“Never trust, always verify” have been the buzzwords ever since the term “zero trust” was coined. According to Pulse, 87% of decision-makers believe that zero trust security strategy will simplify their organization’s security architecture.
Traditionally, IT networks were set up such that they were impermeable from outside. But what if it was an attacker was able to pass through? The attacker gains access to all keys to the kingdom because the inside of the impermeable network trusts everyone but never verifies. In 2010, John Kindervag, an analyst at Forrester Research at the time, came up with a model of zero trust that assumes every entity as a threat and must undergo verification. The definition from the National Institute of Standards and Technology (NIST) is zero trust (ZT) is a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning and access policies.
With the increasing shift toward cloud, many organizations opt to migrate completely to the cloud with one or more cloud service providers. This brings along with it the issues of trust and identify verification. One of the use cases of ZTA can be applied in such situations. ZT principles make no difference between enterprise-owned and -operated network infrastructure versus vendor-owned and -operated infrastructure.
The Policy Engine (PE) component of a ZTA is responsible to grant, deny or revoke access to a resource for an entity or subject based on enterprise policies and input from intelligence sources. This can be placed in a cloud or third-party cloud provider. The Policy Enforcement Points (PEP) can be placed at the access points of each application or service and data source. The PA works closely with PE to make an allow or deny decision and communicates the decision to PEP for its implementation.
Trust should never be granted implicitly but must be continually evaluated. An organization, to prevent unauthorized access to applications, service or data must enforce granular access control together with ZT principles.
Editor’s note: For more zero-trust resources, download the ISACA white paper, Zero Trust: How to Beat Adversaries at Their Own Game.