For all its sophistication, the Internet age has brought on a digital plague of security breaches. The steady drumbeat of data and identity thefts spawned a new movement and a modern mantra that's even been the subject of a U.S. presidential mandate - zero trust.So, What Is Zero Trust? Zero trust is a cybersecurity strategy for verifying every user, device, application and transaction in the belief that no user or process should be trusted.
That definition comes from the NSTAC report, a 56-page document on zero trust compiled in 2021 by the U.S. National Security Telecommunications Advisory Committee, a group that included dozens of security experts led by a former AT&T CEO.
In an interview, John Kindervag, the former Forrester Research analyst who created the term, noted that he defines it this way in his Zero Trust Dictionary: Zero trust is a strategic initiative that helps prevent data breaches by eliminating digital trust in a way that can be deployed using off-the-shelf technologies that will improve over time.
What Are the Basic Tenets of Zero Trust? In his 2010 report that coined the term, Kindervag laid out three basic tenets of zero trust. Because all network traffic should be untrusted, he said users must:
verify and secure all resources,
limit and strictly enforce access control, and
inspect and log all network traffic.
That's why zero trust is sometimes known by the motto, Never Trust, Always Verify.
How Do You Implement Zero Trust? As the definitions suggest, zero trust is not a single technique or product, but a set of principles for a modern security policy.
In its seminal 2020 report, the U.S. National Institute for Standards and Technology (NIST) detailed guidelines for implementing zero trust.
Its general approach is described in the chart above. It uses a security information and event management (SIEM) system to collect data and continuous diagnostics and mitigation (CDM) to analyze it and respond to insights and events it uncovers.
It's an example of a security plan also called a zero trust architecture (ZTA) that creates a more secure network called a zero trust environment.
But one size doesn't fit all in zero trust. There's no single deployment plan for ZTA [because each] enterprise will have unique use cases and data assets, the NIST report said.
Five Steps to Zero Trust The job of deploying zero trust can be boiled down to five main steps.
It starts by defining a so-called protect surface, what users want to secure. A protect surface can span systems inside a company's offices, the cloud and the edge.
From there, users create a map of the transactions that typically flow across their networks and a zero trust architecture to protect them. Then they establish security policies for the network.
Finally, they monitor network traffic to make sure transactions stay within the policies.
Both the NSTAC report (above) and Kindervag suggest these same steps to create a zero trust environment.
It's important to note that zero trust is a journey not a destination. Consultants and government agencies recommend users adopt a zero trust maturity model to document an organization's security improvements over time.
The Cybersecurity Infrastructure Security Agency, part of the U.S. Department of Homeland Security, described one such model (see chart below) in a 2021 document.
In practice, users in zero trust environments request access to each protected resource separately. They typically use multi-factor authentication (MFA) such as providing a password on a computer, then a code sent to a smartphone.
The NIST report lists ingredients for an algorithm (below) that determines whether or not a user gets access to a resource.
Ideally, a trust algorithm should be contextual, but this may not always be possible, given a company's resources, it said.
Some argue the quest for an algorithm to measure trustworthiness is counter to the philosophy of zero trust. Others note that machine learning has much to offer here, capturing context across many events on a network to help make sound decisions on access.
The Big Bang of Zero Trust In May 2021, President Joe Biden released an executive order mandating zero trust for the government's computing systems.
The order gave federal agencies 60 days to adopt zero trust architectures based on the NIST recommendations. It also called for a playbook on dealing with security breaches, a safety board to review major incidents - even a program to establish cybersecurity warning labels for some consumer products.
It was a big bang moment for zero trust that's still echoing around the globe.
The likely effect this had on advancing zero trust conversations within boardrooms and among information security teams cannot be overstated, the NSTAC report said.
What's the History of Zero Trust? Around 2003, ideas that led to zero trust started bubbling up inside the U.S. Department of Defense, leading to a 2007 report. About the same time, an informal group of industry security experts called the Jericho Forum coined the term de-perimeterisation.
Kindervag crystalized the concept and gave it a name in his bombshell September 2010 report.
The industry's focus on building a moat around organizations with firewalls and intrusion detection systems was wrongheaded, he argued. Bad actors and inscrutable data packets were already inside organizations, threats that demanded a radically new approach.
Security Goes Beyond Firewalls From his early days installing firewalls, I realized our trust model was a problem, he said in an interview. We took a human concept into the digital world, and it was just silly.
At Forrester, he was tasked with finding out why cybersecurity wasn't working. In 2008, he started using the term zero trust in talks describing his research.
After
