Zero Trust (ZT) or Zero Trust Architecture is an approach to digital security that (like it says on the tin) trusts no one. Even though its packaging feels a little dystopian, it’s the leading mindset in security today. The first step to implementing it well, though, is thoroughly understanding the concept. Knowing how the idea developed and the tools you use to create a zero trust environment can help us understand the best way to implement zero trust thinking effectively.
How did we get here?
To understand the idea of zero trust, it helps to understand how people thought about digital security before and how the idea itself developed, and who the people were who pushed these ideas.
In ye olden days, the approach to digital security was a pretty close facsimile to the way we think about physical security. To keep “good” actors in and “bad” actors out, you can build a wall. You can build a door in that wall to let people in if they can verify who they are. But instead of bricks making that wall around your castle, it’s a firewall made of ones and zeros, and instead of a drawbridge or a doorknob, you have a login. Pretty familiar thinking for most of us at this point. Experts in the field call this model “perimeterization”. You build a perimeter, a firewall around what you want to keep safe, and then you defend it.
This approach worked when computers were also bound to physical locations. If all of the computers, servers, and connection machines that a business was using were located inside a physical building, perimeterization was a fairly secure way of keeping information safe.
But this approach begins to break down when the realities of how we compute and connect now rear their ugly heads. We have personal devices that are connected by massive networks. Servers might be nowhere near our physical location. A wall is not a great way to protect a space when the people who want to get in have helicopters. In a report, the Committee on Oversight and Government Reform for the House of Representatives called the perimeter-based security approach “akin to leaving all the doors and windows open in your house and expecting that nobody would walk in and nobody would take any information.” Yikes.
In the early aughts, academics and security consultants started thinking about how businesses might move away from a perimeter-based approach to security. They called it, wait for it, de-perimeterization. Thinking in the space evolved. We can neither trust those outside our walls nor those on the inside (because they might have snuck in). John Kindervag, a consultant for Forrester Research at the time, borrowed the term zero trust from Professor Steven Marsh. The name, in all its Blade Runnery glory, stuck.
A lot of the evolution that we've seen in the digital security space has been driven by changes in the way that we do business. When doing business relied on a physical presence, thinking about information security as a thing that was tied to location (or one that was inspired by ideas of physical security) was an effective approach. But as the ability to do business became more and more distributed those ideas no longer proved effective. As remote work makes decentralization nearly ubiquitous (say that five times fast), using the old approach to protecting ourselves isn't just outdated, it’s dangerous.
Ugggggghhhhh, do I have to?
The number of digital attacks on US-based companies is on the rise, and their focus is on smaller and smaller targets. And it’s not just inconvenient; these attacks can take a huge monetary toll.
As we previously reported, according to research done by the insurance group Hiscox, the number of small and medium-sized businesses reporting cyber incidents has risen from 45% in 2018 to 61% in 2019. The 2021 report from the same group shows that many respondents now report multiple attacks in a year.
This uptick is being propelled by a variety of factors. Working from home has forced a level of reliance on technology that was unprecedented before the pandemic. Information that was previously exchanged in person now must be sent virtually, increasing the amount of information and data subject to attack.
According to a study by Verizon, physical information leakage has decreased dramatically, while social information leakage has seen a corresponding increase. Workers typically do not have the same level of security on their personal devices or networks — such as firewalls or password protection — that might exist in the corporate workspace.
Stress is also a factor: A study from Deloitte shows that 47% of those surveyed had responded to a phishing scam during the pandemic. A majority of these respondents reported that increased stress had been a factor in their mistakes.
While others may be in denial about the possibility of being involved in an attack, according to a 2020 IBM study, eight of 10 workers surveyed believed their companies would be able to handle a cybersecurity attack in the remote workforce, even without receiving any additional security training or instructions.
Whether a breach is caused by human error, insufficient infrastructure, or bad actors, the results are costly. Deloitte notes that the average cost of an attack to a business is around $137,000. Work by Hiscox shows that these costs have been escalating over time, a trend that has been developing before the pandemic even began.
Where do we go from here?
It may seem like one more thing to think about that we don’t have time for, but the task of integrating a new approach to security isn’t all that hard.
A great place to start is with the fundamentals. Recently three major security agencies in this area (the National Institute of Standards and Technology (NIST), National Security Agency (NSA), and National Cyber Security Centre (NCSC)) have published papers on how any size organization can adopt a zero trust stance.
The tools behind zero trust security aren't that unfamiliar; think of Two Factor Authentication (2FA). Providing one source of identification and then another is one of the most common tools used in a zero trust security approach. Recognizing where you’re already using this approach can be a big help in understanding what you might need to change. And when you do find places where change needs to take place, deploying tools that have this thinking baked in is a great place to start.