Better malware, mobile devices, IoT devices, cloud applications and remote workers are all threats to businesses nowadays. Threats can come from inside and data can be stored outside of the company network. This makes cybersecurity a difficult task for every business. Traditional IT network security is based on the principle that everyone inside the corporate network is trusted by default while it’s hard to obtain access from outside the network. This means that once a hacker gains access to the network, they can basically do anything they want. Traditional IT network security also doesn’t protect your data that is stored in cloud applications. Which means there is a need for a new kind of cybersecurity.
What is the zero trust security model?
The solution to this problem is the zero trust approach. Zero trust security stands for “never trust, always verify”, which means don’t trust devices by default from inside or outside the network. Even if they were previously trusted. Everyone needs to be verified in order to gain access to the resources on the corporate network. Zero trust doesn’t recognize a traditional network edge. Networks can be local, in the cloud, or a combination of local and cloud with resources that can be accessed from anywhere by remote workers. Zero trust security is based on the key principle of least privilege access. This means that every user or device can only access the resources that they actually need and nothing else. Many organizations are eager to adopt a zero trust security policy when they see the cost and other consequences of a cyberattack. Zero trust security is used to stop all potential security breaches.
Zero trust network access (ZTNA)
The zero trust security model is also known as the zero trust architecture, zero trust network architecture, zero trust network access (ZTNA) or perimeterless security. It describes a cybersecurity approach for the design and implementation of IT systems. A zero trust architecture is exactly what you would expect, an architecture based on the principle that nothing can be trusted. It means that no device, user, or application that wants to interact with your architecture can be trusted. This zero trust approach secures infrastructure and data. Forrester Research first introduced the zero trust concept for organizations that want the highest level of cybersecurity for their sensitive data. This concept also addresses modern challenges like remote workers, hybrid cloud environments, and cyber threats that can be detrimental to businesses. The zero trust model was called into existence because traditional IT network security allowed hackers to breach corporate networks. Hackers could get past corporate firewalls into the segments of the network and wreak havoc without much resistance.
A well-tuned zero trust model can lead to a better user experience, simpler network infrastructure, and improved cyber threat defense. Zero trust architecture blocks inappropriate access and lateral movement throughout the network based on the user’s role and location, their device, and the data they have requested. This model is built on the belief that by enforcing perimeters, businesses can ensure that only authorized users, devices, and applications can access an organization’s systems and data. When you implement zero trust well, it limits the risk of unauthorized access, insider threats, and malicious attacks.
The history of zero trust
Perimeter security vs perimeterless security
Perimeter-based security uses firewalls and other technologies to create a perimeter around an organization’s IT environment. This perimeter security is based on the castle-and-moat security model that trusts all users and devices within the perimeter and allows access to all systems within the castle.
Over the past two decades, this perimeter started to disintegrate. With the rise of the commercial internet, mobile communication, cloud computing, IoT, and remote-work policies, the number of employees, business partners, applications, and devices outside of this perimeter made traditional IT perimeter security almost useless.
Hackers are also launching attacks that blend in with this growing volume of traffic. The zero trust approach stops such attacks and limits the damage done by authorizing users, devices, and systems before they gain access to certain resources.
The zero trust security timeline
The transition from perimeter security to perimeterless security required enterprise security teams to rethink their strategies.
The zero trust framework really took off in 2004 because of the ideas presented by the Jericho Forum, an international security consortium. Members of this forum saw potential problems with the perimeter security approach and they developed a new concept of security they called deperimeterization. This concept called for multilevel security controls, including encryption and data-level authentication.
John Kindervag was the Forrester research analyst that popularized the term zero trust when he presented the idea that a company should not extend its trust to anything inside or outside its perimeters.
Google initially launched BeyondCorp in response to the Operation Aurora cyberattacks. Their goal was to enable employees to work remotely without the use of a VPN. Later, Google published an article detailing their initiative which gave the idea of zero trust a significant boost in recognition.
In 2018, researchers continued to advance the zero trust concept. Forrester introduced the zero trust eXtended Ecosystem. This established the seven core pillars for zero trust. The NIST also released the SP 800-207, zero trust architecture. This offered guidelines on the core components of zero trust.
In 2019, Gartner first introduced the term zero trust network access (ZTNA). This describes the products and services that deliver the zero trust concept to the network.
With the COVID-19 pandemic, the expansion of hybrid work and remote work increased the need for zero trust.
The White House as well as many other government entities started to introduce efforts to move toward zero trust. This eventually put government organizations ahead of private sector entities.
The future of zero trust
In just a decade, zero trust moved from a hypothetical concept to a widely deployed approach. Many organizations have at least started implementing a zero trust strategy. But not a lot of organizations have fully implemented it. The amount of organizations moving forward with their zero trust strategies will continue to grow. However, organizations still have a lot of work to do. Zero trust isn’t easy to implement. It’s not a single product that can be bought from one vendor. It also involves layers upon layers of policies and technologies. A lot of cybersecurity companies and governments are informing organizations on the dangers of cyberattacks and the steps of the zero trust process.
What are the main principles of zero trust architecture
Never trust, always verify
The first main principle of zero trust security is “never trust, always verify”. This means that devices shouldn’t be trusted by default even if they are located inside your network and even if they were previously verified.
Multi-factor authentication (MFA)
Multi-factor authentication or MFA is another core value of zero trust security. MFA means that it requires more than one piece of evidence to authenticate a user. This means that just entering a password is not enough to gain access. A common example of MFA is the two-factor authorization used on platforms like Facebook and Google. On top of entering a password, users also have to enter a code sent to another device, like a text on a mobile phone or an e-mail on a computer.
Continuous monitoring and validation
Zero trust assumes that there are attackers both inside and outside of the network. This means that no users or machines should be automatically trusted. Zero trust verifies user identity and enforces privileges which gives organizations the ability to monitor insider threats. Logins and connections time out periodically which forces users and devices to be continously re-verified.
Least privilege is another principle of zero trust security. This means you give users only as much access as they need to minimize each user’s exposure to your hard-to-protect resources. Least privilege access basically means carefully managing user permissions.
Device access control
Zero trust requires strict access controls for devices. It’s important to monitor how many different devices are trying to access their network, ensure that every device is authorized, and assess all devices to make sure they aren’t compromised. This minimizes the attack surface.
Another main principle of zero trust is micro-segmentation. This is the practice of breaking up security perimeters into small zones to maintain separate access for separate parts of the network. A person that has access to one of these zones will not be able to access other zones without separate authorization.
Preventing lateral movement
Lateral movement means the moves an attacker makes within a network after gaining access to that network. This can be difficult to detect even if the attacker’s entry point is discovered because the attacker moves fast and compromises other parts of the network as well.
How to implement zero trust security
Stages of implementing zero trust
Implementing zero trust may sound complicated, but it can be relatively easy with the right technology partner.
Stage 1: Visualize
In this first stage, you should understand all of the resources and their access points so you can visualize all the risks involved. You should gain visibility and context for all traffic across users, devices, locations and applications.
Stage 2: Mitigate
In the second stage, you should detect and stop threats or mitigate the impact of a breach in case a threat can’t immediately be stopped.
Stage 3: Optimize
The third stage is to optimize. You should extend protection to every aspect of the IT infrastructure and all resources regardless of the location while also optimizing the user experience for end-users and everyone involved. This also means you should have the ability to monitor and verify traffic as it crosses between the different functions inside the network.
Browser Isolation is developed with our Isolation technology that is based on the zero trust approach. It’s a way of safe browsing. Browser Isolation uses a technology that provides malware protection by containing browsing activity in an isolated environment. This isolated environment secures all threats so they can’t infiltrate the user’s computer or other devices.
Of course, we don’t want to reveal all our secrets regarding our cybersecurity solutions, but by using Browser Isolation the user surfs in an isolated environment. We often call this a ‘container’: an extra layer that is built between the internet and the computers within your company (the end-users). Hence the term Browser Isolation.
At the end of the browsing session, everything is removed. A virus or cyberattack is contained in the isolated Jimber container and is removed as soon as the session is closed. This way, the internet session no longer poses a threat to your organization. No web content ever reaches the user’s computer. Thus malware is never able to enter your system.
Our Network Isolation ensures secure access to a corporate network after verification (for example via Gmail or 2FA) which only allows access to specific applications and/or devices instead of full access to the network.
Our Jimber Network Isolation is perfect for hybrid work.
Network Isolation can be compared to ZTNA (Zero Trust Network Access). This means you trust nothing and verify everything. It provides better security and micro-segmentation. Network Isolation constantly authenticates every user and device.
Users only have access to applications, data, and devices that are explicitly defined by their perimeters rather than full access to the network.
Network Isolation protects against all kinds of threats. First, Network Isolation regularly checks the health of the devices that connect to applications and the micro-segmentation reduces the places threats can move to and attack. Second, you can protect yourself against insider threats because you can easily find which employees have which privileges. Third, Network Isolation prevents application discovery on the public internet. This allows users to access applications while protecting organizations from data exposure, malware, and other attacks.
Use case: Jimber Network Isolation reduces mistakes and the cost of expensive hardware and maintenance
Hardware and maintenance of corporate networks can be extraordinarily complex and expensive. Many companies find creative ways to get users access to their resources in multiple locations and this can lead to many mistakes. This causes holes in the firewalls and access protocols. Network Isolation authorizes users in order for them to get access to applications and networks. This means that time and management are reduced and simplified.
Use case: Jimber Network Isolation limits user access and reduces third-party risk
Most traditional security solutions permit third-party users to get full network access. This exposes sensitive corporate resources to compromised accounts, unmanaged devices, and insider threats. Which means hackers could move freely and undetected through internal systems. Network Isolation reduces third-party risks because only authorized users can access allowed internal resources.
Want to know more? Get in touch with our team.