Cybersecurity Tips

Zero Trust: sooner or later you have to trust something

strengths, weaknesses and notes regarding a modern IT infrastructure design

Nuno
Sep 2, 2022
This week we’ll be publishing under a new format where we try to organize some notes about a specific Cybersecurity topic. See it as a pocket-sized Cybersecurity glossary with real examples and data.

The first issue under this format is about Zero Trust.

❔ What is Zero Trust and why it matters

The Zero Trust security model (also zero trust network architecture, zero trust network access, ZTA, ZTNA) describes an approach to the design of IT systems around the concept of "never trust, always verify".

This means that users and devices should not be trusted by default, even if they are connected to a permissioned network, e.g. a VPN.

The reasoning for zero trust is that the traditional perimeter-based approach no longer fits the complex environment of a corporate network, where the set of users, devices and systems is constantly changing.

Core concepts

  • Never trust, always verify

  • Least privilege - only grant users and apps the minimum access needed

  • Assume breach - plan for the worst case scenario.

  • Micro segmentation to contain incidents

🔍 Problem

  • Previous model: perimeter security is insufficient. You can’t stop malicious actors at the gate (e.g. VPN)

  • Concept of castle vs airport

    • Castle: check everyone at entry and then let them sniff around

    • Airport: continuously check the users - at the entry, in security, at the gate and before entering the plane

  • Remote working took more devices out of the offices

  • Companies shouldn’t trust all devices in the network

  • New hybrid cloud solutions that make the perimeter harder to define

Not related with the Netflix movie with the same title :)

In a world where attackers are more and more trying to disguise themselves as someone trustworthy, a computer security model based on the human definition of trust is flawed.

✨ Solution

  • Authenticate

  • Authorize

  • Continuously validate
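The three steps above, together with the least privilege and micro segmentation concepts from the core list, can be shown as a single policy decision function that runs on every request instead of once at the network edge. The code below is an added illustration written for this note, not code from the post or from any vendor; the users, roles, resources, network segments and the 15-minute session age are all constructed values. The point it makes is that "being on the network" never appears as an input: identity, MFA, session freshness, device posture, segment and least-privilege permissions are each checked, and any one of them failing is enough to deny.

```python
"""Toy Zero Trust policy decision point (PDP), added example.

Every request is evaluated from scratch: authenticate, authorize with
least privilege, and continuously validate (session freshness, device
posture). Network location is never treated as a credential.
"""
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in device management
    disk_encrypted: bool
    os_patched: bool


@dataclass
class Session:
    user: str
    device: Device
    mfa_verified: bool
    issued_at: float       # epoch seconds when the session was issued
    max_age: float = 900   # short-lived: trust has to be re-earned every 15 min (constructed value)


@dataclass
class Request:
    session: Session
    resource: str
    action: str
    source_segment: str    # network segment the request arrives from
    now: float             # current time, passed in so the example is deterministic


# Least privilege: an explicit allow-list of role -> resource -> actions (constructed).
ROLES = {"alice": "finance", "bob": "engineer"}
PERMISSIONS = {
    "finance": {"ledger-db": {"read"}},
    "engineer": {"ci-server": {"read", "write"}},
}

# Micro segmentation: which segments may reach which resource at all (constructed).
SEGMENTS = {
    "ledger-db": {"finance-apps"},
    "ci-server": {"eng-workstations", "build-runners"},
}


def device_compliant(device: Device) -> bool:
    """Device posture is part of the decision, not just who the user is."""
    return device.managed and device.disk_encrypted and device.os_patched


def decide(req: Request):
    """Return (allowed, reason). Order: authenticate, validate, authorize."""
    s = req.session

    # 1. Authenticate: a session without MFA is not a proof of identity.
    if not s.mfa_verified:
        return False, "deny: mfa required"

    # 3. Continuously validate: trust decays; a stale session must re-authenticate,
    #    and a device that drifted out of compliance loses access mid-day.
    if req.now - s.issued_at > s.max_age:
        return False, "deny: session expired, re-authenticate"
    if not device_compliant(s.device):
        return False, "deny: device posture non-compliant"

    # Micro segmentation: contain incidents by refusing paths that should not exist.
    if req.source_segment not in SEGMENTS.get(req.resource, set()):
        return False, "deny: segment not permitted for resource"

    # 2. Authorize with least privilege: only explicitly granted actions pass.
    role = ROLES.get(s.user)
    allowed = PERMISSIONS.get(role, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, f"deny: {req.action} on {req.resource} not granted to role {role}"

    return True, "allow"


if __name__ == "__main__":
    laptop = Device("d1", managed=True, disk_encrypted=True, os_patched=True)
    alice = Session("alice", laptop, mfa_verified=True, issued_at=1000.0)
    print(decide(Request(alice, "ledger-db", "read", "finance-apps", now=1100.0)))
    print(decide(Request(alice, "ledger-db", "write", "finance-apps", now=1100.0)))
    print(decide(Request(alice, "ledger-db", "read", "finance-apps", now=2000.0)))
```

In a real deployment the inputs come from an identity provider, a device management agent and the network fabric, and the decision runs in a gateway or service mesh on every call; the structure of the decision is what the example is meant to show.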

💪 Strengths

  • Effective access control. Zero trust architectures allow identity verification, least privilege controls, microsegmentation, and other preventative techniques.

  • Perimeterless strategy. As the number of endpoints in a network grows, establishing, monitoring, and maintaining secure perimeters becomes more difficult. Work from home and remote workforce are part of the problem.

  • Improve insight. Effective zero-trust models increase visibility into network traffic.

  • Minimize risk and damage. By restricting user access and segmenting the network to reduce the attack surface, a zero trust model reduces time-to-breach detection and helps the organization minimize damage.

  • Enhance user experience. Mechanisms like single sign-on (SSO) and strong MFA remove the need for users to remember complex passwords, and access policies and risk assessments decide when re-authentication during the day is actually needed, instead of prompting for it constantly.

😡 Criticisms

  • Zero Trust has a negative connotation because it implies that everything happening on the network is suspect until proven otherwise

  • It's framing an ongoing process as an end state. You'll see the same disappointment that people saw when they decided "we're going to do DevOps".

  • Because it’s harder and harder to define a network perimeter, a VPN is at least one layer of defense and should not be discarded

  • Current IT networks are old and it’s too hard to update to a new, user / device based authentication. It will take years

  • You have to eventually trust something. Perimeterless network security would be a better term

Related resources:

  • https://www.techrepublic.com/article/zero-trust-the-good-the-bad-and-the-ugly/

  • https://code.mendhak.com/zero-trust-poor-choice-of-words/

⛹️‍♀️ Players

Zero trust architecture implies multiple vendors at different levels on the network. Here’s a few notable ones:

  • Crowdstrike

  • Microsoft

  • CyberArk (privileged access management)

  • ZScaler

  • Okta

🔮 Predictions

  • Gartner predicts that "60 percent of organizations will embrace Zero Trust as a starting point for security by 2025" - Gartner

  • Two-thirds of surveyed cybersecurity professionals would like to continuously authenticate users and devices and force them to earn trust through verification - Dark Reading

🔗 Other resources

  • https://www.fortinet.com/resources/cyberglossary/defense-in-depth

  • https://www.yubico.com/resources/glossary/zero-trust/

  • https://www.crowdstrike.com/cybersecurity-101/zero-trust-security/

2 Comments
Christopher Cottrell :)
Writes Hacker Thoughts
Nov 7, 2022

How long would it take an org to go from normal to full zero trust?

© 2023 Nuno Batista