Everything you need to know about zero-trust architecture 

As more employees get used to hybrid working environments following the COVID-19 pandemic, enterprises have turned to zero-trust architecture to keep unauthorized users out. In fact, research shows that 80% of organizations have plans to embrace a zero-trust security strategy in 2022. 

However, the term zero trust has been used so much, by product vendors to describe security solutions, that it’s become a bit of a buzzword, with an ambiguous definition. 

“Zero trust isn’t simply a product or service — it’s a mindset that, in its simplest form, is not about trusting any devices — or users — by default, even if they’re inside the corporate network,” said Sonya Duffin, analyst at Veritas Technologies. 

Duffin explained that much of the confusion around the definition comes as a result of vendors “productizing the term”, which makes “companies think their data is safe because they have implemented a “zero trust” product, when, in fact, they are still extremely vulnerable.” 

Pinning down zero-trust as a concept 

The first use of the term zero-trust can be traced all the way back to 1994 by Stephen Paul Marsh as part of a doctoral thesis, but only really started to pick up steam in 2010, when Forrester Research analyst John Kindervag challenged the concept of automatic trust within the perimeter network. 

Instead, Kindervag argued that enterprises shouldn’t automatically trust connections made by devices in the network, but should proactively verify all requests made from devices and users before granting them access to protected resources. 

The rationale behind this was to prevent malicious threat actors within the network from abusing automatic trust to gain access to sensitive information with additional verification steps. 

It’s worth noting that this concept evolved further in 2014 when Google released its own implementation of the zero-trust security model called BeyondCorp. It designed the BeyondCorp initiative to enable employees to work from untrusted networks without using a VPN, by using user and device-based authentication to verify access. 

Today, the global zero trust security market remains in a state of continued growth, with researchers anticipating that the market will increase from a valuation of $19.6 billion in 2020 to reach a valuation of $51.6 billion by 2026.

Why bother with zero-trust architecture? 

One of the main reasons that organizations should implement zero-trust architecture is to improve visibility over on-premise and hybrid cloud environments. 

Mature zero-trust organizations report they are nearly four times more likely to have comprehensive visibility of traffic across their environment, and five times more likely to have comprehensive visibility into traffic across all types of application architectures.

This visibility is extremely valuable because it provides organizations with the transparency needed to identify and contain security incidents in the shortest time possible 

The result is less prolonged downtime due to operational damage and fewer overall compliance liabilities. 

Zero-trust today: the ‘assume breach’ mindset

Over the past few years, the concept of zero-trust architecture has also started to evolve as enterprises have shifted to an “assume breach” mindset, essentially expecting that a skilled criminal will find an entry point to the environment even with authentication measures in place. 

Under a traditional zero trust model, enterprises assume that every user or device is malicious until proven otherwise through an authentication process. Zero trust segmentation goes a step further by isolating workloads and devices so that if an individual successfully sidesteps this process, the impact of the breach is limited. 

“Zero Trust Segmentation (ZTS) is a modern security approach that stops the spread of breaches, ransomware and other attacks by isolating workloads and devices across the entire hybrid attack surface— from clouds to data centers to endpoints,” said Andrew Rubin, CEO and cofounder of Illumio. 

This means that “organizations can easily understand what workloads and devices are communicating with each other and create policies which restrict communication to only that which is necessary and wanted,” 

Rubin notes that these policies can then be automatically enforced to isolate the environment if there’s a breach. 

Implementing zero-trust segmentation 

Zero-trust segmentation builds on the concept of traditional network segmentation by creating micro perimeters within a network to isolate critical data assets. 

“With segmentation, workloads and endpoints that are explicitly allowed to communicate are grouped together in either a network segment or a logical grouping enforced by network or security controls,” said David Holmes, an analyst at Forrester. 

“At a high-level, zero-trust segmentation isolates critical resources so that if a network is compromised, the attacker can’t gain access,” Holmes said. “For example, if an attacker manages to gain initial access to an organization’s network and deploys ransomware, zero-trust segmentation can stop the attack from spreading internally, reducing the amount of downtime and data loss while lowering the attacker’s leverage to collect a ransom.”

Holmes explains that enterprises can start implementing segmentation with policies saying that the development network should never be able to access the production segment directly, or that application A can communicate with database X, but not Y. 

Segmentation policies will help ensure that if a host gets infected or compromised, the incident will remain contained within a small segment of the network. 

This is a key reason why organizations that have adopted zero trust segmentation as part of their zero-trust strategy save an average of $20.1 million in application downtime and deflect five cyber disasters per year. 

How to implement zero-trust architecture

For organizations looking to implement a true zero-trust architecture, there are many frameworks to use, from Forrester’s ZTX ecosystem framework to NIST, and Google’s BeyondCorp. 

Regardless of what zero-trust implementation an enterprise deploys, there are two main options for implementation; manually or via automated solutions. Holmes recommends two sets of automated solutions for enterprises to implement zero-trust. 

The first group of automated solutions rely on the underlying infrastructure, such as homogenous deployment of a single vendor’s network switches, like Cisco and Aruba. 

The second group relies on host software installed to each computer in the segmentation project, these solutions abstract segmentation away from network topology with vendors including Illumio and Guardicore. 

Though, Holmes notes that going beyond zero-trust to implement it fully can be very difficult. For this reason, he urges enterprises to opt for an automated solution and to plan the zero-trust deployment meticulously, to the point of overplanning to avoid any unforeseen disruption. 

Above all, the success or failure of zero-trust implementation depends on whether secure access is user-friendly for employees, or an obstacle to their productivity.