As a new way of thinking about your IT environment, Zero Trust centers around the concept that no user, device or connection is trusted. The Zero Trust framework requires continuous, dynamic authentication and authorization of every connection request. This strengthens security by both preventing external access and limiting lateral movement once an intruder is inside.
Building security defenses based on static, network-based perimeters is no longer effective in today’s world. With Zero Trust, you’re securing assets, users and resources instead of relying on network defenses.
While Zero Trust use cases vary from one organization to the next, here are a few situations that warrant them:
Globally distributed teams (remote workers).
Within an organization, there are multiple satellite offices and remote employees that connect to a central headquarters. And because the teams and employees are remote, many organizations use “cloud” resources and applications to connect teams. Since these resources are outside the traditional network, traditional security tools and processes are not very effective. Some companies force remote workers and locations to reach resources using a VPN (Virtual Private Network) or virtual desktop infrastructure.
However, these options often prove inefficient and burdensome. Zero Trust does not require users to connect to the corporate network before accessing cloud resources. Understanding the identity of the user and device is needed to make sure any access is secure and appropriate.
Multi-cloud and cloud to cloud connections.
Multi-cloud and cloud to cloud connections are where an organization has a cloud service or computing (identity) access another cloud resource to do work. Since this communication will not go through the main network and will stay “in the cloud,” having a secure and governed access policy for the cloud identity is critical to avoid a bad actor taking over the cloud identity and using it to access other cloud resources.
One big challenge is cloud providers have different ways of implementing different functionality. This could also come up with IoT devices accessing cloud resources. However, the Zero Trust approach doesn’t necessarily control the governance of the IoT device, but the identity around access.
Non-employee identities (third parties such as contractors, temp. employees, vendors, etc.).
When bringing non-employees or third parties into a corporate network, you should utilize the zero trust philosophy of “trust no-one outside or inside the network.” If the only security you have is at the network layer, granting third party access creates a giant security risk. However, if “identity is the new firewall,” then making sure any identity (user) that is inside or outside the network only has the access they need and is governed correctly will ensure that access to company resources remain secure.
Final Thoughts: Implementing Zero Trust.
Regardless of which of the Zero Trust use cases apply to your organization, adopting this as a core strategy improves your ability to defend against continuously evolving threats. But keep in mind that Zero Trust is a concept, not a single security product or solution.
It takes a series of steps and processes to achieve end-to-end Zero Trust. However, Zero Trust is not an “all or nothing” concept — you can build off some of the strategies you already have and continue to expand on them.
