For all its sophistication, the internet age has brought a digital plague of security breaches. The constant drumbeat of data and identity theft has spawned a new movement and a modern mantra that has even been the subject of a US presidential executive order: zero trust.
So what is zero trust?
Zero trust is a cybersecurity strategy that verifies every user, device, application and transaction, on the premise that no user or process should be implicitly trusted.
This definition comes from the NSTAC report, a 56-page document on zero trust compiled in 2021 by the US National Security Telecommunications Advisory Committee, a group that included dozens of security experts led by a former CEO of AT&T.
In an interview, John Kindervag, the former Forrester Research analyst who coined the term, noted that he defines it this way in his Zero Trust Dictionary: Zero trust is a strategic initiative that helps prevent data breaches by eliminating digital trust in a way that can be deployed using off-the-shelf technologies that will improve over time.
What are the basic principles of Zero Trust?
In his 2010 report that coined the term, Kindervag laid out three basic tenets of zero trust. Since all network traffic should be treated as untrusted, he said organizations should:
- ensure all resources are accessed securely, regardless of where the request comes from,
- adopt least privilege and strictly enforce access control, and
- inspect and log all network traffic.
This is why zero trust is often summed up in the motto "Never trust, always verify".
How do you implement zero trust?
As the definitions suggest, zero trust is not a single technique or product, but a set of principles for modern security policy.
In its seminal 2020 report (Special Publication 800-207), the US National Institute of Standards and Technology (NIST) detailed guidelines for implementing zero trust.
Its general approach is described in the table above. It draws on a security information and event management (SIEM) system and a continuous diagnostics and mitigation (CDM) program as sources of data about users, devices and events; a policy engine uses that data to decide each access request, and a policy enforcement point carries out the decision.
Such a plan is called a Zero Trust Architecture (ZTA); the more secure network it produces is called a zero trust environment.
But one size doesn't fit all in zero trust. There is no "one-size-fits-all deployment plan for ZTA [because] each enterprise will have unique use cases and data assets," the NIST report states.
Five Steps to Zero Trust
The work of rolling out zero trust can be boiled down to five main steps.
It begins by defining a so-called protect surface, the set of assets an organization most wants to secure. A protect surface can cover systems inside a company's offices, in the cloud and at the edge.
From there, users map the transactions that typically flow to and from those assets, and design a zero-trust architecture to protect them. Then they write security policies that permit only the mapped transactions.
Finally, they monitor network traffic continuously to ensure that transactions adhere to those policies.
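The five steps, carried through as an added example that is not part of the original article or of any NIST or NSTAC publication: a protect surface is declared, the transaction map doubles as the policy, a policy decision point denies anything not mapped, and a constructed flow log is audited against the same rules. The asset names, groups, rules and log lines are hypothetical.

```python
"""Five steps to zero trust as a tiny, default-deny policy engine (added example)."""
from dataclasses import dataclass
import json

# Step 1: the protect surface, i.e. the few assets worth protecting (hypothetical names).
PROTECT_SURFACE = {"payroll-db", "customer-api", "source-repo"}


@dataclass(frozen=True)
class Rule:
    """One mapped transaction: which group may perform which action on which
    asset, and from which application or zone the request must originate."""
    group: str
    source: str
    resource: str
    action: str


# Steps 2 and 3: the transaction map is the policy; anything not listed is denied.
POLICY = [
    Rule("hr", "hr-portal", "payroll-db", "read"),
    Rule("finance", "erp", "payroll-db", "read"),
    Rule("developers", "ci-runner", "source-repo", "write"),
    Rule("support", "helpdesk", "customer-api", "read"),
]


def authorize(group: str, source: str, resource: str, action: str) -> str:
    """Step 4, the policy decision point: every request is evaluated on its
    own, there is no session-wide trust, and the default answer is deny."""
    if resource not in PROTECT_SURFACE:
        return "deny"  # unknown asset: nothing in the map can allow it
    for rule in POLICY:
        if (rule.group, rule.source, rule.resource, rule.action) == (group, source, resource, action):
            return "allow"
    return "deny"


# Step 5: monitor. A constructed JSON-lines flow log as an enforcement point
# might emit it; records 2 and 4 were allowed although policy says deny.
SAMPLE_FLOW_LOG = """\
{"id": 1, "group": "hr", "source": "hr-portal", "resource": "payroll-db", "action": "read", "result": "allow"}
{"id": 2, "group": "support", "source": "helpdesk", "resource": "payroll-db", "action": "read", "result": "allow"}
{"id": 3, "group": "developers", "source": "laptop", "resource": "source-repo", "action": "write", "result": "deny"}
{"id": 4, "group": "finance", "source": "erp", "resource": "payroll-db", "action": "write", "result": "allow"}
"""


def audit(flow_log: str) -> list:
    """Re-evaluate each logged transaction and return the ids whose recorded
    result disagrees with policy, i.e. enforcement drift worth investigating."""
    mismatches = []
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        expected = authorize(rec["group"], rec["source"], rec["resource"], rec["action"])
        if expected != rec["result"]:
            mismatches.append(rec["id"])
    return mismatches


if __name__ == "__main__":
    print(authorize("hr", "hr-portal", "payroll-db", "read"))   # allow
    print(authorize("hr", "hr-portal", "payroll-db", "write"))  # deny
    print(audit(SAMPLE_FLOW_LOG))                               # [2, 4]
```

The audit function is the monitoring step: it runs the same decision logic over what actually happened, so any allowed transaction that the policy would reject surfaces as a finding rather than staying buried in the log.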
The NSTAC report (above) and Kindervag suggest these same steps to create a zero-trust environment.
It is important to note that zero trust is a journey, not a destination. Consultants and government agencies recommend that users adopt a zero trust maturity model to document an organization's security improvements over time.
The Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security, described such a model (see table below) in a 2021 document.
In practice, users in Zero Trust environments request access to each protected resource separately. They typically use multi-factor authentication (MFA), such as providing a password on a computer and then a code sent to a smartphone.
The NIST report lists the ingredients of an algorithm (below) that determines whether or not a user has access to a resource.
"Ideally, a trust algorithm should be contextual, but that's not always possible," given a company's resources, Kindervag said.
Some argue that the search for an algorithm to measure trustworthiness is contrary to the philosophy of zero trust. Others note that machine learning has a lot to offer here, capturing the context of many events on a network to help make informed access decisions.
Zero Trust’s Big Bang
In May 2021, President Joe Biden issued an executive order requiring zero trust for government computer systems.
The order gave federal agencies 60 days to develop plans for adopting zero-trust architectures based on NIST recommendations. It also called for a playbook for responding to security incidents, a review board to examine major incidents, and even a program to establish cybersecurity labels for certain consumer products.
It was a great moment for zero trust that still resonates around the world.
“The likely effect this has had on advancing zero-trust conversations within boardrooms and among information security teams cannot be overstated,” the NSTAC report states.
What is the story of Zero Trust?
Around 2003, ideas that led to zero trust began bubbling up within the US Department of Defense, leading to a 2007 report. Around the same time, an informal group of security experts from industry called the Jericho Forum coined the term "de-perimeterization".
Kindervag crystallized the concept and gave it a name in his landmark September 2010 report.
The industry's focus on building a moat around organizations with firewalls and intrusion detection systems was a mistake, he argued. Malicious actors and inscrutable data packets were already inside organizations, threats that demanded a radically new approach.
Security goes beyond firewalls
From his early days installing firewalls, "I realized that our trust model was a problem," he said in an interview. "We brought a human concept into the digital world, and it was just silly."
At Forrester, he was tasked with finding out why cybersecurity wasn’t working. In 2008, he began using the term zero trust in lectures describing his research.
After some initial resistance, users started to embrace the concept.
“Someone once told me zero trust would become all my job. I didn’t believe him, but he was right,” said Kindervag, who in various roles in the industry has helped hundreds of organizations create zero-trust environments.
A growing zero-trust ecosystem
Indeed, Gartner predicts that by 2025, at least 70% of new remote access deployments will use what it calls Zero Trust Network Access (ZTNA), up from less than 10% at the end of 2021. (Gartner, Emerging Technologies: Snapshot of Adoption Growth for Zero Trust Network Access, G00764424, April 2022)
That's partly because the COVID lockdowns accelerated companies' plans to bolster the security of remote workers. And many firewall vendors now include ZTNA features in their products.
Market watchers estimate that at least 50 vendors, from Appgate to Zscaler, now offer security products aligned with zero-trust concepts.
AI automates zero trust
Users in some Zero Trust environments are expressing frustration with repeated requests for multi-factor authentication. It’s a challenge that some experts see as an opportunity for automation with machine learning.
For example, Gartner suggests applying analytics in an approach it calls continuous adaptive trust. CAT (see table below) can use contextual data, such as device identity, network identity and geolocation, as a kind of digital reality check to help authenticate users without prompting them for MFA on every request.
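What a contextual trust algorithm of the kind NIST describes, and the adaptive approach Gartner calls continuous adaptive trust, look like in code, as an added example that is neither NIST's nor Gartner's nor part of the original article: each request is scored from device identity, network identity, geolocation and the age of the last strong authentication, and the score decides whether to allow silently, prompt for MFA, or deny. The signal names, weights and thresholds are hypothetical choices made for the example.

```python
"""Contextual trust score with step-up MFA instead of MFA on every request (added example)."""
from dataclasses import dataclass

# Hypothetical weights: how much each contextual signal contributes (max 100).
W_DEVICE_MANAGED = 30   # device identity: enrolled and compliant
W_NETWORK_KNOWN = 20    # network identity: corporate or VPN egress
W_GEO_CONSISTENT = 20   # geolocation matches the previous request
W_MFA_FRESH = 30        # strong authentication within the last hour

MFA_FRESH_MINUTES = 60
IMPOSSIBLE_TRAVEL_MINUTES = 120  # new country within two hours of the last request

# Hypothetical score each resource sensitivity level demands.
THRESHOLD = {1: 40, 2: 60, 3: 80}


@dataclass
class Context:
    user: str
    device_managed: bool
    network_known: bool
    country: str
    last_country: str
    minutes_since_last: float   # time since this user's previous request
    minutes_since_mfa: float    # age of the last successful MFA
    resource_sensitivity: int   # 1 low, 2 medium, 3 high


def trust_score(ctx: Context) -> int:
    """Sum the contextual signals; impossible travel zeroes the score outright,
    because no amount of device or network trust explains it."""
    if ctx.country != ctx.last_country and ctx.minutes_since_last < IMPOSSIBLE_TRAVEL_MINUTES:
        return 0
    score = 0
    if ctx.device_managed:
        score += W_DEVICE_MANAGED
    if ctx.network_known:
        score += W_NETWORK_KNOWN
    if ctx.country == ctx.last_country:
        score += W_GEO_CONSISTENT
    if ctx.minutes_since_mfa <= MFA_FRESH_MINUTES:
        score += W_MFA_FRESH
    return score


def decide(ctx: Context) -> str:
    """Return 'allow', 'step-up-mfa' or 'deny'. MFA is requested only when a
    fresh factor would actually lift the score over the resource's threshold."""
    score = trust_score(ctx)
    needed = THRESHOLD[ctx.resource_sensitivity]
    if score == 0:
        return "deny"
    if score >= needed:
        return "allow"
    mfa_is_stale = ctx.minutes_since_mfa > MFA_FRESH_MINUTES
    if mfa_is_stale and score + W_MFA_FRESH >= needed:
        return "step-up-mfa"
    return "deny"


# Constructed requests for the same hypothetical user.
OFFICE = Context("alice", True, True, "DE", "DE", 15, 15, 2)      # allow, no prompt
HOME = Context("alice", True, False, "DE", "DE", 240, 300, 2)     # step-up: fresh MFA lifts 50 to 80
BYOD = Context("alice", False, False, "DE", "DE", 240, 300, 2)    # deny: even fresh MFA only reaches 50
TRAVEL = Context("alice", True, True, "BR", "DE", 30, 15, 1)      # deny: impossible travel

if __name__ == "__main__":
    for ctx in (OFFICE, HOME, BYOD, TRAVEL):
        print(trust_score(ctx), decide(ctx))
```

The design choice worth noting is that a stale MFA factor alone does not trigger a prompt: the prompt is issued only when a fresh factor would change the outcome, which is what keeps the number of interruptions down for a user on a managed device and known network while still forcing re-authentication from an unfamiliar location.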
In fact, networks are full of data that AI can filter in real time to automatically improve security.
“We don’t even collect, maintain, and observe half the network data that we could, but that data contains information that will form an overall picture of a network’s security,” said Bartley Richardson, senior manager of artificial intelligence infrastructure and cybersecurity engineering at NVIDIA.
Human operators cannot track all data generated by a network or set policies for all possible events. But they can apply AI to scour the data for suspicious activity and then react quickly.
"We want to give enterprises the tools to build and automate robust zero-trust environments with defenses that live across their data centers," said Richardson, who leads development of NVIDIA Morpheus, an open AI framework for cybersecurity.
NVIDIA provides pre-trained AI models for Morpheus, or users can choose a third-party model or create their own.
“The backend and pipeline engineering work is tough, but we have expertise in this area and can architect it for you,” he said.
These are the kinds of capabilities that experts like Kindervag see as part of the future of zero trust.
“Manual response from security analysts is too difficult and inefficient,” he wrote in a 2014 report. “The maturity of systems is such that a valuable and reliable level of automation is now achievable.”
To learn more about AI and Zero Trust, read this blog or watch the video below.