Evolved IT landscape requires an evolved cybersecurity strategy

As organizations have moved from traditional network environments to a distributed IT landscape marked by remote work, cloud computing, and the increased use of personal devices for work, traditional security models have become ineffective. This shift calls for a more robust and adaptable security approach, and has driven the adoption of the Zero Trust framework. Zero Trust moves away from perimeter-based security models to one in which identity and authentication become the central control. It requires continuous checks on the security status of assets and on user privileges to protect an organization’s data and resources.

The History of Zero Trust

Zero Trust originated from the work of Stephen Paul Marsh in 1994. In his doctoral thesis on computer security at the University of Stirling, Marsh introduced the term “Zero Trust,” laying the foundation for what would become a pivotal security framework in the digital age. Fast forward to 2009, after the infamous Operation Aurora, a cyberattack attributed to a Chinese APT (Advanced Persistent Threat), Google began implementing a new security model known as BeyondCorp, which embraced the principles of Zero Trust.

In 2010, John Kindervag, a security analyst at Forrester Research, further developed and popularized the concept by advocating for stricter cybersecurity programs and access controls within organizations. His work helped bring Zero Trust to the forefront of corporate security discussions. Between 2014 and 2018, Google documented its experiences with the Zero Trust model, sharing its learnings through a series of articles on BeyondCorp. This marked a significant milestone in the adoption of the Zero Trust philosophy across industries. By 2018, U.S. cybersecurity experts from NIST and NCCoE solidified its place in the cybersecurity world by publishing NIST SP 800-207, the Zero Trust Architecture, formalizing the framework for broader use.

The Mistake Called ZTNA

Zero Trust Network Access (ZTNA), introduced by Steve Riley at Gartner in 2019, quickly became a hot topic in the cybersecurity world. However, many consider ZTNA a misstep or oversimplification of the broader Zero Trust principles. Vendors eagerly adopted ZTNA, seeing it as a way to remain relevant in a rapidly shifting security landscape. While ZTNA aimed to apply Zero Trust concepts to network access, critics argue it fell short of the original vision, which focused on securing applications and data, regardless of network boundaries.

In hindsight, Riley himself expressed regret for not using the term Zero Trust Application Access (ZTAA) instead of ZTNA. In a 2022 interview with SecurityWeek, he reflected that the term ZTAA would have better captured the true essence of Zero Trust by focusing more on application security rather than network access alone. However, by the time this realization came, ZTNA had already gained traction, and he acknowledged it was likely too late to make a change. This sentiment reflects the broader shift in cybersecurity toward moving beyond the traditional network perimeter and focusing on securing what truly matters—applications and data.

The key pillars of Zero Trust

Within Zero Trust, there are six pillars that collectively enhance an organization’s security posture:

  1. Users: ensuring that only authenticated and authorized users can access applications and data. This involves an identity provider, and ideally multi-factor authentication (MFA) and a password manager to encourage stronger passwords.
  2. Devices: securing the devices that access the network. This includes ensuring, or ideally enforcing, that devices are up to date with the latest security patches and that their disks are encrypted.
  3. Network: ensuring that all traffic over the internet is encrypted, which is generally effective if your operating system and browser are kept up to date. Most modern websites encrypt their traffic, and your browser or operating system should alert you if it encounters an insecure connection.
  4. Applications: securing applications by ensuring they are isolated, continuously updated, and only accessible to authorized users. It’s recommended to review your vendors’ security and privacy efforts (e.g. ISO 27001 or SOC 2 certification), and to apply good application security practices when developing applications yourself.

When the four basic pillars are strong, organizations can add the following two pillars, which enable the Zero Trust strategy to scale:

  1. Automation: automating security tasks and orchestrating complex processes.
  2. Analytics: tools and technologies that monitor and analyze data points across the four basic pillars (users, devices, applications, network) to detect and respond to threats in real time.
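As an added illustration (not code from the original article), here is a small policy decision function that evaluates a single access request against the four basic pillars and returns the reasons for a denial, which is the kind of record the Analytics pillar would collect. The entitlement table, the 30-day patch threshold and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class AccessRequest:
    user: str
    authenticated: bool        # identity provider verified the user
    mfa_passed: bool           # second factor satisfied for this session
    device_last_patch: date    # when the device last applied security updates
    disk_encrypted: bool       # device reports full-disk encryption
    transport_encrypted: bool  # request arrived over an encrypted connection
    application: str

# Constructed sample entitlements: which users may reach which applications.
APP_ENTITLEMENTS = {"payroll": {"alice"}, "wiki": {"alice", "bob"}}
MAX_PATCH_AGE = timedelta(days=30)  # assumed policy threshold

def evaluate(req: AccessRequest, today: date) -> tuple[bool, list[str]]:
    """Check every pillar for one request; run per request, not once per session.
    Returns (allowed, reasons) where reasons lists each failed check."""
    reasons = []
    if not req.authenticated:                          # Users pillar
        reasons.append("user not authenticated")
    if not req.mfa_passed:
        reasons.append("MFA not satisfied")
    if today - req.device_last_patch > MAX_PATCH_AGE:  # Devices pillar
        reasons.append("device patches older than policy allows")
    if not req.disk_encrypted:
        reasons.append("disk not encrypted")
    if not req.transport_encrypted:                    # Network pillar
        reasons.append("connection not encrypted")
    if req.user not in APP_ENTITLEMENTS.get(req.application, set()):  # Applications pillar
        reasons.append(f"user not authorized for {req.application}")
    return (not reasons, reasons)

def run_samples() -> dict[str, tuple[bool, list[str]]]:
    """Two constructed requests: a compliant one and one failing several pillars."""
    today = date(2024, 3, 10)
    good = AccessRequest("alice", True, True, date(2024, 3, 1), True, True, "payroll")
    bad = AccessRequest("bob", True, False, date(2024, 1, 1), True, True, "payroll")
    return {"alice_payroll": evaluate(good, today), "bob_payroll": evaluate(bad, today)}

if __name__ == "__main__":
    for name, (allowed, reasons) in run_samples().items():
        # Analytics pillar: each decision is recorded with its reasons for later review.
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```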

We like to use this mental model to visualize the six pillars and where they live; it helps focus the security team’s efforts in the right places.

Conclusion

The Zero Trust framework is a comprehensive approach to modern cybersecurity. By implementing its core pillars, organizations can better protect themselves against the dynamic threats of today's digital world.