Years after it was first mentioned in 2010, the concept of Zero Trust is regaining momentum. Backed by analysts, vendors, and the Cloud Security Alliance, Zero Trust is the latest buzzword in the security industry.
The Zero Trust framework became popular in the wake of data breaches and modern cyber-attacks. Traditional security measures focused on creating a security perimeter around insiders, and everything outside the perimeter was untrusted. This model assumed that insiders should be trusted and gave them full access to resources. Unfortunately, it could not cope with a changing threat landscape in which malicious insiders and outside attackers try to move laterally to reach important resources.
Secondly, an upsurge in the number of IoT devices, increased mobility, and the vast adoption of cloud by organizations are constantly pushing the network boundary closer to the identity. So rather than a network-centric perimeter, there is a need for an identity-based perimeter, with users and devices at the center of focus.
To address these challenges, Zero Trust treats every access request as untrusted and grants access permission on a strict need-to-know basis. Zero Trust is a concept in network security based on strict identity verification for users and devices. It requires that every access request by a user or device is fully authorized, authenticated, and encrypted before access is granted. True to its motto, “Trust nothing, verify everything”, the Zero Trust security framework holds that nothing should be trusted and that even requests originating from within the security perimeter should be verified. There are three models/architectures through which Zero Trust security can be implemented in organizations:
- Software-Defined Perimeter
- Network Micro-Segmentation
- Identity Aware Proxy
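
The difference between the perimeter model and the Zero Trust checks described above can be shown with a small policy sketch. This is an added example, not code from the original post; the user names, device IDs, network range, and resource names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (assumptions): internal range, entitlements, device inventory.
INTERNAL_NET = ip_network("10.0.0.0/8")
ENTITLEMENTS = {"alice": {"payroll-db"}, "bob": {"wiki"}}  # need-to-know per user
VERIFIED_DEVICES = {"laptop-0042"}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool  # user identity was verified for this request
    device_id: str
    encrypted: bool      # request arrived over an encrypted channel
    source_ip: str
    resource: str

def perimeter_decision(req):
    """Traditional model: anything inside the perimeter is trusted."""
    return ip_address(req.source_ip) in INTERNAL_NET

def zero_trust_decision(req):
    """Deny unless every check passes; the source network is never consulted."""
    if not req.authenticated:
        return False, "user not authenticated"
    if req.device_id not in VERIFIED_DEVICES:
        return False, "device not verified"
    if not req.encrypted:
        return False, "channel not encrypted"
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return False, "no need-to-know for resource"
    return True, "all checks passed"

# Constructed requests: an insider reaching beyond their entitlement, a legitimate
# remote user, and an unverified device sitting inside the network.
INSIDER_LATERAL = AccessRequest("bob", True, "laptop-0042", True, "10.1.2.3", "payroll-db")
REMOTE_LEGIT = AccessRequest("alice", True, "laptop-0042", True, "203.0.113.7", "payroll-db")
INSIDE_UNVERIFIED = AccessRequest("alice", True, "iot-cam-17", True, "10.9.9.9", "payroll-db")

if __name__ == "__main__":
    for name, req in [("insider lateral", INSIDER_LATERAL),
                      ("remote legit", REMOTE_LEGIT),
                      ("inside, unverified device", INSIDE_UNVERIFIED)]:
        print(name, "| perimeter:", perimeter_decision(req),
              "| zero trust:", zero_trust_decision(req))
```

The perimeter check allows the insider's out-of-entitlement request and blocks the legitimate remote user, while the Zero Trust check reaches the opposite decision in both cases.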
(This is Part 1 of the blog, where the concept of Zero Trust security is explained. Part 2 will discuss the various models for implementing Zero Trust security.)