New to zero trust security? Start here

In this exclusive byline, Neil MacDonald, Distinguished VP Analyst, Gartner, elaborates on zero trust security.

Security and risk management leaders need to move beyond the zero trust hype and implement two key projects to reduce risk.

Historically, security models depended on a “castle and moat” type of architecture, with the enterprise network and data center on the inside, and firewalls guarding the perimeter.

Anything located on the outside was considered untrusted. Anything on the inside was considered trusted.

However, trust based on physical location breaks down when users are mobile and when external partners require access. It creates excessive implicit trust — trust that attackers abuse.

Enter zero trust
The term “zero trust” is widely abused in security product marketing. However, it is useful as a shorthand way of describing an approach where implicit trust is removed from all computing infrastructure. Instead, trust levels are explicitly and continuously calculated and adapted to allow just-in-time, just-enough access to enterprise resources.

Zero trust is a way of thinking, not a specific technology or architecture. It’s really about zero implicit trust, as that’s what we want to get rid of.

A complete zero trust security posture may never be fully achieved, but specific initiatives can be undertaken today.

Gartner recommends that organizations looking to implement zero trust start with two network-related security projects. Why start with the network?

TCP/IP network connectivity was built in a time when trust could be assumed. It was built to connect people and organizations, not to authenticate. Network addresses are weak identifiers at best. Zero trust networking initiatives use identity as the foundation for new perimeters.

Project 1: Zero trust network access (ZTNA)
In the past, when users left the “trusted” enterprise network, VPNs were used to extend the enterprise network to them. If attackers could steal a user’s credentials, they could easily gain access to the enterprise network.

Zero trust network access abstracts and centralizes access mechanisms so that security engineers and staff can be responsible for them. It grants appropriate access based on the identity of the humans and their devices, plus other context such as time and date, geolocation, historical usage patterns and device posture. The result is a more secure and resilient environment, with improved flexibility and better monitoring.
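The access decision described above, as an added example that is not part of the original byline or any Gartner or vendor product: a small policy evaluator that combines user identity, device posture, geolocation and time of day, defaults to deny, asks for step-up authentication when MFA is missing, and scopes the granted permissions to the device's posture ("just-enough access"). All names, groups, countries and policy fields are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed example: identities, groups and policy fields are illustrative
# and are not taken from any ZTNA product.


@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in the enterprise device-management system
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    mfa_verified: bool
    device: Device
    country: str          # geolocation as reported by the access broker
    when: datetime        # UTC
    app: str


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: frozenset
    allowed_countries: frozenset
    hours_utc: tuple      # (start_hour, end_hour); access only inside this window


def posture_score(device: Device) -> int:
    """Number of satisfied posture checks, 0..3."""
    return int(device.managed) + int(device.disk_encrypted) + int(device.os_patched)


def decide(req: AccessRequest, policy: AppPolicy) -> tuple:
    """Evaluate one request against one application policy.

    Returns (decision, permissions, reasons) where decision is 'deny',
    'step_up' (MFA needed before access) or 'allow'. Nothing is inferred from
    the network the request arrived on: every check is explicit and the
    default outcome is deny.
    """
    reasons = []
    if req.app != policy.app:
        return "deny", frozenset(), ["policy does not cover the requested app"]
    if not (req.groups & policy.allowed_groups):
        reasons.append("user is not in an allowed group")
    if req.country not in policy.allowed_countries:
        reasons.append(f"geolocation {req.country} is not allowed for this app")
    start, end = policy.hours_utc
    if not start <= req.when.hour < end:
        reasons.append("request is outside the allowed time window")
    if not req.device.managed:
        reasons.append("device is not managed")
    if reasons:
        return "deny", frozenset(), reasons
    if not req.mfa_verified:
        return "step_up", frozenset(), ["multi-factor authentication required"]
    # Just-enough access: a managed device that misses a posture check still
    # gets read access, but write access needs a fully compliant device.
    perms = {"read"} if posture_score(req.device) < 3 else {"read", "write"}
    return "allow", frozenset(perms), []


# Constructed sample policy and devices.
FINANCE_APP = AppPolicy(
    app="finance-portal",
    allowed_groups=frozenset({"finance", "finance-admins"}),
    allowed_countries=frozenset({"US", "CA"}),
    hours_utc=(6, 22),
)
COMPLIANT = Device(managed=True, disk_encrypted=True, os_patched=True)
UNPATCHED = Device(managed=True, disk_encrypted=True, os_patched=False)
PERSONAL = Device(managed=False, disk_encrypted=False, os_patched=True)


def request(device, *, mfa=True, country="US", hour=14, groups=("finance",)):
    """Build a constructed request for a hypothetical user alice@example.com."""
    return AccessRequest(
        user="alice@example.com", groups=frozenset(groups), mfa_verified=mfa,
        device=device, country=country,
        when=datetime(2024, 1, 15, hour, 0, tzinfo=timezone.utc),
        app="finance-portal",
    )


if __name__ == "__main__":
    for label, req in [("compliant", request(COMPLIANT)),
                       ("unpatched", request(UNPATCHED)),
                       ("personal device", request(PERSONAL)),
                       ("no MFA", request(COMPLIANT, mfa=False)),
                       ("off-hours", request(COMPLIANT, hour=2))]:
        print(label, "->", decide(req, FINANCE_APP))
```

The point of the structure is that the broker, not the target application, owns the decision: the app never sees the request until every signal has been evaluated, and each denial carries the reasons so the decision can be logged and reviewed.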

The shift to a largely remote workforce during the COVID-19 pandemic has created intense interest in ZTNA, with media headlines proclaiming, ‘The VPN is dead.’

Although VPN replacement is a common driver for its adoption, ZTNA typically augments, rather than replaces, a VPN. By granting users access only to the applications they need, and by shifting to cloud-based ZTNA offerings, you can avoid overloading your VPN infrastructure.

Longer term, this zero trust network access security posture can continue to be used when people return to the office.

Project 2: Identity-based segmentation
Identity-based segmentation, also known as micro or zero trust segmentation, is an effective way to limit the ability of attackers to move laterally in a network once they have gotten in.

Identity-based segmentation reduces excessive implicit trust by allowing organizations to shift individual workloads to a “default deny” rather than an “implicit allow” model. It uses dynamic rules that assess workload and application identity as part of determining whether to allow network communications.

When starting an identity-based segmentation strategy, begin with a small collection of the most critical applications and servers for the initial implementation and expand from there.
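The "default deny" model and the small-scope rollout described above, as an added example that is not part of the original byline or any segmentation product: it evaluates the same constructed east-west flows under a legacy subnet-based allow list and under identity-based rules, so the difference shows up on a lateral-movement attempt from a compromised host on the "trusted" subnet. Workload names, addresses and the monitor-mode scoping of not-yet-enforced workloads are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: workload identities, addresses and rules are
# illustrative; the rule format is not that of any particular product.


@dataclass(frozen=True)
class Flow:
    src_identity: str   # workload identity attested by an agent/sidecar, not derived from the IP
    src_ip: str
    dst_identity: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_identity: str
    dst_identity: str
    dst_port: int


# Legacy model: the database implicitly trusts anything on the application subnet.
LEGACY_SUBNET_ALLOW = {
    "orders-db": [ip_network("10.1.0.0/24")],
}

# Identity-based model: explicit allow rules; any flow without a rule is denied.
IDENTITY_RULES = frozenset({
    Rule("web-frontend", "orders-db", 5432),
    Rule("orders-api", "orders-db", 5432),
})

# Rollout scope (assumed practice): only these critical workloads have been
# switched to default deny. Flows to other workloads are allowed but logged,
# so missing rules surface before enforcement is extended to them.
ENFORCED_WORKLOADS = frozenset({"orders-db"})


def legacy_decision(flow: Flow) -> str:
    """Implicit-allow model keyed on network location only."""
    for net in LEGACY_SUBNET_ALLOW.get(flow.dst_identity, []):
        if ip_address(flow.src_ip) in net:
            return "allow"
    return "deny"


def identity_decision(flow: Flow) -> str:
    """Default-deny model keyed on workload identity; the source IP is never consulted."""
    if flow.dst_identity not in ENFORCED_WORKLOADS:
        return "allow(monitor)"   # outside the rollout scope: log, do not block
    rule = Rule(flow.src_identity, flow.dst_identity, flow.dst_port)
    return "allow" if rule in IDENTITY_RULES else "deny"


def compare(flow: Flow) -> dict:
    """Decision under both models, for side-by-side review of a flow."""
    return {"legacy": legacy_decision(flow), "identity": identity_decision(flow)}


# Constructed flows.
NORMAL = Flow("web-frontend", "10.1.0.10", "orders-db", 5432)
LATERAL = Flow("build-runner", "10.1.0.55", "orders-db", 5432)   # compromised host, same subnet
WRONG_PORT = Flow("web-frontend", "10.1.0.10", "orders-db", 22)
NOT_YET_ENFORCED = Flow("build-runner", "10.1.0.55", "hr-wiki", 443)

if __name__ == "__main__":
    for name, flow in [("normal", NORMAL), ("lateral", LATERAL),
                       ("wrong port", WRONG_PORT), ("not enforced", NOT_YET_ENFORCED)]:
        print(f"{name:13} {compare(flow)}")
```

The legacy rule allows the lateral flow because the compromised host sits on the same /24 as the legitimate front end; the identity rule denies it because the host's attested identity has no rule to the database, regardless of its address. The monitor-mode outcome for `hr-wiki` is what lets the rule set be built from observed traffic before that workload is added to the enforced set.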

Once you have implemented ZTNA and identity-based segmentation, move on to other initiatives to extend a zero trust approach throughout your technology infrastructure.

For example, remove remote admin rights from end-user systems, pilot a remote browser isolation solution, encrypt all data at rest in the public cloud and start scanning containers that your developers are creating for new apps.