John Kindervag, then at Forrester (and, as of July 2019, at Palo Alto Networks), came up with the concept of Zero Trust in 2010. Surprisingly, it has taken almost a decade for it to become a hot topic. These days just about every security vendor offers a zero-trust product or solution set. Promising risk mitigation, business agility, innovation, ease of cloud migration, and every other business buzzword (maybe not A.I.), the vendors' go-to-market stories on zero trust are hard not to be sold on. But what is this utopian dream, and can you just buy one?
Zero trust came about because traditional perimeter-based security did not address internal threats, nor an outside attacker who compromises an internal resource and then moves laterally through the network. This lack of control and visibility over internal resources and the lateral movement between them, together with the blurring of the perimeter brought on by cloud migration, are the concerns zero trust aims to address. Technically speaking, Zero Trust has three fundamental principles:
- Trust nothing – this includes devices, users, applications, things and locations
- Encrypt, authenticate, and authorise everything
- Inspect, log and monitor everything
In a zero trust environment, nothing is trusted by default. You may be an employee seated in the head office, but you must first be authenticated, then be granted only the least privileges required to do your job, and all of your activity must be logged and monitored. This ensures that only authenticated and authorised users and applications receive the access they need, and that if that access is then used for strange or compromising behaviour (port scans or other reconnaissance-type activity, for example), it is logged, monitored, alerted on and acted upon. Location plays no part in that chain: a desk in head office earns no more trust than a laptop in a coffee shop.
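As an added illustration of the three principles above (this is example code, not something from the original post or from any vendor's product), here is a small Python policy enforcement point. Every request is authenticated with a signed token (a hypothetical `user:timestamp:HMAC` format standing in for a credential from a real identity provider), authorised against an explicit least-privilege policy, and logged whether it was allowed or denied. A separate check then runs over that log to flag the reconnaissance pattern the paragraph describes: one identity touching many distinct ports in a short window. The secret, the policy, the host names and the traffic are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed for this example: a shared secret and a least-privilege policy
# mapping each identity to the only (host, port) pairs it may reach.
SECRET = b"demo-shared-secret"
POLICY = {
    "alice": {("payroll-db", 5432)},
    "bob": {("wiki", 443), ("git", 22)},
}


def issue_token(user, issued_at, secret=SECRET):
    """Mint a hypothetical 'user:timestamp:hmac' token (stand-in for an IdP-issued credential)."""
    sig = hmac.new(secret, f"{user}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{issued_at}:{sig}"


def authenticate(token, now, max_age=300, secret=SECRET):
    """Return the user if the token is genuine and fresh, otherwise None.
    Every request is checked; there is no 'already inside the network' shortcut."""
    try:
        user, ts, sig = token.split(":")
        ts = int(ts)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{user}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if ts > now or now - ts > max_age:
        return None
    return user


def authorise(user, host, port, policy=POLICY):
    """Least privilege: allow only what the policy explicitly grants."""
    return (host, port) in policy.get(user, set())


def enforce(token, host, port, now, log):
    """Policy enforcement point: authenticate, then authorise, then log the decision.
    Denied requests are logged too; they are the raw material for detection."""
    user = authenticate(token, now)
    if user is None:
        decision, reason = "deny", "unauthenticated"
    elif not authorise(user, host, port):
        decision, reason = "deny", "not-in-policy"
    else:
        decision, reason = "allow", "policy"
    log.append({"t": now, "user": user, "host": host, "port": port,
                "decision": decision, "reason": reason})
    return decision


def detect_port_scans(log, window=60, threshold=5):
    """Flag any identity that touches >= threshold distinct ports within `window`
    seconds. Denied probes count: a blocked connection is still reconnaissance."""
    by_user = defaultdict(list)
    for entry in log:
        if entry["user"] is not None:
            by_user[entry["user"]].append((entry["t"], entry["port"]))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        for t0, _ in events:
            ports = {p for t, p in events if t0 <= t < t0 + window}
            if len(ports) >= threshold:
                flagged.add(user)
                break
    return flagged


def run_demo():
    """Constructed traffic: one legitimate query, one forged token, one recon burst."""
    log = []
    t = 1_700_000_000
    enforce(issue_token("alice", t), "payroll-db", 5432, t, log)        # allowed by policy
    enforce("mallory:%d:deadbeef" % t, "payroll-db", 5432, t, log)      # denied: bad signature
    for i, port in enumerate((22, 23, 80, 445, 3389, 8080)):            # bob probing a host not granted to him
        enforce(issue_token("bob", t), "payroll-db", port, t + i, log)  # each denied, but every probe is logged
    return log, detect_port_scans(log)


if __name__ == "__main__":
    log, scanners = run_demo()
    for entry in log:
        print(entry)
    print("flagged for reconnaissance:", scanners)
```

Two design points worth noting. The signature check uses `hmac.compare_digest` rather than `==`, so a forged token cannot be refined byte by byte through timing differences. And the detector deliberately reads the denied entries as well as the allowed ones: in the demo every one of bob's probes is refused by the policy, yet it is precisely that string of refusals that reveals the scan, which is why "log everything" is a principle in its own right rather than a by-product of the other two.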