In the past, network security meant ensuring that traffic to and from external networks was legitimate and that access to internal resources was secure. This was sufficient to protect against most types of security threats and attacks, and a properly configured firewall could provide adequate security. However, network boundaries are collapsing into a flatter model in which employees expect to access resources both at home and at work, using a variety of devices, while your suppliers, partners, customers and other people who deal with your organization expect you to handle web-based transactions, from posting a project proposal or a CV to working collaboratively in real time on enterprise projects.
This requires exposing your data more widely, so protecting the network perimeter is no longer sufficient. You cannot reasonably base the security of your information and technology assets on the belief that all of these people will adhere to your security requirements or follow basic data security practices, such as not writing down passwords and choosing hard-to-guess ones. In essence, you trust no one when it comes to information security: information is one of the greatest assets of any business or organization, and anyone can inadvertently compromise the security of your organization’s information. This is the fundamental concept of a zero trust network.
The Zero Trust Network model was created by John Kindervag of Forrester Research. It enforces security by focusing on protecting computing resources and data rather than on where a request sits relative to a network perimeter. The focus of the Zero Trust Network model is to ensure that data is delivered securely; the earlier network security model worked by inspecting packets to and from an external network, which is no longer sufficient now that more people require access to your network in one way or another.
It is well suited to web 2.0 applications and cloud-based computing, where security has to be a core requirement of the design and operation of the network from the start. There are several key requirements of the Zero Trust Network model you need to follow to ensure the security of your data and computing resources.
All resources in a network should be accessed securely. As more of your employees, customers and others bring their own devices to work and use them to access your computing resources, it is imperative to ensure that access to your data is secure. This includes mechanisms such as authentication (password-based, biometric, security cards etc.) and access controls matched to your requirements. All data and resource access should be via encrypted channels, and traffic legitimacy should be determined intelligently, for example with captchas, which will annoy legitimate users if applied indiscriminately.
Proper access to data must be strictly enforced and should be on a need-to-know basis. Employees are among the worst offenders when it comes to creating security threats and compromising data security, intentionally or not, through practices such as not clearing apps with IT personnel before installing them, emailing documents and files to their personal email accounts, password misuse… the list is endless. To ensure the security of data, people should only access what they need to access: a manager, for example, should be able to increase the bonuses of their subordinates but not their own. With more people accessing your data, it is important to ensure that they not only access it securely but access it only in the way they are meant to, and see only what they are meant to see.
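The two requirements above, secure access on every request and need-to-know authorization, can be seen together in a small policy decision function. The code below is an added example, not part of the original article or of Forrester's model; the employee names, the reporting lines and the two actions ("view_bonus" and "increase_bonus") are constructed for illustration. The point it makes is the zero trust one: the network a request came from is recorded but never consulted, so an unauthenticated request from the corporate LAN is refused exactly like one from outside, and a manager who can raise a direct report's bonus is still refused when the target record is their own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    subject: str          # identity asserted by the presented credential
    authenticated: bool   # credential verified (password plus second factor, card, etc.)
    encrypted: bool       # request arrived over an encrypted channel such as TLS
    source_network: str   # where it came from; recorded for logging, never trusted
    action: str           # "view_bonus" or "increase_bonus"
    target: str           # employee record the action applies to


# Constructed reporting lines (employee -> direct manager); hypothetical data.
MANAGER_OF: Dict[str, str] = {
    "alice": "carol",
    "bob": "carol",
    "carol": "dave",
}


def decide(req: Request, manager_of: Dict[str, str] = MANAGER_OF) -> Tuple[bool, str]:
    """Policy decision for one request. Every check runs on every request;
    req.source_network is deliberately never consulted."""
    # 1. Secure channel: plaintext requests are refused outright.
    if not req.encrypted:
        return False, "refused: unencrypted channel"
    # 2. Authentication: an unverified identity gets nothing, even from the LAN.
    if not req.authenticated:
        return False, "refused: unauthenticated"
    # 3. Need-to-know: people may see their own record and their direct reports'.
    is_self = req.target == req.subject
    is_report = manager_of.get(req.target) == req.subject
    if req.action == "view_bonus":
        if is_self or is_report:
            return True, "allowed: own record or direct report"
        return False, "refused: not your record or your direct report's"
    # 4. Least privilege: a manager may raise a direct report's bonus, never their own.
    if req.action == "increase_bonus":
        if is_self:
            return False, "refused: cannot change own bonus"
        if is_report:
            return True, "allowed: direct report"
        return False, "refused: not a direct report"
    # 5. Default deny for any action the policy does not know about.
    return False, f"refused: unknown action {req.action!r}"


def run_samples() -> List[Tuple[str, bool]]:
    """Constructed requests and the decision each one gets."""
    samples = [
        ("manager raises report's bonus from home",
         Request("carol", True, True, "home", "increase_bonus", "alice")),
        ("manager raises own bonus",
         Request("carol", True, True, "corporate_lan", "increase_bonus", "carol")),
        ("unauthenticated request from the corporate LAN",
         Request("carol", False, True, "corporate_lan", "increase_bonus", "bob")),
        ("skip-level manager raises bonus two levels down",
         Request("dave", True, True, "corporate_lan", "increase_bonus", "alice")),
        ("employee views own bonus from a partner network",
         Request("alice", True, True, "partner", "view_bonus", "alice")),
        ("valid identity over a plaintext channel",
         Request("carol", True, False, "corporate_lan", "view_bonus", "alice")),
    ]
    return [(label, decide(req)[0]) for label, req in samples]


if __name__ == "__main__":
    for label, allowed in run_samples():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

Note that the checks are ordered so that channel and identity are settled before any data-specific rule runs, and that the final line is a default deny: an action the policy has not been taught about is refused rather than allowed by omission. Real deployments would replace the in-memory reporting map with an identity directory and add device checks, but the decision shape stays the same.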
Migrating your network to the Zero Trust Network model will result in fewer security incidents and reduce your organization’s network security-related risk, something worth investing in during the age of connectivity.