Historically, when it comes to cybersecurity, organizations long relied on the castle-and-moat approach. Also known as the perimeter security model, it assumes that a network inherently trusts everyone — users and devices —inside the perimeter, thus giving gives them complete access while directing all suspicion to those outside.
However, this location-based model is seriously risky: it focuses only on who goes in and out of the network, not what occurs inside it. The result? Costly data breaches, as hackers or threat actors could penetrate and move freely undetected within the network and wreak havoc once they somehow managed to gain access through the perimeter.
The perimeter-based model originally served organizations whose data resided in on-premise data centers, with only a few users needing remote access.
Today, of course, that has all changed: users today rely on remote access.
As organizations and businesses move their applications to the cloud, they now distribute data and other resources across multiple data centers in various regions. Users around the world can connect to these networks, which is great, but this also introduces new security vulnerabilities and attack surfaces specifically related to cloud infrastructure. Some of these include:
These cloud threats are very dynamic. Unfortunately, traditional security measures, like perimeter security, cannot withstand such a hostile environment. Old ways of securing are no longer effective in protecting cloud-based assets. DevSecOps teams now have to safeguard apps against known vulnerabilities and also against zero-day attacks. They do it with an identity-based security model called zero trust.
The concept of zero trust was first introduced in the 1990s by a group of security professionals called the Jericho Forum, who proposed a new security approach that eliminated the need for a trusted internal network.
Only later, in 2010, was the term "zero trust" coined by a former Forrester Research analyst John Kindervag. Today, it's been adopted by the industry at large.
In 2020, attackers exploited SolarWinds software. This lets attackers access hundreds of the company’s customers. Later that year, and likely in response, the U.S. National Institute of Standards and Technology (NIST) established a definition of Zero Trust approach in Special Publication 800-207, as part of a rejuvenated effort to mitigate malware, ransomware, and other types of global cybersecurity threats, defining:
[Zero trust as a] “term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
In May of 2021, President Joe Biden signed Executive Order 14028 known as "Improving the Nation's Cybersecurity," to improve supply chain security in the US and prevent similar incidents from occurring.
(See how Splunk supports CISA's zero trust strategy.)
The zero trust model operates on the concept of “never trust, always verify.” It's not a specific architecture, product, or software solution. Instead, it’s a methodology for secure access and a critical part of enterprise security.
Zero trust requires that every user and device that attempts to access an organization’s resource, including employees of the organization, must continuously undergo identity verification. This means that Security and DevSecOps teams should assume that an attacker might already be present inside the network.
Every time a user tries to access a new resource, the system reassesses trust, ensuring that no connection is trusted, even if it has previously accessed the network. Zero trust also places limits on all user's accounts in the network, such that if an attacker compromises an account, they won't be able to move laterally around the entire network.
Any organization today — any size, any stripe — stores data in a variety of locations and apps, both on-premises and in cloud environments. This allows wide access to a variety of folks: employees, vendors, contractors, partners, and other authorized users (and all their personal devices).
For example, Tina is authorized to use her company’s case management system from her personal laptop. Tina makes a request from that device and is granted access. Eventually, she downloads software from an unauthorized source. This could be something as simple as a printer driver or a photo.
In a zero trust environment, security teams continuously monitor the device, flagging any unauthorized downloads.
This newly added component has altered the configuration — and, therefore, the trust score — of the device in question. When the employee attempts to connect to the system, their access might be denied or downgraded depending on their new trust score and associated policy.
In this way, looking at the trust across multiple factors (the user, their device, and the downloaded resource) helps security teams understand dynamic risks in the enterprise. Layering this information together provides more context.
To be successful, a Zero Trust framework entails several core underlying principles, including:
For decades, individually authenticating every object requesting access to a network was basically impossible. Today, multiple technologies specialize in various models of access control — that is, a set of rules to determine who should be granted access to a restricted location and/or critical information. A Zero Trust architecture can stitch these systems together, reducing the complexity of managing multiple controls independently.
(Related reading: role-based vs. attribute-based access control: what's the difference?)
Zero trust has garnered a lot of attention in recent times, but there have also been a lot of misconceptions. Let's debunk some popular myths surrounding it:
Reality: Zero trust doesn't mean no trust — it means intelligent and smart trust. Contrary to popular belief, zero trust doesn't imply a total absence of trust but rather a more enlightened and very conditional trust.
Reality: Zero trust is relevant and beneficial for organizations of all sizes and industries. From small startups to large enterprises, everyone needs to ensure secure access to their resources.
Reality: Zero trust is not necessarily a complete replacement for traditional measures and controls. Instead, regard it as a complementary solution that involves gradually adding security controls to the existing infrastructure.
Reality: Zero trust is a security framework for protecting information and data. It's not a single product but a comprehensive approach that requires technologies, security policies, and procedures.
Reality: Organizations can implement zero trust security in all environments, including on-premises, cloud-based, and hybrid cloud settings.
Zero trust architecture (ZTA) or zero trust network architecture (ZTNA) is a cybersecurity architecture based on the principles of zero trust. The American Council for Technology and Industry Advisory Council (ACT-IAC) outlines the six pillars of a Zero Trust security model, each built upon a foundation of data. These pillars are:
In virtual private networks (VPNs), an "implicit trust" model grants users access to resources once verified, even if they don't need them for a specific task. Because VPNs route all user traffic through a central gateway, latency issues for globally distributed teams are common, regardless of the resource's location.
In contrast, ZTNA continuously validates users' identities for every access request, whether internal or external.
Plus ZTNA enables direct-to-resource access, connecting users directly to the service they need, no matter where it is hosted. This approach improves performance, especially when working with resources across different regions.
While the two technologies differ in approach, they do share some key commonalities:
Implementing a Zero Trust architecture depends on many variables based on your current network setup. In a Zero Trust security model, access to a network is achieved based on a user’s or device’s identity, location, and permissions. A comprehensive guide to getting started is beyond the scope of this post, but below is a high-level overview of how it works.
First, identify and evaluate all your organization’s most critical assets in order of priority, including endpoints, users, applications, servers, and data centers that hackers might target. Properly understanding the posture of protected assets — as well as the systems used to access these resources — helps with risk scoring and security incident prioritization. For example:
Authenticate users and devices using single sign-on (SSO) or multi-factor authentication (MFA) methods such as passwords or biometrics. This adds extra layers of security to protect all sensitive data from malicious actors, even if one authentication method is compromised.
After authenticating users and devices, grant them access only to the specific data and resources they need to complete their tasks based on their assigned permissions and roles. In the cloud, use role-based access control (RBAC) or attribute-based access control (ABAC) to enforce least-privilege access to cloud and cloud-native applications, containers, and microservices.
You can also perform network segmentation: Divide the network into smaller segments or regions that are properly isolated from one another to reduce lateral movement and minimize the surface area of potential attacks.
Monitor user and device activities in real time and analyze them carefully for potential threats. If a threat is detected, log it and alert the appropriate teams.
With any implementation, there are some challenges to be aware of:
Compatibility issues. You might experience compatibility issues because legacy applications likely won't integrate with modern security measures like zero trust, creating security gaps in the system that may require you to implement strategic updates or replacements.
Culture shift. Implementing zero trust in the cloud brings about stricter access controls and requires a shift in the already existing security culture of an organization. This shift can put a strain on the overall work experience.
For example, in an organization, employees accustomed to seamless access to resources may encounter authentication hurdles like multiple verification steps, potentially impacting their productivity.
(Related reading: organizational change management.)
Cloud compliance and governance. Many organizations often operate in regulated industries like healthcare and finance, which have to comply with strict data protection regulations like HIPAA and PCI DSS. Implementing zero trust in the cloud can challenge compliance with these rules, as multiple users may access sensitive data scattered across multiple locations. Organizations should:
Risk of vendor lock-in. Implementing zero trust in the cloud often means choosing what cloud vendor to work with. Vendor lock-in can be a real challenge: businesses may become overly dependent on a particular vendor, which can limit flexibility, become costly over time, or hold you back from emerging features you need. To tackle vendor lock-in, organizations should:
Cost of implementation. Setting up zero trust security in the cloud can be quite resource-intensive. From hiring skilled personnel and training internal staff to acquiring new technology and other cloud costs.
Fortunately, you can prepare overcome these challenges with some smart preparation.
Create a strategic plan that includes an inventory of all sensitive and non-sensitive data and resources in the cloud infrastructure. The plan should:
Gradually introduce zero trust into your security system and avoid overwhelming users in the process. Prioritize critical assets first and continue until you've secured the entire system.
Both IT/DevSecOps and security teams need to work together effectively. As a result, IT teams should provide comprehensive information about cloud design and infrastructure. Meanwhile, security teams must identify potential risks and, subsequently, develop solutions to mitigate them.
The key to a successful Zero Trust network, therefore, is understanding who is making access requests and from which devices. Consequently, this understanding enables organizations to map those requests to access policies specific to each application or asset. Ultimately, it requires CISOs, CTOs, and CIOs to consider and possibly update the security strategy and network architecture.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.