Zero trust: ten years later. Is it time to think bigger?
As the concept of zero trust turns 10 years old, many of us in cybersecurity are asking two key questions:
- Why is zero trust popping up so much?
- Is zero trust something we believe we can implement?
Chase Cunningham, Principal Analyst at Forrester, explained in a recent blog (The Tao of Zero Trust) that zero trust has become a hit again because it helps explain the current landscape in two ways:
- First, it reflects the fact that enthusiasm (and related spending) to create a perfectly safe environment has dried up. Companies now realize that a perfectly safe environment is simply not possible—ever.
- Second, C-level execs have grown weary of acronym soup and technology-focused discussions. They want security that is more straightforward. “Zero trust is simple in name, comprehensive in its approach, and realistic in the acceptance of the inherent failures that plague enterprises from the second they start sending electrons,” Cunningham writes.
We would add a third and vital point: zero trust is picking up steam again because the technology required to decouple application access from network access, and so actually implement a zero trust model, is now available. When zero trust was born, secure application access required dedicated networks, firewalls, and inbound gateway appliances that operated on a “deny, deny, deny” mentality; even so, they remained overly trusting (and continue to be), because anyone who passed the gateway landed on the network itself.
Cloud technologies were not yet widely adopted, and the mobile workforce was only a fraction of what it is today. There wasn’t much hope of doing more than talk about zero trust.
Zero trust from theory to practice
Today, zero trust is no longer just a theory. The model describes the reality of the current cybersecurity landscape, which includes cloud-hosted technologies that were born in the cloud era (not retrofitted to fit within it), such as zero trust network access (ZTNA) technologies, also known as software-defined perimeters (SDPs), and identity providers (IDPs).
Yet the zero trust model is often misrepresented by vendors peddling network security hardware appliances that still place users on the network, which widens the attack surface and exposes corporate networks and applications to ransomware and DDoS attacks.
At the same time, many companies struggle with saying goodbye to the firewalls in their data center and other decades-old technologies, and saying hello to a cloud-hosted security approach instead, even though this is what’s required to make zero trust possible. But what to do about it? Some suggest that most companies should just learn to change cybersecurity light bulbs—that is, do simple things, such as patching, implementing multifactor authentication, and properly configuring their firewalls before they build a zero trust nuclear reactor. We believe in thinking differently altogether, thinking bigger.
Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) framework builds on the foundation of zero trust. It allows teams to embrace a new mode of thinking in which zero trust is a part of a larger framework geared toward providing access to private apps based on a user’s identity and the specific app they are attempting to access.
At Zscaler, we agree with Gartner’s point: It’s not that we are now in a perimeter-less world; instead, the number of perimeters has multiplied. The new perimeters aren’t around the data center, but around the user, their devices, and individual applications. This is why I like the CARTA concept of adaptive, lean, and just-in-time security: the idea of giving as little access as possible, only for the necessary duration of time, and then monitoring this access tightly to assess additional risk and anomalous activity.
The reality is that as enterprises move to cloud, they can no longer control the network. So “network security” becomes impossible. Security must be user- and app-defined, not IP- and port-defined. It’s the only way to provide access based on context and sufficiently monitor that access and activity. Companies must refine their thinking about zero trust and realize that it’s cloud, not appliances, that deliver it.
How Zscaler helps bring zero trust to life
Gartner CARTA is a framework we aim to help our customers adopt. Here are some of our suggestions for putting zero trust into practice.
Companies should move away from thinking about security based on network perimeters and instead adopt architectures based on multifactor authentication and microsegmentation.
- The big idea of zero trust was that companies should operate as if they never trust anyone. That sounds great, but in reality, trust has to be established at some point or no user could ever actually do their work.
- Trust shouldn’t be dependent on a perimeter in an increasingly cloud-based world. A perimeter should be formed wherever and whenever the user connects; that is the only approach that scales globally.
We designed our technology so that it decouples application access from network access altogether. Connecting users directly to the application they need is safer than placing them onto the corporate network. This alone can greatly reduce a company’s attack surface.
A robust, real-world implementation of zero trust enables:
- Protection against ransomware worms that spread laterally across flat networks, such as WannaCry, Bad Rabbit, and NotPetya, because users are never placed on the network in the first place
- A seamless and secure experience across all users, apps, and devices without the need to place users on the network
- Inside-out connections that enable customers to cloak private apps from internet-based attacks
- Microsegmented access to specific applications for authorized users
- Visibility into user activity to monitor for anomalous activity
- Elimination of legacy VPN inbound gateways, reducing the cost and management overhead of external load balancers, DDoS prevention, firewalls, and VPN appliances
Zscaler Private Access (ZPA) serves as a trusted broker, creating microtunnels from an authorized user’s device directly to the specific application they are accessing. This broker stitches together the connection between user and application in the Zscaler cloud, which is how it provides true application access without network access.
This approach also helps standardize security across hybrid and multi-cloud environments with no change to the existing infrastructure. As ZPA is entirely software- and cloud-based, it can actually accelerate a company’s adoption of cloud services.
Security must always work to support the business, not prevent it from succeeding, remaining competitive, or being productive. People use personal devices at work, the airport, hotels, home, and then back at work the next day. Those devices are used to access applications inside environments managed by us as well as those hosted in the cloud. Because we no longer control all the networks, we need security that is omnipresent where users are, and on whatever device is most convenient. This is what Gartner CARTA strives to accomplish.
The Gartner CARTA model is the most compelling in terms of meeting the needs of today’s BYOD enterprise landscape. Instead of a walled-off perimeter around the data center surrounded by a stack of appliances, the CARTA model asks companies to erect a software-defined perimeter, which treats everyone like a zero trust user who needs to be validated and understood before even being able to see a private application. In this model, users are allowed access based on context; there is no such thing as universal access at all times. With contextual access, users are given access based on their situation at the time (for example, whether they are connecting from inside or outside the perimeter, and from what device) and on what they’re authorized to access. Finally, with CARTA, monitoring looks not only at events that occurred in the past, but also at what’s happening in real time.
We thus operate from a set of fundamental tenets that includes:
- Application access without network access
- Inside-out connections to ensure applications are not exposed to the internet and that unauthorized users cannot see private apps
- App segmentation, without the need for network segmentation, to reduce lateral movement
- Encrypted tunnels over the internet as the new corporate network
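To make the contrast between IP/port security and user- and app-defined, just-in-time, contextual access concrete, here is an added illustration. It is not Zscaler or ZPA code; it is a toy policy decision point written for this page. A network ACL admits any host in a source range, so a compromised internal machine gets the same access as the employee sitting at it. The per-app policy instead decides on identity, application name and context (MFA, device posture), hands out a grant with a short lifetime, and a monitoring pass flags any observed access that no still-valid grant covers. All user names, application names, addresses, policies and log events are constructed for the example.

```python
# Added illustration, not Zscaler/ZPA code: a toy policy decision point that
# contrasts an IP/port network ACL with identity- and app-defined, time-bounded,
# context-checked access plus monitoring. All names, IPs and policies are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# --- Legacy model: a network ACL. Any host in the source range reaches the port,
# whoever is sitting at it, and a compromised host can pivot from there.
NETWORK_ACL = [("10.0.0.0/8", "10.20.30.40", 443)]  # constructed rule


def network_acl_allows(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """IP/port decision with no notion of user identity or target application."""
    return any(
        ip_address(src_ip) in ip_network(net) and dst_ip == host and dst_port == port
        for net, host, port in NETWORK_ACL
    )


# --- Zero trust / CARTA model: who, which app, in what context, for how long.
@dataclass(frozen=True)
class Request:
    user: str
    app: str              # application name, not an address on the network
    mfa: bool             # did the identity provider see a second factor?
    device_managed: bool  # device posture signal from the client
    when: datetime


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    expires: datetime     # just-in-time: access lapses on its own


# Per-app policy (constructed). Apps not listed here are invisible to everyone.
APP_POLICY = {
    "payroll": {"users": {"alice"}, "mfa": True, "managed_device": True, "ttl_min": 30},
    "wiki": {"users": {"alice", "bob", "eve-contractor"}, "mfa": True,
             "managed_device": False, "ttl_min": 480},
}

# Fixed clock for the constructed scenario.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def decide(req: Request) -> Optional[Grant]:
    """Return a time-bounded Grant, or None. An unauthorized user gets the same
    answer for an unknown app as for a real one they may not see."""
    rule = APP_POLICY.get(req.app)
    if rule is None or req.user not in rule["users"]:
        return None
    if rule["mfa"] and not req.mfa:
        return None
    if rule["managed_device"] and not req.device_managed:
        return None
    return Grant(req.user, req.app, req.when + timedelta(minutes=rule["ttl_min"]))


def audit(events: Iterable[Tuple[str, str, datetime]],
          grants: Iterable[Grant]) -> List[Tuple[str, str, str]]:
    """Continuous monitoring: flag observed (user, app, time) accesses that no
    still-valid grant covers, e.g. use after expiry or of an app never granted."""
    grants = list(grants)
    return [
        (user, app, when.isoformat())
        for user, app, when in events
        if not any(g.user == user and g.app == app and when <= g.expires for g in grants)
    ]


def demo() -> dict:
    # Any internal host passes the ACL, including one that has been compromised.
    acl = network_acl_allows("10.5.5.5", "10.20.30.40", 443)

    requests = [
        Request("alice", "payroll", mfa=True, device_managed=True, when=T0),
        Request("eve-contractor", "payroll", mfa=True, device_managed=True, when=T0),
        Request("alice", "payroll", mfa=True, device_managed=False, when=T0),
        Request("bob", "wiki", mfa=True, device_managed=False, when=T0),
    ]
    grants = [g for g in map(decide, requests) if g is not None]

    # Constructed access log: one legitimate, one after the 30-minute grant lapsed,
    # one from a user who was never granted payroll at all.
    events = [
        ("alice", "payroll", T0 + timedelta(minutes=10)),
        ("alice", "payroll", T0 + timedelta(minutes=45)),
        ("bob", "payroll", T0 + timedelta(minutes=5)),
    ]
    return {"acl_allows_any_internal_host": acl,
            "granted": [(g.user, g.app) for g in grants],
            "anomalies": audit(events, grants)}


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The decision function returns the same `None` for an app that does not exist and for one the user is not entitled to, which is the “cannot even see the private application” property the text asks for. And a grant carries its own expiry, so the monitoring pass needs no separate revocation step to catch access that has outlived its purpose.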
What we’ve learned
In our experience, companies that strive only to achieve zero trust will soon discover two realities. The first is that network security appliances are inherently overly trusting, as they always require putting employees (and even partners) on the network. This over-privileged access is the opposite of what true zero trust promises. The second is that zero trust security is not the end goal. It’s only the beginning. Context and ongoing monitoring to assess risk are two additional pillars that are often overlooked. Together, zero trust, contextual access, and ongoing monitoring are the three pillars that make up the Gartner CARTA framework.
This realization has already led to success in multiple enterprise security use cases:
- Using ZTNA/SDP technologies as an alternative to remote access VPNs
- Securing third-party access with this new model
- Simplifying access to private apps across a multi-cloud environment
- Accelerating mergers and acquisitions
So, thanks, zero trust. You opened our minds to CARTA!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Chris Hines is the head of product marketing for Zscaler Private Access and Z App.