Created by John Kindervag in 2010 who was a principal analyst at Forrester Research Inc. "Zero Trust Model" or "Zero Trust Architecture" requires strict identity verification of any device or person sitting inside or outside of the network and trying to access the resources.
Traditional IT networks typically allow all access from inside and restrict it from outside, which could lead to insider threats to roam free. As today's IT networks are becoming more sophisticated with the introduction of Cloud Computing, VPN, IPSec Tunnel, IoT, the risk to the integrity and confidentiality of data is also rising, and having single security control across the network is not possible.
Zero Trust Model simply states "Don't trust anyone either from the internal or external network and always verify". 2017 Annual Cybercrime Report by Cybersecurity Ventures predicts that the cybercrime will cost the world over $6 trillion annually by 2021, up from $3 trillion in 2015. A recent study from IBM predicted that the average cost of a data breach is over $3 million. Companies are shifting their focus on adopting the Zero Trust model to prevent the data breaches.
The problem with traditional IT networks is that organizations often don't consider the threat from inside and let too many services running open on the internal network. Organizations need to redesign their IT network as the isolation of doesn't exist anymore. In order to eliminate the threat implementing the Zero Trust model can be costly in the initial stages but may act as a cost-effective solution in case of a data breach.
Zero Trust Model relies on various technologies and processes to create a security perimeter.
1. It requires organizations to utilize micro-segmentation, creating segments and zones in the network separated by security perimeters. Users require a separate type of access for every segment.
2. The access can be granted to the users on a "need to know" basis.
3. Multi-Factor-Authentication (MFA) to be implemented for accessing the resources to identify the actual person or device. Various technologies such as IAM, encryption, etc can be implemented under the Zero Trust Model to add an extra layer of security.
Photo Credits: Akamai
How to implement the Zero Trust Model?
Implementing the Zero Trust Model requires CIO, CISO, and executives to prioritize what moves to the model and what can wait? Organizations also need to understand that the Zero Trust requires an ongoing effort and certain implementations under the model may get challenging. Organizations may also hire third parties such as Security Spoc™ experts who have experience of implementing the Zero Trust Model across various banks, financial and private organizations.