Sponsored by BT

Does every business need zero trust?


The term “zero trust” was coined by Stephen Paul Marsh in 1994 in a doctoral thesis focusing on how humans and computers can make decisions despite uncertainty.

Almost 25 years later, American cybersecurity researchers at NIST and NCCoE published a paper that focused on one particular area of computer decision making. It described zero trust architecture as a collection of concepts and ideas designed to minimize uncertainty regarding IT access requests.

Now, in the 2020s, when experts talk of zero trust, it is pitched almost as a necessity for a future in which threats become ever more evolved and sophisticated. It’s also a nod to a fear that the perimeter-based method of old will leave businesses at serious risk.

Zero trust is as much a state of mind as it is an IT procedure; where traditional network security gives those inside the network the assumption of being trustworthy, zero trust takes that away. It assumes everything needs to be checked and approved before access is granted, no matter who is apparently making the request or whether it’s coming from inside or outside the network. In short, “never trust, always verify” should be the approach across the organization, for all data points and all users, regardless of identity, location, or device. Everyone and everything will need to verify its identity.

At an enterprise level, it's a cybersecurity plan that encompasses component relationships, workflow planning, and access policies. Organizations with a zero trust approach will have a network infrastructure – both physical and virtual – that’s managed and supported with company-wide policies for security.

There are a number of ways to implement such an approach, though a full zero trust architecture will include enhanced identity governance and policy-based access controls, micro segmentation, network overlays, and software-defined perimeters.

Why do businesses need zero trust?

Digital transformation is making traditional perimeter-based cybersecurity models ineffective and irrelevant. Data is no longer simply contained within a single environment controlled by the business it belongs to, as was the case in the past. The rapid increase of remote working, BYOD, and IoT over the last ten years has created multiple endpoints for the average business, leaving ample opportunity for malicious attacks.

What’s more, the hacker tool kit has never been more innovative, with an abundance of techniques at attackers’ disposal. The growth and increasing sophistication of generative AI is only going to make the situation worse.

Cyber attacks are steadily increasing year-on-year, according to research from Check Point. With a 30% rise in weekly attacks on corporate networks in Q2 2024, and a 25% rise compared to Q1 of this year, the security firm estimates that there are now an average of 1,636 attacks per organization, per week. Among the many recommendations laid out in the report, Check Point lists ‘zero trust architecture’ – the implementation of “strict identity verification for every person and device attempting to access network resources” – as a key strategy in combating this raised threat level.

The UK’s National Cyber Security Centre (NCSC) recommended that network architects consider a zero trust approach for new IT deployments in 2019. It now recommends the use of a single strong source of user identity, machine authentication, and additional context. This could include policy compliance and device health, authorization policies to access an application, and access control policies within an application.

The benefits of zero trust

As zero trust is a company-wide strategy, IT leaders will need to convince everyone in the business to adopt it, which will require in-depth knowledge of the benefits.

Some of the most common attacks enterprises deal with today involve compromised user accounts or devices being used to access the wider system. In a zero trust model, however, every action a user or device takes is subjected to some form of policy decision. This might not even be seen on the user’s side, but it allows the business to verify every attempt to access data and resources. If there is an attempted cyber attack, this will make it harder for the would-be attacker to make any progress or get what they want.
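The per-request policy decision described above, combined with the signals the NCSC guidance lists (user identity, machine authentication, device health, application authorization), can be sketched as follows. This is an added example, not code from the article or from any product; the application names, groups and field names are hypothetical.

```python
from dataclasses import dataclass

# Constructed per-application authorization policy (hypothetical apps and groups).
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "require_compliant_device": True},
    "wiki": {"groups": {"staff", "finance"}, "require_compliant_device": False},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    idp_verified: bool          # user authenticated by the single identity source
    device_authenticated: bool  # device proved its own identity
    device_compliant: bool      # device health / policy compliance signal
    app: str
    source_network: str         # kept for logging only, never used to grant access

def decide(req):
    """Return (allowed, reasons). Default deny; all signals checked on every request."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, ["no policy for application"]
    reasons = []
    if not req.idp_verified:
        reasons.append("user identity not verified")
    if not req.device_authenticated:
        reasons.append("device not authenticated")
    if policy["require_compliant_device"] and not req.device_compliant:
        reasons.append("device fails health/compliance check")
    if not (req.groups & policy["groups"]):
        reasons.append("user not authorized for application")
    return (not reasons), reasons

# Constructed requests: the same valid user account in two different contexts.
INSIDE_UNMANAGED = AccessRequest("alice", frozenset({"finance"}), True,
                                 False, False, "payroll", "corporate-lan")
REMOTE_MANAGED = AccessRequest("alice", frozenset({"finance"}), True,
                               True, True, "payroll", "home-broadband")

if __name__ == "__main__":
    for r in (INSIDE_UNMANAGED, REMOTE_MANAGED):
        print(r.source_network, decide(r))
```

The request from inside the corporate network is refused because the device cannot be verified, while the remote request from a managed device is allowed: network location plays no part in the decision.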

The recent pandemic has added more complexity, however, specifically with the growth of remote work. To the end user, it’s just a laptop or phone that they use to work from anywhere, but to IT departments it’s another, mobile access point – or potential risk.

What’s more, organizations are moving towards a greater use of web services, which presents challenges for logging and monitoring. Much of this traffic will be encrypted under transport layer security (TLS), making it difficult to inspect.

Some benefits are not necessarily for security; zero trust controls can enable a smoother user experience, such as single sign-on (SSO). With this, users only have to enter credentials once, rather than every time they want to use a different app or service. This in turn is far more accessible, and, by default, more secure than having multiple digital accounts or identities to access services.

There is also the chance for more collaboration between organizations with secure access controls applied to your data. Greater control over data access allows companies to grant access to specific data, safe in the knowledge that only the intended audience can view the documents that have been shared.

It can also help businesses grow; digital transformation is an ongoing process, meaning applications, data and IT services are often changed, upgraded or moved around within the corporate infrastructure. Zero trust helps with central management, as well as automated tools and processes, to migrate the necessary security and micro segmentation policies that are needed. Before zero trust, moving apps and data between a private data center and the cloud meant additional administrative steps, such as manually recreating security policies at new locations. Not only is that time consuming, it is also a leading source of errors that result in security vulnerabilities.

There is also a financial incentive for zero-trust architectures and we should even think of them as an insurance policy against lost or stolen data. The cost of a single data breach was recently said to exceed $4 million. In that regard, implementation and management of a zero trust approach can, and should, be viewed as a solid investment.

Zero trust is the gold standard in IT security and no matter what size a business is, it should be taking this approach to securing its data.

Bobby Hellard
