What Is Zero Trust and Why Is it So Important?

On 7th Nov 2018
Zero Trust Security – Idaptive

Zero Trust.

We’re going to be talking about this a lot. Zero Trust security is a foundational element of Idaptive — a philosophical approach to security that we think is essential for every business, organization or entity that has a presence online.

Simply stated, Zero Trust works on the assumption that you can’t separate the “good guys” from the “bad guys.” Traditional approaches that focused on establishing a strong perimeter to keep the bad guys out no longer work. Resources (data, applications, infrastructure, devices) are increasingly hybrid or outside of this perimeter entirely. With Zero Trust, no actor can be trusted until they’re verified. It’s a holistic, strategic approach to security that ensures that everyone and every device granted access is who and what they say they are.

In today’s world, data is spread across an almost infinite number of services, devices, applications and people. It’s not enough to slap a password onto something or set up a firewall or some other kind of perimeter. During his presentation at this week’s Zero Trust Summit, Forrester analyst Dr. Chase Cunningham repeatedly told the audience that in the age of digital transformation, perimeters don’t exist and old approaches to security don’t stack up against the sophistication of today’s threats.

“People will say, ‘We’re doing things. We’re working on it,’” Dr. Cunningham said. “Well, guess what Target’s strategy was before the breach? Protect, detect, deter, respond. Guess what OMB’s strategy was before the breach? Protect, detect, deter, respond. That’s not a strategy. Those are things that you do. Those are pieces of it.

“If you stand up and say, ‘Our security strategy is to work towards a Zero Trust infrastructure.’ There it is,” he continued. “One sentence. Everyone can get behind that.”

The Three Elements

Zero Trust security is actually pretty simple. It is grounded on three core principles: 1. Verify every user; 2. Validate every device; 3. Intelligently limit access. This is, of course, easier said than done; but for organizations that adopt Zero Trust as a foundational security philosophy, it simply becomes how security happens.

Verify every user

Making sure people are who they say they are may sound obvious, but it often goes wrong when organizations rely on only one verification method like single sign-on. Single sign-on (SSO) has a lot of security advantages: users don’t have to type a password each time they want to use or access something, and it cuts down on the number of passwords users have to manage. But what if that one credential gets stolen, or someone doesn’t lock their computer when they get up from their desk? In that case, SSO leads to a security gap.

To avoid this problem, SSO needs to be balanced with other technology such as multi-factor authentication (MFA). While MFA might conjure images of redirection runarounds or fumbling with physical keys, the technology has actually gotten a lot easier and smarter in the last few years. And when combined with SSO, it creates a tight web of security around an organization’s network… but it is still not tight enough. Ultimately you need to balance security and end-user experience — it may still be too much for end users to be constantly prompted for additional factors of authentication.

That’s where a bit of intelligence and context in the form of behavior-based access comes in. Using machine learning and intelligent technology, organizations can start to learn the normal behavior of their employees — and when they detect a deviation from that baseline, can block an employee’s access until they go through another round of authentication.

Validate every device

Nowadays, nearly everyone has their devices locked down with a password of some sort, and that is unequivocally a great thing. Remember, however, that passwords are only one piece of the puzzle. To ensure real safety, devices must also have adaptive MFA to go along with that password.

When MFA-supported passwords are combined with some level of device management, the right policies are put on the device and locked in place, and the context of the device (where it’s used, what browser it has, etc.) is always understood, then it’s safe to make an access decision.

Intelligently limit access

The last element of Zero Trust is understanding who uses an organization’s resources. Ask yourself: Who are we granting access to? What do they need to accomplish their job, and how are we managing that? Make sure that on day one a user is productive: they have access to the accounts they need, and devices are set up with the clients they need. When they change roles, their access likewise changes to fit their new job, and if they leave, those privileges are automatically revoked.

Most importantly, it is essential that all these capabilities are integrated and work together so they can be applied in real time without adding delays to access decisions for APIs, or for users who are logging onto applications.
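The three elements combined into one real-time access decision, as an added sketch (not Idaptive's product logic or code from this post). The role names, baseline data, MFA age threshold and the rule that an unvalidated device is denied are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, STEP_UP, DENY = "allow", "step_up_mfa", "deny"
# Constructed role-to-resource entitlements (hypothetical names).
ENTITLEMENTS = {"engineer": {"git", "ci"}, "finance": {"ledger"}}
# Constructed per-user baseline of usual context (hypothetical data).
BASELINE = {"alice": {"countries": {"US"}, "browsers": {"Firefox"}}}

@dataclass
class Request:
    user: str
    role: str
    resource: str
    sso_valid: bool              # user holds a live SSO session
    mfa_age_min: Optional[int]   # minutes since last MFA, None if never
    device_managed: bool         # enrolled in device management
    device_compliant: bool       # required policies are in place
    country: str                 # device context: where it is used
    browser: str                 # device context: what browser it has

def deviation(req):
    """Count context attributes that differ from the user's baseline."""
    base = BASELINE.get(req.user)
    if base is None:
        return 2  # no history yet: treat every attribute as unfamiliar
    return (req.country not in base["countries"]) + \
           (req.browser not in base["browsers"])

def decide(req, mfa_max_age_min=480):
    """Return (decision, reason) for one access request."""
    # Verify every user: a session must exist at all.
    if not req.sso_valid:
        return DENY, "no valid session"
    # Intelligently limit access: the role must be entitled to the resource.
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        return DENY, "role not entitled to resource"
    # Validate every device: managed and policy-compliant.
    if not (req.device_managed and req.device_compliant):
        return DENY, "device not validated"
    # Adaptive MFA: prompt only when the factor is stale or behavior deviates,
    # rather than on every request.
    if req.mfa_age_min is None or req.mfa_age_min > mfa_max_age_min:
        return STEP_UP, "mfa missing or stale"
    if deviation(req) > 0:
        return STEP_UP, "context deviates from baseline"
    return ALLOW, "verified user, validated device, entitled role"
```

A valid SSO session alone never reaches `ALLOW` here: the same session presented from an unmanaged device is denied, and from an unfamiliar country or browser it triggers another round of authentication.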

The Zero Trust Advantage

So what happens when organizations adopt a Zero Trust strategy? Beyond protecting valuable data by reducing the chance of a breach, there’s also a bottom-line benefit. Studies have shown that Zero Trust approaches result in 50 percent fewer breaches and that companies spend 40 percent less on technology because everything is integrated.

But most importantly, a solid security strategy creates an organization that gets things done. According to a recent Forrester study, companies that adopted Zero Trust were twice as confident in their ability to bring new business models and customer experiences to market. Preventing attacks is great, but making products and experiences that customers love is what makes a company great.

That’s Zero Trust.

– Corey Williams