The traditional way of securing information at companies is by using network-based security. That’s when employees who are located at the office connect to the company network, which is itself safely tucked behind a corporate firewall that filters away malicious incoming traffic from the internet. The method is still the way most information security teams manage their company’s web security today, but lately, a security method known as zero trust has been growing in popularity.
“Zero trust came around about 12 years ago, around 2010,” said Federico Sciammarella, president and CTO of MxD, an organization that is part of a network of innovation centers for advanced manufacturing in the United States. “Zero trust is saying that, even within your [company] walls, you have to assume that something could potentially go bad.”
Should Your Team Transition to a Zero-Trust Security Model?
- Pro: Zero-trust systems prevent attackers from gaining access to multiple resources at a time.
- Con: It may not be possible to achieve a transition to a fully zero-trust security model.
- Pro: Companies that mostly host resources on the cloud will likely have a smooth transition because their security protocols are more flexible.
- Con: Companies that use in-house servers may have more difficulty transitioning to zero trust.
- Pro: Single sign-on works with zero trust and is simple to use for employees.
- Con: Software developers and other employees may need to move to a different method of authentication when security shifts from the network to individual resources.
This model of security is not meant for securing customer-facing data and interactions, but instead for securing employee data and making sure that employees aren’t being hacked and the resources they’re accessing aren’t compromised.
With zero-trust security, information security teams assume that even resources protected by the company network may be compromised. Each resource has its own individual security and authentication process, regardless of whether they reside on a public or a private network.
This security model is a robust and useful strategy against incurring heavy damage during possible cyberattacks, which in recent years have gained sophistication. But successfully implementing zero trust on existing systems is not always easy.
Still, could zero trust make sense for your team? Here’s what to consider first.
Use Zero Trust If Valuable Resources Are Only Protected by the Network
It used to be that employees only had to sign onto their company’s network to feel confident that their work was protected from security breaches. That worked most of the time because company networks were protected by the filtering rules of firewalls that stood between the internal network and the rest of the internet. Even when employees worked remotely, they could simply connect to a corporate VPN and get the same level of protection.
But inside the company’s network, past its firewall, were the company’s private resources. Attackers ultimately want to penetrate into companies for access to resources like databases and access control systems.
“And so while you might have a hardened outside around your network, once you went in through a VPN, everything inside was this soft, chewy center,” said Reed Loden, vice president of security at zero-trust cloud infrastructure company Teleport. “It basically gave you free rein to access all this stuff.”
The problem with securing company resources using a network is the potential for hackers to gain access to large numbers of important resources across a company’s infrastructure if they are somehow able to make it past the outer network defenses. The external network security would, in effect, create a false sense of security among employees, who may not take any additional precautions to secure their data.
If valuable company resources are only protected by a company network, you may want to consider moving to a zero-trust system. To implement a zero-trust system, information security teams move security protocols away from the company network and onto specific resources, like individual databases. That means employees must log into each resource separately to use it, and access rights are granted only to those employees determined to need them, on a resource-by-resource basis.
“The whole concept of zero trust is that there’s no implicit trust,” Loden said.
This way, even if attackers are able to get past the outer layer of network protection, they still won’t gain free rein over all internal information. Each resource is isolated, so the successful breach of one won’t affect the security of other resources. In a zero-trust system, security controls like firewalls and VPNs become less important, although they can still be used in conjunction with zero-trust security.
Single Sign-On Is One of the Authentication Methods Compatible With Zero-Trust Security
Changing to a zero-trust security model can be an adjustment for software developers and other employees who need regular access to company resources — like when making changes to a database, for example. Luckily, zero-trust security can be used alongside single sign-on, which lets users sign into multiple resources using the same set of credentials, and is just as easy to manage as signing on to a company network for employees, Loden said.
Single sign-on providers allow software developers to authenticate to a single service that manages authentication across different resources, making it possible for resources to have their own individual protection while not forcing employees to keep track of different usernames and passwords for each one.
Single sign-on is easy for employees to use, but information security teams can also set up other authentication methods. For an additional level of security, resources can check whether employees are using known physical devices before granting them access. That’s a different type of authentication process than signing on to the company network, which only verifies a user’s location.
“Zero trust’s total concept is that it’s not based on where you are, it’s based on who you are,” Loden said.
By verifying the user’s login credentials along with their device’s identity, security teams can be more confident that the user accessing a resource really is the person the credential was issued to, and that they are cleared to access that resource.
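The contrast described above, written out as an added example (not code from the article, Teleport or MxD): a network-based policy grants access to anyone inside the perimeter, while a zero-trust policy checks the caller’s SSO credential, enrolled device and per-resource entitlement, and records every decision. All user, device and resource names are constructed for illustration.

```python
"""Added example: perimeter policy versus a per-resource zero-trust policy.
Users, devices, resources and requests below are constructed sample data."""
from dataclasses import dataclass

# Constructed directory: who may reach which resource, and which devices
# each identity has enrolled. Nothing here is granted by network location.
ENTITLEMENTS = {"alice": {"orders-db", "ci-server"}, "bob": {"ci-server"}}
ENROLLED_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b7"}}

# Audit trail filled in by authorize(); a real deployment would ship this
# to a log pipeline, but an in-memory list is enough to show the idea.
AUDIT_LOG = []


@dataclass
class Request:
    user: str
    device: str
    resource: str
    on_corp_network: bool  # location: the only thing the perimeter model checks
    sso_token_valid: bool  # assumed to be the SSO provider's verdict on the credential


@dataclass
class Decision:
    allowed: bool
    reason: str


def perimeter_policy(req: Request) -> Decision:
    """Network-based model: being inside the firewall or VPN is sufficient."""
    if req.on_corp_network:
        return Decision(True, "inside corporate network")
    return Decision(False, "outside corporate network")


def zero_trust_policy(req: Request) -> Decision:
    """Per-resource check on who the caller is, not where they are."""
    if not req.sso_token_valid:
        return Decision(False, "invalid or missing SSO credential")
    if req.device not in ENROLLED_DEVICES.get(req.user, set()):
        return Decision(False, "device not enrolled for this user")
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return Decision(False, "no entitlement for this resource")
    return Decision(True, "identity, device and entitlement verified")


def authorize(req: Request) -> Decision:
    """Evaluate the zero-trust policy and append one audit record per decision."""
    decision = zero_trust_policy(req)
    AUDIT_LOG.append({"user": req.user, "device": req.device,
                      "resource": req.resource, "allowed": decision.allowed,
                      "reason": decision.reason})
    return decision
```

An attacker who has reached the internal network with a stolen session but an unenrolled machine passes `perimeter_policy` and fails `zero_trust_policy`, which is the “soft, chewy center” problem Loden describes.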
Cloud-Based Companies Will Have An Easier Time Switching to Zero Trust
Although zero-trust security systems are straightforward for employees to use, they are not the easiest methods of security to implement, especially when a company’s system already has an established security protocol in place, Sciammarella said.
“If you’re starting from scratch, that’s great, because you’ve built zero trust in from the beginning and it makes that process easier,” he said. “If I’m already starting with something, [zero-trust security] may not be achievable in its truest form.”
That’s because some third-party libraries and tools that companies use may not be configurable for zero trust: they don’t let engineers adjust authentication settings or use single sign-on. If those tools are proprietary, it may not even be possible to check whether they are, which makes it impossible to say whether a company has a fully zero-trust system.
The architecture of a company’s systems also affects how easy it is to switch to a zero-trust security framework. Teams that host most of their applications and resources on the cloud may have an easier time transitioning than companies that manage their own in-house servers, because cloud-hosted resources are more easily configurable, Loden said.
“It’s more about the time to transition things over,” he said. “If you have a lot of these systems that were built using the [idea] that network security is the way to access them, it’s just going to take a lot of time and resources to move away from that.”
For companies that do have in-house servers, one option for retrofitting those servers so that they work within a zero-trust system is to add reverse proxies that intercept the authentication process for those servers. That method doesn’t provide complete coverage, because there is still a gap between the proxy devices and the servers, but it gives teams a zero-trust style of security that still isolates resources behind their own individual authentication processes.
You Don’t Need Pure Zero-Trust Systems to Improve Security
There are also side benefits to transitioning to a zero-trust system. Companies often have better logging processes after transitioning to zero trust, according to Loden, which allows security teams to diagnose production problems after they are over.
“You get better auditing and logging as well because you know exactly what’s going on — the application knows who exactly is accessing it because it’s done that authorization and authentication bit,” Loden said.
For teams that decide transitioning to zero trust isn’t worth the time and effort, though, adding separate logging processes is a way to gain some of the same benefits.
Being able to transition to zero-trust security also depends on whether a company’s security team is able to take an accurate inventory of the company’s current security protocols. It’s an important step toward figuring out which parts of the system can be converted to zero trust and how easy it would be to do. An added benefit is that security audits will usually uncover vulnerabilities that companies will want to catch anyway.
“At the end of the day, you want to know where your vulnerabilities are,” Sciammarella said. “So long as you know that, that’s a step forward. Then you can, with your team, decide, ‘OK, do we truly have the resources and time to make it zero trust?’”
Sometimes security teams won’t be able to determine whether certain third-party tools implement zero trust, or will realize that the company infrastructure isn’t capable of transitioning to a fully zero-trust system. But rather than getting hung up on the terminology, Sciammarella said, it’s more important to isolate the most important resources and reap the benefits of knowing more about the company’s security vulnerabilities.