History of the zero-trust concept.
Τhe concepts supporting zero trust are not new. First approach for the perimeter to an organisation’s IT systems was highlighted by the Jericho Forum in 2003. The definition zero trust has been attributed to John Kindervag, an industry analyst at Forrester, whose reporting and analysis helped us to have a clear image regarding to this term. He stated that the most essential case is when:
“In the Zero Trust, all network traffic is unreliable. Thus, security professionals must verify and secure all resources, restrict and strictly enforce access control, and inspect and record all network traffic. ” ‘John Kindervag’
Many years later appearing “clouds” in the field of Information Technology and the first models about the network architecture and security network architecture. New terms appeared such as Zero Trust Architecture, Zero Trust Network, Zero Trust Network Architecture, Zero Trust Security Model. All these terms refer to the network and have the same purpose. Therefore, zero trust aims to solve the inherent problems in placing our trust in the network. Instead, it is possible to secure network communication and access it effectively so that the physical security of the transmission layer can reasonably be ignored.
Nowadays it is true, that network surveillance is ubiquitous and it is difficult to know who we can to trust. Fortunately, we have quite good encryption these days and with the right automation systems, this vision is really possible.
The identity can be encrypted, which means that it no longer matters which IP address any given connection comes from.
With automation removing technical barriers, VPN is virtually obsolete. “Private” networks no longer mean anything special: the hosts there are just as tough as those on the Internet. Thought critical of NAT and private address space, perhaps zero trust makes it more obvious that security arguments for it are invalid.
A user identity is the most critical the architecture of a zero-trust model. Authentication is based on a centrally managed system that authenticates all resources. It essentially includes an ongoing authentication, especially on the network, and automatically notifies any breach of access to their system resources or even behaviour change.
Identity and Zero Trust Models
The purpose of an identity and zero trust model is that trusted identities get access to the applications, systems, networks, and data that they are entitled to, based on their role, to perform their jobs and that trust is verified at every step to ensure the employee is who they say they are.
One of the most famous examples is the traditional Zero Trust architecture model that Google leveraged for their BeyondCorp initiative.
1. User and certificate-based authentication for trusted systems and devices leveraging multifactor authentication and single sign on.
2. An access proxy and access control engine to take the users and their roles, and proxy their access to specific applications, networks, and other resources; the policies that control the access are dynamically adjustable so business operations do not slow down while waiting on IT to adjust the access policies accordingly.
3. A trust engine to infer trust and subsequently allow or deny access based on attributes at each identity type (user, systems, location, etc.).
4. Monitoring, detection, and response across the entire architecture; to include behaviour-based monitoring for users that can help verify the user is who they say they are based on their behaviours (another attribute).
5. Security protection at the endpoint in addition to certificate-based authentication.
Here’s a diagram of their model to help us to understand the zero-trust model:
The Future for Identity and Zero Trust
The future is changing due to the global pandemic. A user’s physical presence in a corporate office building has been reduced or in many cases work from home has been established. Therefore, we understand that organizations can no longer rely on historical parameters, but can control and empower users regardless of their physical location or network location.
So, what if we have a malware intrusion or an “unusual” behaviour?
A good approach is to know when re-certification became necessary due to a malicious or simply unusual event. This includes combining identity technology with application protection technology and APIs.
There are many companies offering zero trust platforms that include identity technology with application protection technology and APIs. The choice depends on the cost, the risk assessment and the number of users in a company or organization.