More security professionals than ever before are starting to rethink the way they approach access control and the security models of interconnected systems and user access, and exploring how Zero Trust can help remediate risk.
They’ve started looking at the entire environment as potentially untrusted or compromised, versus thinking in terms of outside-in attack vectors. They’ve also seen the need for a renewed focus on trust relationships, and user-to-system and system-to-system relationships in general, within all parts of their environment.
In order to implement a Zero Trust architecture model, security and operations teams will need to focus on two key concepts: first, security will almost always need to be integrated into any workloads, so it can move with the instances and data as they migrate between internal and public cloud environments.
Second, the actual behavior of the applications and services running on each system will need to be much better understood, and the relationships between systems and applications will need more intense scrutiny than ever.
Zero Trust is a model in which all assets in an IT operating environment are considered untrusted by default until network traffic and behavior is validated and approved.
The Zero Trust approach does not involve eliminating the perimeter; instead, it leverages network micro-segmentation and identity controls to move the perimeter in as close as possible to privileged apps and protected surface areas.
In addition to these overarching themes, there are three distinct technology elements that comprise a robust zero trust strategy:
- User Identities: role-based access to and integration with applications and services
- Device Identities: ranging from end user equipment to static servers and virtual machines in the cloud
- Network Access: network ports and protocols associated with application use and system-to-system and user-to-system interactions
The Using Zero Trust to Enable Secure Remote Access white paper provides guidance for implementing a Zero Trust architecture based on your organization’s goals, the intended scope of its application and timeframe for implementation, and the technologies available today to successfully implement a Zero Trust access control model.