During the early years of enterprise networking, whether a user or a device on the network should be trusted wasn't given much thought. At least not beyond their initial login. When anyone arrived at work, they'd go to their desktop PC, authenticate themselves with a simple username and password, and essentially be given trusted, full access to the corporate network and software for the rest of the day. This certainly made it easy for workers to access what they needed.
Unfortunately, it also made it too easy for outside attackers — and others with ill intent — to breach enterprise systems and steal data.
It made sense at the time. A couple of decades ago, identity and access management tools ranged from rudimentary to non-existent. Additionally, enterprise networks were digital islands wherein most of the applications at the time either ran on the individual endpoint or were provided by on-premises servers. This meant that enterprise security was very much built on the assumption that everything on the inside of the network should be trusted, and everything outside the network was generally not to be trusted.
That approach worked, somewhat, until interest in eCommerce and the popularity of the web grew exponentially, and the network perimeter began to evaporate. By the early 2000s, this approach to authentication became unwieldy, and enterprises began to embrace additional strategies and technologies to protect their networks, ranging from tighter firewall rules at their perimeters, to installing so-called “demilitarized zones” just outside their network perimeters to conduct certain transactions.
Identity and access management tools of the time also started to mature. History has shown that it all proved largely unmanageable in the end, and new strategies were sought.
The Evolution of Zero Trust
In 2003, an international standards group, the Jericho Forum, started working on a security effort that set the foundations for today's Zero-Trust security philosophy. The Jericho Forum started tackling emergent challenges at the time, such as the web, software-as-a-service (SaaS) applications, and increased staff mobility — all rapidly accelerated the "de-perimeterization" of enterprise networks.
The principles initiated by the Jericho Forum were refined to become Zero Trust — assuming by default that the network is always hostile, that no device or user can be innately trusted, and that a layered combination of processes and technology would evolve to be able to vet users and devices to ensure they are who or what they purport to be. In 2009, a Forrester Research analyst coined the term “Zero Trust.”
Since then, the technologies used to help enforce Zero Trust processes have improved considerably. These include the ability to continuously monitor network traffic, device and user behavior for risky behavior, and signs of malware and malicious activity, whether internal or external. The sheer amount of data on device and user activity that can be captured, stored, and analyzed today brings powerful new capabilities to enterprise Zero Trust efforts.
Consider the advances in artificial intelligence (AI) over the years. Today, AI makes it possible to automatically analyze all user and device behavior data faster than humans could ever hope to do manually. For instance, AI can evaluate user biometrics, the user's location, how they behave regarding their interactions with the network and applications (compared with their past behaviour and actions), plus it can recognize any deviations from that user's typical behavior.
AI can also spot entirely new malware based on the actions it attempts. And should anything suspicious be identified, the suspect user’s access can be limited until the situation is remedied or they can successfully authenticate themselves further.
AI + Zero Trust
Because AI can free up security teams from so much time-consuming manual labor, security analysts and IT teams are freed to focus on higher-level tasks. When deploying Zero Trust, or at least a Zero Trust implementation backed by the right technologies, enterprise security teams can secure and monitor more devices to a higher degree of trust than would have been possible before.
Zero Trust is likely the only way enterprises can hope to manage today’s modern and highly mobile workforce, because for security to be truly adequate, enterprises need to trust their users and their devices no matter where they reside.
It’s great that Zero Trust can provide that advanced security capability for enterprises and security teams, but what does this mean for end-users? To succeed in the enterprise, Zero Trust efforts need to enhance users’ daily work experiences, rather than adding additional barriers to workflow, speed, and productivity. In our next post, we will tackle that with the concept of zero-touch Zero Trust.
Interested in learning more? Read the BlackBerry report on The Inevitable Ascent of Zero Trust for additional insight.