BNMC Blog
Understanding Zero Trust Security and Why It Works
Zero trust security is an invaluable approach that helps significantly boost how protected an organization is against threats. Nevertheless, many people may need to become more familiar with the term or what it entails. Let’s take a few moments to review the concept and clarify how beneficial it can be.
Zero Trust Security: What it Is, and How it Works
You can almost think of a zero trust security strategy as actively implementing the phrase, “Trust no one.”
The development of zero trust security is actually closely tied to the growth of remote work. Back when teams worked at the office, hard stop, it was relatively easy to secure a business network. You could establish a perimeter to keep threats out, reinforce it with a ton of protections, and be confident that everyone inside was confirmed to be a trusted team member.
However, once the Internet advanced to the point where it was relatively accessible outside of the business setting, the idea that work could be done anywhere was too appealing to waste the opportunity—despite this breaching the perimeter. Virtual private networks (VPNs) helped to an extent, but as greater and more powerful threats developed it was soon apparent that a perimetered network simply wasn’t a viable option.
The term “zero trust” actually dates back to 1994, when Steven Paul Marsh included the phrase in a doctoral thesis on computer security for the University of Stirling. This thesis, titled Formalising Trust as a Computational Concept, focused on creating a proposed mathematical model to assist distributed artificial intelligence in its calculations. Greatly simplified, this model seeks to quantify trust so that AI can consider it as another variable.
However, it wasn’t until 2010 that John Kindervag, drawing on two years of effort and research at the research and consulting firm Forrester, produced a report. In this report, No More Chewy Centers: Introducing the Zero Trust Model of Information Security, Kindervag presented the Zero Trust Model.
The Concepts of the Zero Trust Model Should Sound Familiar
Kindervag’s report outlined the three core tenets of the model:
- All resources must be accessed securely, regardless of location.
- Access control and the principle of least privilege must be implemented.
- All traffic needs to be inspected and logged.
These same principles began to appear in new policies and publications, from Google’s BeyondCorp initiative that reinforced the importance of the above tenets (never using the phrase “zero trust,” however) to the standards that the National Institute of Standards and Technology—NIST—proposed in 2020’s publication Zero Trust Architecture.
It is NIST’s report that adds the following assumptions to the above tenets (we’ve added a bit of clarification to each):
- The entire enterprise network is not considered an implicit trust zone.
  As we said before, it isn’t uncommon for an attacker to sit and wait on a network for a while, observing what they can.
- Devices on the network may not be owned or configurable by the enterprise.
  Bring Your Own Device is a common tactic that many businesses use to reduce costs. As a result, networks have expanded past what they used to contain.
- No resource is inherently trusted.
  Spoofing now allows attackers to pose as someone else. That someone else could be anyone from the CEO to the new hire.
- Not all enterprise resources are on enterprise-owned infrastructure.
  While not aligned with best practices, it is safe to assume that some documents exist on individual devices, not the business network. Some of these devices could be those used under a BYOD policy.
- Remote enterprise subjects and assets cannot fully trust their local network connection.
  Whether working from home or traveling, any network could have threats hiding on it. Therefore, the appropriate protections are necessary to protect against these threats.
- Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.
  Regardless of where technology is used, the same practices and safeguards are critical to protect your organization.
When it all comes down to it, it’s less “Trust no one” and more “Protect and verify.”
Zero Trust Security is So Important Today
Security precautions have undoubtedly improved over the years. Unfortunately, the same can be said of the threats that target businesses. At this point, zero trust is practically the only feasible option for a modern business—at least, one concerned with protecting itself, its data, and its customers and clients.
BNMC is here to help. As a part of our managed services, we’ll help you ensure your business’ data and infrastructure are locked down, regardless of where your team works. Learn more about how we can keep you protected by calling (978) 482-2020.