What is Zero Trust?
Zero Trust architecture has experienced a meteoric rise over the past couple of years, and it became a go-to choice for many organizations looking for a reliable security system. This model was first presented in 2010 but gained wide attention a few years later when Google announced that it had implemented this security concept into their business. Despite gaining popularity among big and small companies, Zero Trust model remains relatively unknown among average Internet users. That’s why, before we dig deeper into its security model and implementation of this security system, we must understand what Zero Trust is.
First, let’s take a glance at the history of network security. It has taught us that security systems like Zero Trust provide reliable safety regardless of the size of a company. Massive breaches at the start of this decade proved that the existing perimeter security systems were obsolete and unable to provide maximum security to both users and companies.
So, what is Zero Trust? In simple terms, the Zero Trust network architecture is a model that allows a user to identify a specific “protection surface.” This surface can include particular aspects of a network’s most crucial data, apps, or services. It is a strategy that removes the concept of trust from a company’s security structure. Based on the “always doubt” principle, Zero Trust is created in a way to protect modern digital networks without sacrificing user experience and control.
What is a Security Model?
The Zero Trust security model stands on three core values:
- Easy access to all devices despite their location
- Bottom-up least privileged strategy and strict control
- Strict monitoring of the ecosystem
Judging by these three primary values of Zero Trust security, we can say that this security method requires no changes to existing security measures. Instead, it’s based on the familiar security model upon which most security policies operate. And, when we look at this from the definition of a security model, this makes perfect sense: “A security model is any computer model that’s used to identify and impose security methods. It is a framework on which specific company policy is developed”. While this definition was created years before Zero Trust security, it still applies to this security system, making Zero Trust the most successful example of a network security model to date.
The Technologies behind Zero Trust
The main philosophy behind Zero Trust security is to presume the network is susceptible to attackers from both within and outside. In line with this, the principle of Zero products is to assume that no user or device should be automatically trusted. Following that, Zero Trust security applies a so-called “least-privilege” access model. It means that the user only gets the minimum level of access he needs. This need-to-know basis minimizes the user’s potential exposure to the parts of the network which contain sensitive information. Besides limiting access to users, Zero Trust does the same when it comes to devices. Zero Trust model should monitor how many different devices are trying to access the system, and make sure that every device is authorized, regardless of the user’s previous activity.
Another essential aspect of Zero Trust is Multi-factor authentication. We’ve touched on this topic a few weeks back when we talked about all the benefits MFA brings to its users. To recap it in a few short sentences, MFA requires a user to enter more than one piece of identification when logging into the network. The most popular examples of this are platforms like Google and Facebook, which require the user to enter both the password and code sent to another device, usually to a specific mobile phone number.
The way Zero Trust works means that it is not dependent on a particular location. It has positive and negative sides. The positives are that users can access the data from anywhere: work, home, coffee shops, or even abroad, as long as they verify their identity when logging in. The negative aspect of this falls on the company, and it comes in the fact that the Zero Trust method must be spread across the company’s entire network environment. All of this also means that the workloads are highly dynamic and can move across multiple data centers, regardless if they are public, private, or hybrid.
Should Zero Trust Companies Really Trust No One?
While Zero Trust security has proven to be a very successful network protection model, many security experts suggest that it could operate in a slightly different way. Instead of rejecting all sites, experts suggest that Zero Trust should whitelist trusted and known websites. However, as of now, it is highly unlikely that it would happen, mainly due to two reasons – creating such a system won’t reduce the company’s workload by a significant margin. Moreover, it would increase the potential risk of infiltration through legitimate sites, as malicious ads or malware can infect even trusted sites.
The truth is that limiting access to users and devices sometimes creates obstacles for users, and also requires extra work and resources from the company implementing such a system. On the one side, users must constantly request access, while on the other side, the company’s IT staff must shift its attention from other significant network matters to monitor and investigate user requests. But be that as it may, websites that aim for maximum network security shouldn’t trust any website or user. There is no way of maintaining a 100% effective security system, but implementing such a system is the next closest thing to having one.
Zero-Trust for the Web
As we’ve mentioned at the beginning of this page, Google was the first major company to implement Zero Trust verification. It significantly helped Zero Trust gain prominence in the online world. Since Google mostly relies on its cloud technology, the potential chance of breaches keeps going up as the number of Google employees continued to grow over the years. Google implemented the Zero Trust system with four separate tiers – untrusted, basic access, privileged access, and highly-privileged access. Depending on what level of clearance the device or user has, Google provides an appropriate amount of accessible information.
Other Companies Using Zero Trust
After Google, many other big companies have followed in implementing this security measure. Out of the many big names using Zero Trust security on their networks, we’ll take two very different, but influential companies in their field – Siemens and Kayak. Let’s start with the latter. Kayak is an industry-leading travel search engine with several billion travel-related searches every year. Company structure with employees all around the globe also contributes to a risk of hacker attacks, and other malevolent behavior. Due to this, Kayak uses a Zero Trust security system that limits the potential security risks, both for their employees and visitors.
On the other side of the specter, Siemens doesn’t operate in the same line of business as Kayak. The company’s Digitalization Network is one of the largest manufacturers of digital applications. With that in line, user-experience, reliability, and safety of their platform are some of the most critical aspects of their products. Due to the sheer scale of their business, Zero Trust was the best option to go with for Siemens, as it allowed them to do the exact thing we mentioned before in the article. The company scaled up and divided its cloud-based business into several security models, allowing maximum security to data which requires it.
Hideez also incorporates Zero Trust approach in our products. If you want to know more how we can make your business more secure: