Zero trust security model
The Zero Trust Security Model, introduced by John Kindervag in 2010, represents a fundamental shift in how digital security is approached, moving away from the traditional "trust but verify" methodology to a "never trust, always verify" framework. This model eliminates the assumption that users inside a network can be trusted without ongoing scrutiny, requiring continuous verification of all identities, devices, and services that attempt to access resources. Unlike the conventional castle-and-moat strategy, which allows unfettered access once inside the network, Zero Trust emphasizes repeated authentication, analysis of user behavior, and continuous monitoring of devices.
In a Zero Trust environment, every access request is treated as if it originates from an untrusted network, encouraging rigorous checks at each step. This model is particularly relevant in today’s digital landscape, where remote work and cloud technologies have expanded the attack surface for potential cyber threats. The goals of Zero Trust include authenticating users and devices, logging and analyzing access attempts for irregularities, monitoring the network for malware, and ensuring that legitimate users can still navigate the network efficiently without disruption. Overall, Zero Trust aims to enhance security while maintaining usability, reflecting the evolving challenges of cybersecurity.
The zero trust security model, introduced in 2010 by John Kindervag, is an important perspective used in many modern digital network security systems. It radically changed the traditional approach of “trust but verify” into “never trust, always verify.” In security systems based on zero trust principles, users are not challenged only when they first attempt to access a network. Rather, security tools challenge them repeatedly throughout their use of the network, analyzing their behavior and requiring credentials. Some researchers have characterized this approach as perimeterless security, meaning it moves beyond the old idea of a single defensive perimeter around a network.

Background
Since the early days of networks and remote file-sharing, individuals and organizations have faced concerns about security. Individual computer users may want to protect identity information, such as credit card and Social Security numbers, as well as other private data from outsiders. Organizations of all kinds generally have a significant amount of sensitive data to protect, ranging from client information to intellectual property materials.
Internet and network security have developed alongside digital technology over the years, continually providing users with better and stronger forms of protection. However, over time, these levels of protection inevitably become outmoded or are defeated by hackers or other intruders, putting valuable data at risk.
For much of the digital era, the internet technology industry has relied on perimeter security tools to check and validate any user attempting to enter a network or otherwise access protected data. One of the most common of these is the firewall, network security software that inspects and evaluates any user, human or otherwise, attempting to enter or leave a network. A firewall denies access to any user that fails to comply with its configured security rules.
Firewalls proved mostly sufficient to handle intrusions for many years. Over time, though, the enormous growth and diversification of digital technology meant that even the strongest perimeter security tools were at risk of being defeated by new generations of hackers and by new intrusive technologies and tactics. In particular, the widespread move to cloud technologies, meaning online storage often accessed by many members of an organization, presented new security problems. The use of cloud storage meant that huge amounts of data, much of it sensitive and private, would be stored online and theoretically accessible from any device anywhere in the world. With many workforces spread internationally, and many employees working remotely, the risk of this data being compromised rose to alarming levels. Consequently, traditional forms of security such as firewalls were no longer enough, and many internet security experts sought new alternatives.
Overview
The traditional approach to digital security has been characterized as the castle-and-moat model. In this approach, a cybersecurity system works like guards protecting a castle. It is suspicious of all users outside the network and challenges any user attempting to access it. However, once a user successfully gets into the network, that user is released from further scrutiny and is more or less free to do as they wish. Over many years, this practice of completely trusting any user inside a network contributed to many serious intrusions and cyberattacks. Hackers had to pass only one major security check before they were free to do whatever they desired on a network, including stealing or sabotaging data.
Software engineers searched for new approaches that could minimize this risk. In 2010, one such researcher, John Kindervag of Forrester Research Inc., announced a new model he called zero trust. Shortly after he publicized his ideas, many large companies, including Google and Akamai, adopted them. In time, zero trust principles and tools were introduced on smaller scales for mid-sized and small businesses, as well as for individual computer users.
Engineers have compared the zero trust perspective to an extremely thorough security guard who checks incoming visitors at the gate but then accompanies them during their trip through a town or building, watching them closely and requiring them to prove they have permission to visit each particular room or building every time they attempt to do so. If a visitor fails any security challenge, the guard will deny access, and will likely raise an alert about a possible breach.
Modern zero trust security systems have four main goals. The first is to repeatedly authenticate all users of a network, both on entry into the network and then on each use of the systems or applications within it. In that sense, a single user may have to provide passwords or other forms of clearance many times during one session on a network. Moreover, the system also authenticates the devices the visitor uses to reach the network. If the device is unknown to the system, or is not that user’s usual device, additional security checks are triggered.
The second goal of zero trust security is to gather data on all users and would-be users of a network. The system logs every user, human or otherwise, who tries to enter the network. It then runs various inspections of the accumulated logs, searching for abnormalities that could indicate threats. For example, if a particular user tries to access a network five times in an hour and is rejected every time, that could be a sign of a hacker. Abnormal behavior in or near the network can trigger security alerts and further investigation.
The third goal of the zero trust system is to continually analyze the network and the data therein to ensure that no malware or other harmful intrusive software has been secretly installed. If any breaches are detected, the system will work to contain them and send alerts to cybersecurity teams and any people whose information may be at risk.
Despite all these functions, the fourth goal of the zero trust system is not to impair the use of the network by verified users. Rather, a successful zero trust network is intended to let legitimate users access the programs, apps, data, and other information they require in a fast and reliable manner.
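To make the first two goals concrete, the following is an added illustrative policy-decision function, not code from this article or from any vendor it names. It re-checks identity, device and per-resource permission on every single request, logs each decision, and then inspects the log for the article's "five rejections in an hour" pattern; the user directory, device names and passwords are constructed sample values.

```python
import hmac
from datetime import datetime, timedelta

# Constructed sample directory (hypothetical accounts, not real ones): each user's
# password, the devices the user normally works from, and the resources the user
# may reach. A production system would store password hashes, not plaintext.
USERS = {
    "alice": {"password": "correct-horse", "devices": {"laptop-a1"}, "resources": {"payroll", "wiki"}},
    "bob":   {"password": "hunter2",       "devices": {"desktop-b7"}, "resources": {"wiki"}},
}
FAIL_LIMIT, FAIL_WINDOW = 5, timedelta(hours=1)   # threshold taken from the article's example
ACCESS_LOG = []   # (time, user, device, resource, decision) for every request, allowed or not


def evaluate(user, password, device, resource, when, second_factor_ok=False):
    """Decide a single access request. Nothing is carried over from earlier requests,
    so every call re-checks identity, device and per-resource permission."""
    account = USERS.get(user)
    if account is None or not hmac.compare_digest(account["password"].encode(), password.encode()):
        decision = "deny"        # unknown user or wrong credential
    elif device not in account["devices"] and not second_factor_ok:
        decision = "step_up"     # unfamiliar device: demand an additional factor before going on
    elif resource not in account["resources"]:
        decision = "deny"        # authenticated, but not permitted to reach this resource
    else:
        decision = "allow"
    ACCESS_LOG.append((when, user, device, resource, decision))
    return decision


def suspicious_users(log, now):
    """Inspect the log and flag users with FAIL_LIMIT or more denials inside FAIL_WINDOW."""
    counts = {}
    for when, user, _device, _resource, decision in log:
        if decision == "deny" and timedelta(0) <= now - when <= FAIL_WINDOW:
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= FAIL_LIMIT)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    print(evaluate("alice", "correct-horse", "laptop-a1", "payroll", t0))       # allow
    print(evaluate("alice", "correct-horse", "phone-x", "payroll", t0))         # step_up
    for i in range(FAIL_LIMIT):                                                 # repeated bad logins
        evaluate("bob", "wrong", "desktop-b7", "wiki", t0 + timedelta(minutes=10 * i))
    print(suspicious_users(ACCESS_LOG, t0 + timedelta(minutes=50)))             # ['bob']
```

A "step_up" result is where a real deployment would prompt for a second factor rather than refusing outright, which is how the system stays usable for legitimate users on a new device while still verifying them.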