Zero Trust (ZT) is probably one of the most talked-about topics, terms, or buzzwords on the cybersecurity market today. If you have attended any conference across the globe in the last 2 years in the cyber circuit, it is highly likely that you have run across this Zero Trust “thing”. But what is Zero Trust? Where did the concept and idea originate and why should we be inundated with this onslaught of Zero Trust shenanigans?
What is Zero Trust?
What is the definition of Zero Trust?
Zero Trust is a cybersecurity strategy with two sides: organizations eliminate implicit trust, and instead of trusting users once, they continuously verify the user’s identity. One of the core principles of the concept is ‘Never trust, always verify’. You should not trust everything that is inside the company’s network, and verification is always required from every person who wants to gain access to resources on the network.
A Zero Trust strategy helps organizations protect their environments and is an important aid during a digital transformation. Some core practices are:
Granular control for access requests
Implementing strict verification methods
Avoiding lateral movement
What was the role of the Jericho Forum in the history of Zero Trust?
To understand what Zero Trust is, we must rewind the clock about 16 years to the Jericho Forum. That was a group of academics who were pondering the more tangential issues in network security and how they might apply their brainpower to addressing that pivotal issue.
At that time, nearly two decades ago remember, the most powerful asset to be introduced to the enterprise market was the NGFW, the next-generation firewall. This ‘all-powerful’ device was supposed to be the game-changer in eliminating threats and helping to segment on-perimeter systems and infrastructure. While it was innovative at the time, it was not much more than a high-powered dynamic segmentation tool.
That being the case, the members of the Jericho Forum adopted the research concept of ‘De-Perimeterized Security’. Essentially, this was a focused effort to use that NGFW capability to extend control and segmentation throughout the infrastructure more dynamically, with a focus on more than just a big, high ‘wall’ at the edge of the network. Instead, it would be a series of more granular segments with more focused controls and improved monitoring.
This would be a watershed moment in forward thinking about secure infrastructure, and in truth, no one paid much attention other than the members of the Jericho Forum and one Forrester analyst, John Kindervag.
What was the role of John Kindervag?
John was visionary enough to see that applying this approach was valuable and could change the game for more secure and more controllable infrastructure at scale. John saw the coming power of the cloud and the potential problems that diverse and ever-growing infrastructure might create. He also had the foresight to realize that the world was moving towards BYOD (Bring Your Own Device) as a primary method of futurizing the workspace.
With that realization and his background in network security, John looked for the single most important point of failure in that future state. After a year or so of research, he concluded that the ‘trust’ that was installed and implied within this future state of architecture would be the harbinger of its failure.
Too much default sharing, over connectivity, and unfettered access would be problematic for any enterprise that was compromised, and John knew that compromise was a given, not a possibility.
With that as his basis, John coined the term Zero Trust and began the mission to spread his gospel that ‘trust’ was the most important item to control in any (network) infrastructure, and that at the time the Next Generation Firewall (NGFW) was the way to do that. He promoted a stricter way of handling access control in companies.
And that was where Zero Trust focused for the next decade or so, until around 2017 when technology finally caught up and more practical approaches to modern secure infrastructure became part of the 2020 state of Zero Trust.
Why is 'trust but verify' no longer a valid approach?
As mentioned above, one of the key principles of a Zero Trust model is ‘Never trust, always verify’. But before that, the mantra or approach of many organizations was ‘trust but verify’.
In a Zero Trust Architecture, however, the goal is to avoid lateral threat movement within a network. If you verify someone’s access once and then trust this person (and his possibly compromised device) forever, you cannot avoid a possible cyber attack. The key to Zero Trust network access is to keep verifying before you grant access, in the form of microsegmentation and granular usage control.
The purpose of a Zero Trust network architecture is to address lateral threat movement within a network by leveraging micro-segmentation and granular perimeter enforcement based on data, user and location. This is also known as the “never trust, always verify” principle that defines Zero Trust.
Check out our "AwinguruTalks" podcast with Dr. Chase "Zero Trust" Cunningham!
Is a VPN good to enable Zero Trust Security?
As infrastructure grew and the need for secure connectivity of that BYOD workforce became the standard for the workplace, the VPN became the standard ‘secure’ application that would be adopted to help enable a ‘secure’ remote workforce.
While at first that seemed like a great concept and approach to the problem, in reality, thanks to the massive (data) breaches that exposed usernames and passwords and the nation-state hacks that compromised VPN providers, the VPN became not much more than a hindrance for users at best and a direct pipe for hackers into an entire network at worst.
The VPN didn’t do much more than poke holes in those early Zero Trust systems and simply allowed direct connections into systems for the bad guys. NGFW and segmentation couldn’t fix the issue of a VPN when the connection for a BYOD user was authenticated with a hacked password and administrator privileges. This technology plagued enterprises for nearly a decade.
What are the key principles to a Zero trust security strategy?
Now we arrive at the current state of the art in the industry: Software-Defined Networking, Browser Isolation, and Virtualization of network infrastructure are keys to any future Zero Trust approach. A dynamic space wherein everything can be remote and secure, and the reliance on password-based user authentication, which has failed, can be eliminated.
True Zero Trust infrastructure can finally be deployed because these tools and capabilities have aligned with the reality of what is needed to enable this vital strategic initiative. Using a combination of these important techniques now allows enterprises to adopt the basic tenets of a Zero Trust security model. Further, the use of these key elements will eliminate the default configuration issues that plague secure infrastructure and can simultaneously enable a more dynamic workforce.
Think about how you would want to work, or even better how you would want your employees to work. Especially as we now see that remote work and BYOD are the new standard, not the option, for enterprises.
To have a more ‘Zero Trusty’ enterprise, and one that is easier to actually work within, you would want to eliminate the VPN, push the security control from the internals of the infrastructure outward, and enable continual access as well. And do all that while never impacting the user experience.
Oh, and you would want to use protocols that are ‘harder’ to use for exploitation. This means HTTP instead of RDP. Lastly, you would want to eliminate the issues around old or out-of-date machines that users might want to work on as they operate in your enterprise. That would be incredibly difficult to build out on your own, and that approach would require large investments in time and effort to reach that final state.
How can Awingu help you enable a Zero trust strategy?
With Awingu, users get secure access while never actually being ‘on’ the network, and there is no need for a VPN. This is by far one of the key benefits of the unified workspace, as it reduces the risk of someone ‘bad’ entering the company network from a private network.
By using the dynamic power of virtualized infrastructure combined with browser isolation, the entire workspace for the user is ‘pushed’ to them within a virtual connection. This way you have a secure web gateway available for all users, be they employees or external contractors.
End users can log in via the browser on their devices, which can be managed or unmanaged. They then get remote access to published applications (web applications, SaaS applications and even legacy systems), desktops and files, in HTML5.
No data sits locally, so you can be sure that even sensitive data does not leave the company’s environment. If a user unknowingly works from a compromised device, there is still no direct access to your company assets and organization’s network. So even if you don’t know the device identity, you don’t have to worry about the network security, as IT admins define the access control.
There is no pipe that can be used by malicious hackers, all sessions are encrypted, and multi-factor authentication (MFA) is a built-in default for all customers. Using this capability will certainly reduce risk. With multi-factor authentication you can very easily build an extra layer to secure user access. The user is also continuously authenticated while operating in that secure remote session, and the system is integrated with a Single Sign-On (SSO) capability to make login easy. So user access stays as smooth as before.
As an IT admin, it’s possible to refine user permissions further with capabilities like context awareness and granular usage control. In the admin dashboard, you have access to continuous monitoring of what is happening in the workspace. You can even enable session recording and, like every other capability, define it for certain users or user groups, but also for specific applications or even built-in capabilities. Let’s say that, following your access policies, you only want to grant your external contractors access to the legacy application AS400 when they are in the United States and using MFA? Perfectly possible, any way you want it.
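The contractor policy just described, as an added example that is not Awingu’s own code: a default-deny evaluator that checks user group, application, country and MFA state on every request, so a session that was allowed a moment ago is denied as soon as its context changes (the ‘never trust, always verify’ point from the section above). Rule and request fields, the policy and the session are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset        # user groups, e.g. {"external-contractors"}
    application: str
    country: str             # ISO country code of the current session
    mfa_verified: bool       # did this request carry a fresh MFA verification?

@dataclass(frozen=True)
class Rule:
    application: str
    groups: frozenset        # groups this rule applies to
    allowed_countries: frozenset
    require_mfa: bool

def evaluate(req: AccessRequest, rules: tuple) -> tuple:
    """Default deny: the first rule matching application and group decides,
    and it only allows when every contextual condition holds."""
    for rule in rules:
        if rule.application != req.application or not (rule.groups & req.groups):
            continue
        if req.country not in rule.allowed_countries:
            return ("deny", f"{req.country} not permitted for {req.application}")
        if rule.require_mfa and not req.mfa_verified:
            return ("deny", f"MFA required for {req.application}")
        return ("allow", f"matched rule for {sorted(rule.groups)}")
    return ("deny", "no rule grants access")

def evaluate_session(requests: list, rules: tuple) -> list:
    """Never trust, always verify: each request is judged on its own context,
    never on the outcome of an earlier request in the same session."""
    return [evaluate(r, rules)[0] for r in requests]

# Constructed policy mirroring the text: contractors reach AS400 only from the US with MFA.
POLICY = (
    Rule("AS400", frozenset({"external-contractors"}), frozenset({"US"}), require_mfa=True),
    Rule("AS400", frozenset({"employees"}), frozenset({"US", "BE"}), require_mfa=True),
)

# Constructed session: one contractor, four consecutive requests.
SESSION = [
    AccessRequest("alice", frozenset({"external-contractors"}), "AS400", "US", True),
    AccessRequest("alice", frozenset({"external-contractors"}), "AS400", "US", False),  # MFA lapsed
    AccessRequest("alice", frozenset({"external-contractors"}), "AS400", "DE", True),   # moved country
    AccessRequest("alice", frozenset({"external-contractors"}), "Payroll", "US", True), # no rule
]

if __name__ == "__main__":
    for req in SESSION:
        decision, why = evaluate(req, POLICY)
        print(f"{req.user} -> {req.application} from {req.country}: {decision} ({why})")
```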
Needless to say, Awingu can help you create a Zero Trust environment in a very simple way, to protect your assets and, for example, avoid a data breach. Working with Awingu has reduced security complexity for the IT admins of other organizations. The more complicated the solution or setup, the more that can go wrong.
Is your company implementing a Zero Trust approach, and do you want to simplify your remote access without compromising your most critical assets on the network? Take a look at this unified workspace that can certainly help with the digital transformation in your Zero Trust journey!
About the author
Chief Sales & Marketing Officer