How zero trust protects your company: inside and out

What if you can't trust anyone in or outside your network? Can you still be secure? With the zero trust model, you can.

Remember when you could assume that it was safe inside your network behind the firewall? Those sweet days of IT innocence are long gone. 

The traditional castle-and-moat security model, where users were automatically trusted once inside the firewall, has long been outdated. For example, OneLogin, an identity and access management firm, found in a new study on passwords and the shift to remote work due to coronavirus that nearly one in five remote workers have shared their work device password with someone in their family. And those are only the ones who admitted to it.

Adam Stern, CEO and founder of cloud-service provider Infinitely Virtual, pointed out that many common attacks, such as ransomware, are the "products of inside-out attacks; that is, actions by unsophisticated employees from within the 'moat/gate/wall' paradigm, one that assumes everything inside the moat is safe while everything outside is at risk. The Trojan-horse style attacks, thanks to phishing, have become commonplace."

Ten years ago, John Kindervag, former Forrester Research principal analyst and currently Palo Alto Networks field CTO, saw a need for a new security model: zero trust. He pointed out that there really isn't an inside or outside the firewall in today's IT world. Indeed, the very concept of trust and trusted systems is flawed. Or, as Kindervag put it, "Trust is a vulnerability. It provides no value to an organization, so we need to mitigate trust, just like any other vulnerability, and control access on a need-to-know basis."

Even now, that seems like a radical idea. But it's an idea that's gathered momentum in IT circles. Zero trust is even now on its way to becoming a National Institute of Standards and Technology (NIST) standard. And with the coronavirus pandemic moving workers from offices to their homes, it may be an idea whose time has come.

As Lenny Zeltser, CISO at Axonius, a cloud asset management company, said, "COVID-19 has forced enterprises to transition to a distributed, remote workforce almost overnight. And when rushing to support this type of workforce, security leaders have had to make in-the-moment decisions related to risks that usually would take months, if not years to address, regarding areas such as network trust, perimeter, outside apps and infrastructure, and visibility into major aspects of IT operations."

Therefore, Zeltser continued, companies should consider "using zero trust principles as guidelines to evaluate the current state of your crisis-induced cybersecurity program. It narrows the sphere of trust from large networks protected by a perimeter to components, such as endpoints and users." He concluded, "The architecture was actually developed in response to enterprise trends such as remote users and cloud-based assets, so even if you weren’t sure how to begin your journey toward zero trust, COVID-19 is likely forcing you to advance down this path."

Copyright © 2020 IDG Communications, Inc.
