Cybercrime, phishing attempts, and security hacks are all on the rise worldwide. These data breaches can be costly to businesses and individuals. They leech your valuable time, energy, and information, as well as revenue and finances. Over the next five years, the cost of cybercrime is expected to rise by 15% per year. If trends continue as expected, this will lead to a $10.5 trillion cost annually by 2025.
Enter zero trust cybersecurity. Zero trust is an attempt to meet the moment globally. Zero trust methodology aims to address both the constantly evolving methods of cybercriminals and the shifting needs of businesses, governments, and consumers.
What is Zero Trust Cybersecurity?
Zero trust is similar to a zero tolerance policy, in that it assumes risk can come from anywhere, at any time. Most traditional security models grant some kind of lasting trust to users logging in from recognized networks, locations, or IP addresses. The zero trust model, however, assumes there is no network edge, and therefore there can be no lasting reliability.
Instead, zero trust requires that the credentials of all users, whether inside or outside an organization’s network, be constantly checked, authenticated, and validated. This continual reauthorization is necessary before accessing or downloading any files, applications, or data within the protected network.
Origins of Zero Trust
Zero trust was invented by John Kindervag, widely considered one of the world’s foremost cybersecurity experts. Kindervag is currently Field CTO with Palo Alto Networks after years at Forrester Research. The creation of the zero trust model is attributed to his field work as a cybercrime analyst. It has since been adopted by Google, Coca-Cola, many airlines, and more.
Notably, the zero trust model has also been recommended by the US House of Representatives. After the disastrous OPM data breach, the House issued an official recommendation that all government agencies adopt the zero trust model.
Example of a Zero Trust System
To understand how zero trust works, Google has compared the model to going to the airport. Traditionally, at the airport, you must present your identification and ticket to security before accessing the gates. This would be the equivalent of sharing your IP address (like a passport, to prove who you are), as well as your authorized destination (your ticket, showing where you plan to go). In a zero trust model, every time you log in, you must show these credentials and have them authenticated. Similarly, every time you fly, you have to present the same proofs, even if you have flown from that airport, and to the same destination, before. This re-authentication is what sets zero trust apart from traditional network security, which assumes that users who have logged in (or checked in) once before can continue to be trusted.
Additionally, gate access is restricted in the zero trust model, under this airport metaphor. Gone would be the option to wander freely from gate to gate, once you have presented your credentials once at security. Instead, even authorized users can only access the specific applications and destinations that they requested upon entry. This extra step limits the amount of damage that an impersonator would be able to do, assuming that they were able to evade detection at the initial checkpoint.
Differences Between Zero Trust and VPN Networks
Both VPNs and zero trust can be deployed to enable remote users to access confidential materials. This makes both systems especially helpful as more companies continue to ask employees to work from home. Both VPNs and zero trust models are attempts to manage the increased risk from having so many different remote access points.
However, VPNs and zero trust security manage this risk in different ways. A VPN creates a remote perimeter. It grants access to all authorized users and managed devices that log in through the VPN. Zero trust, by contrast, automatically restricts access for all users, assuming there is no trusted network.
While zero trust is a newer concept in cybersecurity, and thus less proven than VPN technology, it is an attempt to restrict the amount of damage that a hacker can do, once they have gained access to the trusted network created by the VPN.
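The contrast between the two models, and the gate restriction from the airport metaphor, as an added example that is not part of the original article. The signed, expiring, single-application ticket is an assumption standing in for the credential check; the key, application names and address prefix are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"              # constructed signing key (assumption)
APPS = ["payroll", "wiki", "source-code"]  # constructed application names
TRUSTED_NET = "10.0."                      # constructed VPN address prefix


def perimeter_allows(source_ip, app):
    """VPN-style check: anyone inside the trusted network reaches every app."""
    return source_ip.startswith(TRUSTED_NET) and app in APPS


def issue_ticket(user, app, ttl, now):
    """Issue a short-lived ticket bound to one user and one application."""
    expires = int(now) + ttl
    msg = f"{user}|{app}|{expires}".encode()
    sig = hmac.new(KEY, msg, hashlib.sha256).hexdigest()
    return f"{user}|{app}|{expires}|{sig}"


def zero_trust_allows(ticket, app, now):
    """Per-request check: signature, expiry and requested app are re-verified."""
    try:
        user, scope, expires, sig = ticket.split("|")
        expires = int(expires)
    except ValueError:
        return False  # malformed ticket is rejected, never trusted
    msg = f"{user}|{scope}|{expires}".encode()
    expected = hmac.new(KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False  # forged or altered ticket
    return scope == app and now < expires


def reachable(check):
    """List the apps for which the given check returns True."""
    return [a for a in APPS if check(a)]


def demo(now=1_000_000):
    """What one credential can reach under each model."""
    ticket = issue_ticket("alice", "wiki", ttl=300, now=now)
    return {
        "perimeter": reachable(lambda a: perimeter_allows("10.0.4.7", a)),
        "zero_trust": reachable(lambda a: zero_trust_allows(ticket, a, now + 60)),
        "expired": reachable(lambda a: zero_trust_allows(ticket, a, now + 301)),
    }


if __name__ == "__main__":
    print(demo())
```

The difference between the `perimeter` and `zero_trust` lists is the reduction in what a single compromised login can reach.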
Benefits of Zero Trust
Zero trust upends the traditional perimeter security model by restructuring the framework of risk. Some benefits include:
- Portability – The zero trust model can be accessed by users all over the globe. Gone are the physical limitations of needing a dedicated office space and company network.
- Flexibility – A zero trust model has less initial setup for users than requesting access to a VPN, minimizing onboarding time.
- Security – Zero trust is designed to mitigate the risks of network perimeters and to limit the “blast radius” if a breach does occur.
- Invisibility – Despite the multiple authentications necessary, zero trust should be seamless for users. They should be able to sign in and use a strong second factor in order to conduct business as usual.
Evolution of Zero Trust Security
As more businesses and users utilize hybrid cloud technology to store data, zero trust is a necessary evolution within the cybersecurity landscape to help mitigate the associated increased risk. When done correctly, zero trust lives up to its motto of “never trust, always verify” and can create a stronger, safer online experience for companies, governments, and individuals.