The Past, Present, and Future of Zero Trust
There has been a lot of discussion on the topic of Zero Trust (ZT). CSA has been involved in the realm of ZT since 2013, via the Software Defined Perimeter Working Group (now known as the SDP and Zero Trust Working Group). The first SDP Specification was published in 2014, encompassing the principles of ZT. These ZT principles were applied in a few different models, such as DoD’s Dark Cloud or Google’s BeyondCorp. Here are some basics about ZT:
What is Zero Trust
Zero Trust security is an Information Security model that mandates strict identity verification for every user and device trying to access resources on a private network, whether they are sitting within or outside of the corporate network perimeter. Traditional networks trust anyone or anything already inside the network. ZT networks use the “verify, then trust” principle.
The Evolution of Zero Trust
In the old days, once a user or device was granted access to the network, it could access all of the network's resources. For instance, a company would rely heavily on a firewall to thwart malicious access and actors. But once you gained access through the firewall, you could access most if not all of the company’s information (including HR data/PII, company financials, and intellectual property). I think you get the picture of potential vulnerabilities in this approach.
There has been a movement to “defense in depth” in recent years. It is an improved approach that adds a few safeguards. These combined countermeasures (such as NGFW, IDS/IPS, DLP and data encryption) are more effective in reducing the threat surface.
Presently, ZT has burgeoned as an IT security paradigm that provides a much-improved security posture for most enterprises. ZT networks use the “verify, then trust” principle: no one is trusted by default, whether inside or outside the network, and verification is required from everyone trying to gain access to resources on the network.
Zero Trust Resources
Watch this recording from the CSA Research Summit 2022 about the past, present, and future of Zero Trust.
Learn more about Zero Trust by visiting CSA’s Zero Trust Advancement Center.