Zero Trust Framework refers to security concepts and threat models that no longer assume that actors, systems, or services operating from within the security perimeter should be automatically trusted; instead, anything and everything trying to connect to the organization's networks must be verified before access is granted. The term was coined by a security analyst at Forrester Research.
The Zero Trust Framework is a response to the realization that the legacy perimeter security approach is no longer viable. Since the early days of IT infrastructure, enterprises have used perimeter security to protect and gate access to internal resources. The perimeter security model is often compared to a medieval castle: a fortress with thick walls, surrounded by a moat, with a heavily guarded single point of entry and exit. Anything located outside the wall is considered dangerous, while anything located inside the wall is trusted. Anyone who makes it past the drawbridge has ready access to the resources of the castle.
The perimeter security model works well enough when all employees work exclusively in buildings owned by the enterprise. However, with the advent of a mobile workforce and the new concept of working from anywhere, the surge in the variety of devices used by this workforce, and the growing use of cloud-based services, additional attack vectors have emerged that are stretching the traditional paradigm to the point of obsolescence. The perimeter is no longer just the physical location of the enterprise, and what lies inside the perimeter is no longer a blessed and safe place to host personal computing devices and enterprise applications.
Thus, the Zero Trust Framework has drawn on technologies such as multi-factor authentication (MFA), identity and access management (IAM), identity governance and administration (IGA), privileged access management (PAM), orchestration, analytics, encryption, scoring and file system permissions. The Zero Trust Framework also calls for governance policies such as giving users the least amount of access they need to accomplish a specific task.
The Zero Trust Framework assumes that, by default, no traffic within an organization's internal network is any more trustworthy than traffic coming in from the outside. It continually validates users and devices and applies end-to-end encryption between the devices and the resources they seek to access. Users are granted 'least privilege', i.e. only enough access to accomplish the task at hand.
Organizations need to establish the Zero Trust deployment with defined levels of sensitivity and different levels of trust.
Implementation
So how do you adopt this within your organization? It does not matter whether the organization is small, medium or large, or what kind of industry you are in: this applies to all businesses across all verticals.
Traditionally, IAM, IGA, and PAM solutions have been required to meet various compliance requirements, but today they are no longer merely a matter of compliance. Organizations need to adopt and adapt to Zero Trust by bringing all of these together, which also involves the adoption of advanced features that increasingly tap into machine learning and behavior analytics.
In other words, embracing zero trust will involve methodical planning and taking a measured approach to technology adoption.
For most organizations, this will be a journey; we call it getting on a verification continuum.
SailPoint Technologies, an Austin, Tex.-based supplier of IGA systems, has been increasingly using machine learning in this way. “With any of these technologies, you’re looking for the outliers,” said Mike Kiser, global security advocate at SailPoint. “If users in a group all serve similar roles, then they should all have similar levels of access. But if one of my engineers suddenly gets access to a marketing database in Botswana, I probably want to go take a look at that and perhaps remove that access.”
Similarly, Centrify, a Santa Clara, Calif.-based IAM supplier, is honing behavior analytics systems that closely monitor all access requests and keep very close track of specific usage patterns and activities for every user. If an access request by any user turns up that is out of the norm, a policy can be enforced automatically, requiring one of a variety of forms of multi-factor authentication to log on.
“Machine learning allows you to identify these things and take action in real-time,” said Andy Smith, vice president of product marketing at Centrify. “I can look at commands that may be running and identify things that no human looking through logs would be able to identify.”
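As an added illustration of the two mechanisms described above (the peer-group outlier review SailPoint describes and the out-of-norm request that Centrify answers with step-up MFA), here is example code that is not from either vendor; the user names, peer groups, entitlements and device identifiers are constructed sample data, and the 50% rarity threshold is an assumed tuning knob.

```python
from collections import Counter

# Constructed sample data: user -> (peer group, entitlements currently held).
# "dave" is an engineer holding a marketing database entitlement his peers lack.
ACCESS = {
    "alice": ("engineering", {"git", "ci", "prod-logs"}),
    "bob":   ("engineering", {"git", "ci"}),
    "carol": ("engineering", {"git", "ci", "prod-logs"}),
    "dave":  ("engineering", {"git", "ci", "marketing-db-bw"}),
    "erin":  ("marketing",   {"crm", "marketing-db-bw"}),
    "frank": ("marketing",   {"crm", "marketing-db-bw"}),
}

# Constructed sample data: devices each user has previously authenticated from.
HISTORY = {"dave": {"laptop-17"}, "alice": {"laptop-03"}}


def peer_outliers(access, threshold=0.5):
    """Peer-group review: for each user, return the entitlements held by
    fewer than `threshold` of the user's peer group, mapped to the share
    of peers holding them. Users with no rare entitlements are omitted."""
    groups = {}
    for user, (group, ents) in access.items():
        groups.setdefault(group, []).append(ents)
    outliers = {}
    for user, (group, ents) in access.items():
        peers = groups[group]
        counts = Counter(e for peer_ents in peers for e in peer_ents)
        rare = {e: counts[e] / len(peers)
                for e in ents if counts[e] / len(peers) < threshold}
        if rare:
            outliers[user] = rare
    return outliers


def access_decision(user, resource, device, access, history, outliers):
    """Policy decision for one access request: 'deny' when the user holds no
    entitlement, 'step_up_mfa' when the request is out of the norm (a device
    never seen before, or an entitlement flagged as a peer-group outlier),
    otherwise 'allow'."""
    _group, ents = access[user]
    if resource not in ents:
        return "deny"
    unknown_device = device not in history.get(user, set())
    unusual_entitlement = resource in outliers.get(user, {})
    if unknown_device or unusual_entitlement:
        return "step_up_mfa"
    return "allow"
```

Running `peer_outliers(ACCESS)` flags only dave's `marketing-db-bw` entitlement (held by 1 of 4 engineers), and `access_decision` then asks him for a second factor on that resource while his routine `git` access from a known device passes through.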
At the same time, in moving to deploy zero-trust systems, companies should not overlook the usability aspects of any system; most learn quickly how important it is to assess what their employees, partners, and suppliers will tolerate, said Duo’s Nather.
“For CISOs, it’s about trying to find the right balance,” Nather said. “‘How often do I need to ask for these extra factors of authentication? How long can I remember my employee’s device before I have to track it again because the risk has gotten higher?’ Zero-trust enables companies to give a consistent experience to their users, which is important because it will keep them from getting cranky.”