Buzzword or security standard: Zero Trust, Software Defined Perimeter & BeyondCorp
Zero Trust
Zero Trust is a security concept according to which automatic trust is not given to anything inside or outside an organization’s perimeters. Instead, every single connection attempt is verified before being granted access. It’s as if the system says, “We know that we might have seen you many times before, but we still need to make sure that you are who you say you are before we consider giving you any sort of access.” While that might be an oversimplification of what’s actually going on in a Zero Trust environment, it’s an accurate description of the concept – ‘never trust, always verify.’
Former principal analyst at Forrester Research, John Kindervag, coined the concept of Zero Trust, and the advantages are great: gaining control of your IT network and all the resources in it, reducing the risk of a data breach, assisting with compliance procedures, and increasing business speed while alleviating business frictions. When implemented correctly, Zero Trust architecture can empower the business, making security decisions based on contextual and real-time data and supporting digital transformation, which leads to increased agility and speed to market.
When a Zero Trust architecture is in place, the following questions are being asked: who is the user? Can the user be authenticated with our existing authentication methods? What device is being used and what is its security state? Is it a known and protected device or is it a risky one that may be malware infected? And lastly, what application is the user trying to access? Does this request comply with our security policies? These inquiries take place on every access attempt because no user or device are trusted.
But be aware that Zero Trust is not the kind of project that an organization can quickly create for itself and then set-and-forget. It takes planning and strategy and involves different security measures and techniques.
BeyondCorp
BeyondCorp is Google’s interpretation of Zero Trust. The BeyondCorp initiative was born from the understanding that “with the advent of a mobile workforce, the surge in the variety of devices used by this workforce, and the growing use of cloud-based services, additional attack vectors have emerged that are stretching the traditional paradigm [of perimeter security] to the point of redundancy.”
Google’s BeyondCorp is a perimeter-less network IT infrastructure that is based on user and device authentication and authorization and provides users with access permissions to specific applications on an ad-hoc basis. No more firewalls. No more VPNs. The permissions are granted based on individual devices and users’ identity and security posture. BeyondCorp enables security policies to be flexible, scalable, and manageable.
Brilliant as it is, regrettably, not every organization has the knowledge, expertise, resources and time to implement a BeyondCorp-like IT infrastructure. Organizations have to have big budget and manpower to develop, build and maintain their own BeyondCorp-like architecture that is suited to their specific situation. This can be a major challenge, especially for smaller businesses that don’t have those kinds of resources.
Not-So-Quickly Disappearing Buzzwords
SDP, Zero Trust, and BeyondCorp are assuredly the top network security buzzwords flying around the Infosec space today. But we believe they will not be fly-by-night security concepts that quickly disappear.
So when you are trying to come to grips with the plethora of network security solutions out there, take the time to further explore these three security concepts to ensure that whatever approach you end up going with is robust, scalable, agile, and most importantly – security-strong.
*** This is a Security Bloggers Network syndicated blog from Luminate Blog authored by Adi Bar-Lev. Read the original post at: https://blog.luminate.io/sdp-vs.-zero-trust-vs.-beyondcorp