Zero trust security: What is it?

Never trust, always verify.

Introduction: A short history of security and access control

The development of cloud computing placed many applications at a turning point.

Let’s start with an example. Back in the early- to mid-‘00s, Enterprise Rights Management software (ERM) began to struggle. ERM was developed to solve the issues of controlling enterprise content, such as in a Word document. Once the network perimeter was no more, it became more difficult to control content.

One of the issues was in the access control measures offered to manage content access. If you have no perimeter, you need to have mechanisms other than employee directories to control content access. As a consequence, ERM changed to accommodate functionality that was more cloud-appropriate — expanding its range of identity methods to control content access.

The dissolution of the network perimeter caused many changes in the way we approached cybersecurity — access control being only one of them. We could no longer rely on perimeter-hardening tools like traditional firewalls. We had to expand how we connected and, in doing so, opened the landscape to malicious others. New ways of looking at cybersecurity had to be developed. Zero-trust security was one such model — but what exactly is it?

What is meant by zero trust security?

Back in 2010, analyst John Kindervag of Forrester developed the framework for a zero-trust security architecture. The key feature of this architecture was to use a “data-centric” model — that is, knowing where your data is at any juncture, mapping the flow of the data through a network and beyond. The idea was to change how we trust transactions across a network, with the starting point of all network traffic being untrusted.

In 2018, the original zero trust architecture model was updated by Forrester. This new model is known (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Susan Morrow. Read the original post at: