Zero trust is gaining momentum. Understanding what zero trust is, and how to improve it, is imperative to cybersecurity.

The zero-trust model was created by John Kindervag in 2010, when he was a principal analyst at Forrester Research Inc. The zero-trust architecture is a powerful, holistic security strategy that is helping to drive businesses faster and more securely.

What is a Zero Trust Architecture?

A zero-trust architecture eliminates the idea of a trusted network inside a defined perimeter. In other words, it is a security model that focuses on verifying every user and device, both inside and outside an organization’s perimeters, before granting access. The zero-trust model:

• Assumes attackers are already lurking on the network
• Trusts no environment more than any other
• Assumes no implicit trust
• Continually analyzes and evaluates risks
• Mitigates risks

The zero-trust approach is primarily focused on protecting data and services, but it should be expanded to include all enterprise assets (devices, infrastructure components, applications, virtual and cloud components) and subjects (end users, applications, and other non-human entities that request information from resources).

Why Is a Zero Trust Network Important?

In the past, perimeter security approaches followed a simple paradigm: “Trust but verify.” While the user experience was better, evolving cybersecurity threats are now pushing organizations to reexamine their postures. In recent years, a typical enterprise infrastructure has grown increasingly complex and is outpacing perimeter security models.

Examples of these new cybersecurity complexities include:

• An enterprise may operate several internal networks, remote offices with local infrastructure, remote and/or mobile users, and cloud services
• Complexity has exceeded legacy methods of perimeter-based network security
• There is no more single, easily identifiable enterprise perimeter
• Perimeter-based network security is now insufficient – once attackers breach the perimeter, their lateral movement is unimpeded

Along with these complexities, securing the network perimeter is insufficient because apps are now on multiple cloud environments, with 81% of enterprises having apps with at least two cloud providers (IBM Mobile Workforce Report). Also, global remote work trends continue, with 65% of workers citing they would like to continue to work from home or remotely (Gallup Survey). Furthermore, global mobile workforce growth continues, as indicated by Gartner’s Why Organizations Choose a Multicloud Strategy report, which estimated there would be 1.87 billion mobile workers globally by 2022.

Scott Rose from NIST addresses the future trends of Zero Trust from a recent F5 Panel Discussion

How to Achieve a Zero Trust Architecture

First, a successful zero trust model should provide visibility for all traffic – across users, devices, locations, and applications. Additionally, it should enable visibility of internal traffic zoning capabilities. You should also consider having the enhanced ability to properly secure the new control points in a zero-trust environment.

The right access policy manager secures, simplifies, and centralizes access to apps, APIs, and data, no matter where users and their apps are located. A zero-trust model validation based on granular context-and-identity awareness, and securing every application-access request, is key to this and should continuously monitor each user’s device integrity, location, and other application-access parameters throughout their application-access session.

Having a robust application security portfolio in a zero-trust approach is also important. The right solutions can protect against layer 7 DoS attacks through behavioral analytics capability and by continuously monitoring the health of your applications. A credential protection to prevent attackers from gaining unauthorized access to your users’ accounts can strengthen your zero-trust security posture. Plus, with the growing use of APIs, you need a solution that protects them and secures your applications against API attacks.

How Does F5 Handle Zero Trust

F5 leans heavily on the NIST Special Publication 800-207 Zero Trust Architecture when it comes to our efforts around zero trust, because it provides industry-specific general deployment models and use cases where zero trust might improve an enterprise’s overall information technology security posture. The document describes zero trust for enterprise security architects and aids understanding of zero trust for civilian unclassified systems. In addition, it offers a road map for migrating and deploying zero trust security concepts to an enterprise environment.

F5 and zero trust tenets - Continuous security improvements

Collecting info on current assets, network infrastructure, and communications state to improve your security posture is critical to zero trust improvements. We recommend following these steps to guide your organization in this process:

• Continuously review and assess access, threats, and trust
• Provide visibility into application access and traffic trends, aggregate data for long-term forensics, accelerate incident responses, and identify issues and unanticipated problems before they can occur
• Initiate quick action, if required, including the termination of specific access sessions
• Deliver a fast overview of access health

F5 can specifically help you deploy an effective zero trust model that leverages our Trusted Application Access, Application Infrastructure Security, and Application Layer Security solutions.  Learn more here.