Zero trust is gaining momentum. Understanding what zero trust is, and how to improve it, is imperative to cybersecurity.
The zero trust model was created by John Kindervag in 2010, when he was a principal analyst at Forrester Research Inc. The zero trust architecture is a powerful, holistic security strategy that is helping to drive businesses faster and more securely.
A zero trust architecture eliminates the idea of a trusted network inside a defined perimeter. In other words, it is a security model that focuses on verifying every user and device, both inside and outside an organization’s perimeters, before granting access. The zero trust model:
The zero trust approach is primarily focused on protecting data and services, but it should be expanded to include all enterprise assets (devices, infrastructure components, applications, virtual and cloud components) and subjects (end users, applications, and other non-human entities that request information from resources).
In the past, perimeter security approaches followed a simple paradigm: “Trust but verify.” While the user experience was better, evolving cybersecurity threats are now pushing organizations to reexamine their postures. In recent years, a typical enterprise infrastructure has grown increasingly complex and is outpacing perimeter security models.
Examples of these new cybersecurity complexities include:
Along with these complexities, securing the network perimeter is insufficient because apps are now on multiple cloud environments, with 81% of enterprises having apps with at least two cloud providers (IBM Mobile Workforce Report). Also, global remote work trends continue, with 65% of workers citing they would like to continue to work from home or remotely (Gallup Survey). Furthermore, global mobile workforce growth continues, as indicated by Gartner’s Why Organizations Choose a Multicloud Strategy report, which estimated there would be 1.87 billion mobile workers globally by 2022.
First, a successful zero trust model should provide visibility for all traffic – across users, devices, locations, and applications. Additionally, it should enable visibility of internal traffic zoning capabilities. You should also consider having the enhanced ability to properly secure the new control points in a zero trust environment.
The right access policy manager secures, simplifies, and centralizes access to apps, APIs, and data, no matter where users and their apps are located. A zero trust model validation based on granular context-and-identity awareness, and securing every application-access request, is key to this and should continuously monitor each user’s device integrity, location, and other application-access parameters throughout their application-access session.
Having a robust application security portfolio in a zero trust approach is also important. The right solutions can protect against layer 7 DoS attacks through behavioral analytics capability and by continuously monitoring the health of your applications. A credential protection to prevent attackers from gaining unauthorized access to your users’ accounts can strengthen your zero trust security posture. Plus, with the growing use of APIs, you need a solution that protects them and secures your applications against API attacks.
F5 leans heavily on the NIST Special Publication 800-207 Zero Trust Architecture when it comes to our efforts around zero trust, because it provides industry-specific general deployment models and use cases where zero trust might improve an enterprise’s overall information technology security posture. The document describes zero trust for enterprise security architects and aids understanding of zero trust for civilian unclassified systems. In addition, it offers a road map for migrating and deploying zero trust security concepts to an enterprise environment.
Collecting info on current assets, network infrastructure, and communications state to improve your security posture is critical to zero trust improvements. We recommend following these steps to guide your organization in this process:
F5 can specifically help you deploy an effective zero trust model that leverages our Trusted Application Access, Application Infrastructure Security, and Application Layer Security solutions. Learn more here.