Part 1 of 2

In 2010, Forrester introduced the concept of “The Zero Trust Network.” Essentially, Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything that tries to connect to their systems before granting access. It is a fundamentally different approach that challenges organizations to change their thinking about holistic security.

Now, seven years later, CIOs, CISOs and other corporate executives are starting to embrace Zero Trust as the breakthrough for effectively preventing and stopping large scale breaches.

At Waverley Labs, we commend Forrester for introducing the “trust nothing, verify everything” approach. But it should be noted that Zero Trust has key limitations and should be redefined to be truly effective.

According to Forrester, there are three main concepts of Zero Trust:

  • When you eliminate the concept of trust from the network, it becomes natural to ensure that all resources are securely accessed — no matter who creates the traffic or from where it originates. You’ll ensure all resources are accessed securely, regardless of location or hosting model, including cloud, on-premises or colocated resources.
  • By adopting a least privilege strategy (LPS) that enforces access control, you eliminate the human temptation to access restricted resources.
  • Zero Trust allows you to continuously inspect user traffic for signs of suspicious activity and log and analyze all network traffic. This detects unauthorized access attempts, reduces noise for improved security analyst efficiency and provides compliance reporting needed in today’s highly regulated landscape.

The fundamental problem is that Forrester’s definition of Zero Trust addresses security and access controls from a network perspective. At the same time, it’s interesting to see that Zero Trust solutions are increasingly employing Software Defined Perimeters (SDP), which are similar in definition but with one very important differentiation: SDPs go one step further, rendering the infrastructure invisible to all but authorized users.

A software-defined perimeter (SDP) dynamically creates one-to-one connections between every authorized device, user and the data they access. It addresses the perimeter-less enterprise and is built on three core principles:
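To make the contrast concrete, here is a small added Python model (my own illustration, not code from the original post or from Waverley Labs) of the three Forrester concepts above and the SDP differentiation: every request is verified against an explicit least-privilege grant table regardless of where it originates, every attempt is logged for later inspection, and a denied caller gets nothing back at all, whereas a location-based perimeter trusts insiders and answers outsiders with an explicit refusal that reveals the resource exists. The users, devices and resource names are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    resource: str
    location: str  # "internal" or "external"; the Zero Trust policy deliberately ignores it


# Least-privilege grants as explicit (user, device, resource) triples.
# Constructed sample data, not a real deployment.
GRANTS = {
    ("alice", "laptop-01", "payroll-db"),
    ("bob", "laptop-02", "wiki"),
}


@dataclass
class SdpGateway:
    grants: set
    audit_log: list = field(default_factory=list)

    def handle(self, req: Request):
        """Verify every request against the grant table, regardless of origin.
        Returns a one-to-one connection string on success, None on denial."""
        allowed = (req.user, req.device, req.resource) in self.grants
        self.audit_log.append((req.user, req.device, req.resource,
                               req.location, "ALLOW" if allowed else "DROP"))
        if not allowed:
            return None  # silent drop: the resource stays invisible to the caller
        return f"{req.device}->{req.resource}"


def perimeter_firewall(req: Request) -> str:
    """Contrast: a location-based perimeter trusts anything internal and
    answers outsiders with an explicit refusal, which confirms the target exists."""
    if req.location == "internal":
        return f"{req.device}->{req.resource}"
    return "403 Forbidden"


def denied_attempts(log) -> Counter:
    """Continuous inspection: count denied attempts per user from the audit log."""
    return Counter(entry[0] for entry in log if entry[4] == "DROP")
```

Running a few requests through both functions shows that the SDP gateway treats an internal and an external request identically, while the perimeter model lets an unknown internal device straight through.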

Check back next week. In Part 2 I will describe how an SDP is the only way to effectively accomplish Forrester’s concept of Zero Trust.