Zero Trust in Cyber Security

“Don’t trust anyone”. You might have heard this often in movies, and even use it in your daily lives. It is kind of sad to hear this expression because it means there are often times we could be betrayed by those whom we trusted. Unfortunately, similar things also have been happening in the world of cybersecurity, and a new terminology “Zero Trust” has become the latest cybersecurity buzz word.

Both “Zero Trust” as well as “Untrust and Always Verify” imply the principle that previously trusted things must be checked and allowed to be used only after verification. Although the IT term seems to be clearly defined, we might not understand exactly what it means when it is applied to cybersecurity in today’s society, so let’s take a real-world example.

Have any of your employees been working more from home due to COVID-19? According to a survey of 127 human resources managers conducted by the leading market research firm Gartner in June 2020, 82 percent of companies and organizations surveyed said they allow at least some work from home, while 47 percent said they allow work exclusively from home. As a result of this huge increase in the workforce working from home, there has been an accompanying huge spike in remote access to corporate internal networks via personal PCs or smartphones during the Pandemic. The problem is though, as you might already know, that individual devices can be very vulnerable to cyber-attacks. It is much more difficult to ensure security when individual devices instead of the devices managed within the corporate network are being used. This presents a challenge as we still have to work by allowing corporate server access from external individual devices of employees working from home. Then, how can we enhance the security by applying the Zero Trust principle or approach in this circumstance? Changes can be implemented in “Authentication”, or “logging in”. Authentication is used very frequently so one might think changing your authentication, your password, is a very obvious step. However, the change we mean here is setting up one or more additional steps for authentication.

Diagram of Existing and Zero Trust network setting

Diagram 1) shows the current way to access internal server from individuals working from home, and 2) shows an example of applying the Zero Trust principle to this environment. What’s the difference? In the case of the former, the authentication was directly conducted on the security equipment and then the individual can immediately access the corporate internal server. In the case of the latter example, multi-step authentication prevents immediate access to corporate internal server from untrusted devices by operating the authentication on a separate certificate server, thereby protecting against direct attacks and minimizing exposure to security threats.

This is a good start. However, in order to achieve a true Zero Trust environment for protection , the Zero Trust principle should be implemented beyond the authentication process. The multi-step authentication completely trusts users and computer devices that have previously passed the authentication, which contradicts the Zero Trust principle! Under the Zero Trust principle, we have to constantly doubt devices even after they are connected to the internal server. We need to “monitor” devices even after they have gained access to the internal server. We will cover exactly how the monitoring can be conducted in the next blog post. Then, after understanding the role of authentication, monitoring (visibility), and minimum access, one will be able to build a systematic Zero Trust environment!

Below is some background on John Kindervag who contributed to the origin of the term Zero Trust.

Zero Trust was created by John Kindervag, during his tenure as a vice president and principal analyst for Forrester Research, based on the realization that traditional security models operate on the outdated assumption that everything inside an organization’s network should be trusted.

I have served as CEO of NPCore, Inc. from November 2008 to the present with an extensive career of more than 20 years in the cybersecurity industry.