As more products and solutions are labeled “Zero Trust”, it is important to look beyond the advanced technologies, and the marketing terms of course, and examine what customers can actually get.
The challenges prompting the adoption of “Zero Trust” are generally understood to be the mobile workforce, BYOD (bring your own device), cloud services, and insider threats. While insider threats are highlighted from a security perspective, a good “Zero Trust” solution should advance the business as well as improve user experience and productivity.
Business first. Security has always been treated as a cost center, and just as with any other solution, the cost of deploying a “Zero Trust” solution should be outweighed by the benefit it introduces. More than that, we should expect a “Zero Trust” solution to really empower the business, as an enabler that frees users and administrators from the inconveniences and worries that come with the adoption of a mobile workforce, BYOD and cloud services. Make it work, and make it simple.
- Users can always get access to legitimate resources, from anywhere, on any device, at any time
- Resources can be introduced and managed according to business requirements, at any place, from any vendor, in any form
- Administrators can have sufficient control, e.g. setting fine-grained policies, and full visibility, knowing what is happening and what to do next
Flexibility and scalability. When we talk about making perimeter-based security obsolete, the major driving forces are mobile and cloud, along with the openness and dynamics they bring. The business benefits from them, so any “Zero Trust” solution has to live with them, and a good solution is expected to promote them.
- To get access to some critical resources, it may be mandatory for users to be at a certain location, at a certain time, and using certain devices, but this certainly does not apply to all users and all resources. A good “Zero Trust” solution should also allow a user to do some work even when she is on vacation and using a friend’s smartphone.
- While “Zero Trust” solutions come with centralized management, users and resources are distributed across different locations. Because the business may request adding or removing locations or capacity, a good solution should support elastic deployment, scaling up or down, and be resilient enough to provide continuous service.
Just enough. At the core of “Zero Trust” is the principle of least privilege. While a lot of “Zero Trust” solutions claim to have dynamic access control and continuous risk assessment, a good solution will be more proactive at reducing the attack surface and managing information disclosure. Trust is privilege, knowledge is power.
- A key reason to introduce a “Zero Trust” solution is that, with the adoption of mobile and cloud, the attack surface of an enterprise network is too broad and vague for a perimeter-based defense to be set up. As a result, SDP (software defined perimeter) was introduced, significantly reducing the attack surface, and it soon became popular in “Zero Trust” solutions. Although some “Zero Trust” solutions may not strictly follow the SDP specification from CSA (Cloud Security Alliance), reducing the attack surface is a common goal. A good solution can reduce the attack surface to a minimum and have it clearly defined for visibility and maintenance.
- When talking about the privilege to access a resource, we usually focus on whether to grant access and which actions will be allowed or blocked; however, information about the resource, such as its address, its host name, or attributes that reveal the organization or network structure, can be very useful to an attacker trying to penetrate the network and cause damage. While enabling users to get their jobs done, a good “Zero Trust” solution should empower administrators to control what information is presented to users as well as to administrators: just enough information, varying with the situation.
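To make the two points above concrete (context-dependent access under "Flexibility and scalability" and controlled disclosure under "Just enough"), here is an added sketch, not code from any product or from the original post, of a policy decision that returns both the verdict and the only view of the resource the caller may see. The resource record, the tier names and the `Context` fields are all hypothetical.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample resource record; every name and value is hypothetical.
RESOURCE = {"label": "Payroll", "address": "10.20.30.40",
            "hostname": "payroll-db01.corp.example", "owner_unit": "Finance/HQ"}

@dataclass(frozen=True)
class Context:
    authenticated: bool
    role: str             # "user" or "admin"
    managed_device: bool  # enrolled, healthy corporate device
    location: str         # "office" or "remote"
    at: time              # local time of the request

def business_hours(c):
    return time(8, 0) <= c.at <= time(18, 0)

# Ordered tiers, first match wins: (name, condition, allowed actions, disclosed fields).
TIERS = [
    ("full", lambda c: c.role == "admin" and c.managed_device and c.location == "office",
     {"read", "write", "configure"}, set(RESOURCE)),
    ("standard", lambda c: c.managed_device and business_hours(c),
     {"read", "write"}, {"label", "hostname"}),
    ("limited", lambda c: True,  # any authenticated user, any device, anywhere
     {"read"}, {"label"}),
]

def decide(ctx, action, resource=RESOURCE):
    """Return the decision plus the only view of the resource this caller may see."""
    if not ctx.authenticated:  # default deny, and disclose nothing
        return {"allowed": False, "tier": None, "view": {}}
    for name, condition, actions, fields in TIERS:
        if condition(ctx):
            view = {k: v for k, v in resource.items() if k in fields}
            return {"allowed": action in actions, "tier": name, "view": view}
    return {"allowed": False, "tier": None, "view": {}}

if __name__ == "__main__":
    vacation = Context(True, "user", False, "remote", time(21, 30))
    roaming_admin = Context(True, "admin", False, "remote", time(21, 30))
    office_admin = Context(True, "admin", True, "office", time(10, 0))
    for who in (vacation, roaming_admin, office_admin):
        print(who.role, who.location, decide(who, "write"))
```

The administrator on an unmanaged device lands in the same `limited` tier as the vacationing user, so the address and organizational attributes stay hidden even from a privileged role when the context does not justify them.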
Even though adoption is still at an early stage, it is becoming clear that “Zero Trust” is the next big thing in security. I am pretty optimistic that the networking infrastructure of most enterprises will evolve and finally be rebuilt with good “Zero Trust” solutions.