As the heir apparent to traditional perimeter-based security architectures, zero-trust networking has the potential to fundamentally change the way security is done in the coming years – though it won’t be easy, and there is a lot of work to be done.
Historically, the fundamental security model was to erect a ‘perimeter’ around the corporate network and assume anyone inside was ‘trusted’ and anyone on the outside was ‘untrusted.’ Cue worn out security clichés and metaphors: ‘crunchy on the outside, soft and chewy on the inside,’ ‘moat and castle,’ among others. This model has come under increasing attack for two primary reasons: the perimeter has become less effective, and the perimeter has become less relevant.
In the former category, the obvious charge is that attackers have become quite adept at bypassing network security controls by direct attacks, but also increasingly by phishing, social engineering or by attacking third parties with network access as the weakest links in the chain. The growing use of encrypted traffic has also created a significant blind spot for security approaches that rely on inspecting network traffic. And under this model, once they get inside, attackers have pretty much free rein to move laterally until they find the high-value targets they are after.
In the latter, there is the matter of the rise of mobile computing and BYOD as well as cloud-based applications. Further, our users are no longer behind the firewall. Employees may work from home permanently, or maybe for just a few days a week, or maybe at night or on the weekends. And the definition of what constitutes an ‘employee’ is changing – modern firms increasingly rely on part-time contractors, outsourcers, 1099 employees or others in addition to traditional employees who sit behind a desk in the office five days a week. To take an extreme example, a user (employee, partner, supplier, etc.) could be accessing a corporate application hosted in the cloud (maybe a SaaS app or a custom app built on IaaS, PaaS or private cloud) with an unmanaged device from a Starbucks – at no point will either the user or the device traverse the internal network or network security controls.
Such criticism is certainly not new, and claims that ‘the perimeter is dead’ are likely overcooked since things like firewalls and IPS devices will never go away. Yet despite the obvious limitations of the perimeter-based approach, we still spend a large percentage of our security budgets on network-based approaches to security. However, a new model that does away with the notion of ‘inside’ and ‘outside,’ and more importantly, the very notion of ‘trust,’ is rapidly gaining attention. In this new model, nothing is assumed to be trusted and access to resources is based more on who the user is than where the user is. This new model currently goes by a variety of names, including ‘zero
This Technology & Business Insight report on zero trust and the challenges and impact on the overall practice of cybersecurity is based on a combination of insights and data gathered through direct interviews with each of the vendors mentioned in the report (with a few exceptions) spanning a wide variety of vertical applications and our analysts' deep experience in the cybersecurity industry. The full report includes:
- The history of Zero Trust: examine the various components, use cases, benefits and challenges of Zero Trust including a look at the 'Zero-Trust Funding Conundrum'
- M&A trends and partnership landscape: a look into these UAC trends that will drive further convergence in the ecosystem