Zero Trust: Not As Scary As It Sounds
If the term Zero Trust has been popping up in your news feed with astonishing frequency lately, you may be tempted to think that Zero Trust must be a brand-new technology cooked up in a research lab at MIT and powered by the latest artificial intelligence, machine learning, quantum computing, and a 1.21 gigawatt flux capacitor. In this and subsequent blog posts, I want to make the case that, in fact, Zero Trust is all about simplicity, and that at its core, Zero Trust is a strong form of the age-old principle of least privilege.
Zero Trust now garners significant attention, and that attention is a good thing, because Zero Trust really can deliver a better security outcome for enterprises and government agencies of all sizes. In fact, the recent Executive Order on Improving the Nation's Cybersecurity issued by the White House features Zero Trust quite prominently.
The order says, "To keep pace with today's dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity." The order goes on to identify some of those steps, including "The Federal Government must adopt security best practices; advance toward Zero Trust Architecture." This order is a strong endorsement of Zero Trust and the prominent role that it can play in protecting the nation from malicious cyber actors.
The White House executive order also says that "the Federal Government must lead by example," but in some ways the private sector has already shown the way, with numerous enterprises having implemented Zero Trust or being well down the path to implementing it. We have seen many case studies, including those that we at Akamai have written about our own experience implementing Zero Trust using our own products. Maybe the earliest example that I know of comes from Google, though they didn't call it Zero Trust; they called it BeyondCorp.
Zero Trust is gathering momentum, and recently, in the wake of some high-profile cyberattacks, we have seen numerous articles pointing out how a Zero Trust approach could have thwarted these attacks. In many attacks, malware gets into the enterprise by phishing or by exploiting a vulnerability in an exposed server. Once in, the attacker moves laterally within the enterprise, using whatever network access the compromised machine already has, to find high-value targets. This is exactly how ransomware finds the data it can encrypt before demanding payment for the decryption key. As we see with alarming regularity, there is no lack of vulnerable, exposed servers and no lack of ransomware victims. Many readers can probably cite several examples off the top of their heads.
Fortunately, Zero Trust really can make a difference here. The basic idea is that users can access only the applications they need, and only after they have been strongly authenticated and explicitly authorized. In fact, with Zero Trust access, users cannot even see an application, let alone connect to it, until they have authenticated and been granted access to that specific application; the application itself is never exposed to the network at large, so it is not reachable by an attacker scanning for something to exploit. In addition, with Zero Trust threat protection, users are automatically blocked from reaching phishing and malware distribution sites, and malware that does get in is blocked from reaching its command and control (C2) servers. With these basic mechanisms, Zero Trust makes it much harder for malware to get in, to spread, or to do much once it is in.
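To make the access rule concrete, here is a small, illustrative policy evaluator in Python. It is an added example written for this post, not Akamai's product code or any real policy engine; the applications, groups, user sessions, and threat domains are constructed, and the "strongly authenticated" and "managed device" signals are assumed inputs that a real broker would get from an identity provider and a device posture check. It shows the default-deny decision made per application before any connection exists, that the list of applications a user can even see is derived from that same decision, and a domain check that blocks a blocklisted domain and all of its subdomains for the threat-protection side.

```python
from __future__ import annotations
from dataclasses import dataclass

# --- Inputs to the decision (all constructed for this example) ---

@dataclass(frozen=True)
class Session:
    """What the access broker knows about the requesting user at decision time."""
    user: str
    groups: frozenset[str]
    mfa: bool             # assumed signal: identity provider reports strong (multi-factor) auth
    device_managed: bool  # assumed signal: device posture check passed

@dataclass(frozen=True)
class Policy:
    # application -> groups explicitly granted access; anything not listed is denied
    app_grants: dict[str, frozenset[str]]
    # hypothetical threat-intel feed of phishing / malware / C2 domains
    threat_domains: frozenset[str]

POLICY = Policy(
    app_grants={
        "payroll.internal": frozenset({"finance"}),
        "wiki.internal": frozenset({"finance", "eng"}),
    },
    threat_domains=frozenset({"secure-login.example", "c2.example"}),
)

# --- Zero Trust access: default deny, per application, after strong auth ---

def authorize_app(session: Session, app: str, policy: Policy = POLICY) -> tuple[bool, str]:
    """Decide one (user, application) pair. The decision is made before any
    connection to the application exists, so a denied user never touches it."""
    if not session.mfa:
        return False, "not strongly authenticated"
    if not session.device_managed:
        return False, "device posture failed"
    granted = policy.app_grants.get(app)
    if granted is None:
        return False, "unknown application"            # default deny: no rule, no access
    if not (session.groups & granted):
        return False, "no grant for this application"  # least privilege: only what is needed
    return True, "ok"

def visible_apps(session: Session, policy: Policy = POLICY) -> set[str]:
    """The application catalog a user can see is derived from the same decision,
    so an unauthenticated or unauthorized user does not learn the app even exists."""
    return {app for app in policy.app_grants if authorize_app(session, app, policy)[0]}

# --- Zero Trust threat protection: block egress to known-bad domains ---

def allow_egress(domain: str, policy: Policy = POLICY) -> bool:
    """Block a blocklisted domain and every subdomain of it (a C2 beacon to
    beacon.c2.example is still a connection to c2.example)."""
    labels = domain.lower().rstrip(".").split(".")
    return not any(".".join(labels[i:]) in policy.threat_domains for i in range(len(labels)))

# Sample sessions (constructed)
ALICE = Session("alice", frozenset({"finance"}), mfa=True, device_managed=True)
BOB = Session("bob", frozenset({"eng"}), mfa=True, device_managed=True)
BOB_PASSWORD_ONLY = Session("bob", frozenset({"eng"}), mfa=False, device_managed=True)

if __name__ == "__main__":
    for s in (ALICE, BOB, BOB_PASSWORD_ONLY):
        print(s.user, "mfa" if s.mfa else "password-only", "sees", sorted(visible_apps(s)))
    for d in ("wiki.internal", "c2.example", "beacon.c2.example", "example.com"):
        print(d, "allowed" if allow_egress(d) else "BLOCKED")
```

The point of deriving `visible_apps` from `authorize_app` rather than from a separate catalog is that there is only one decision path: a user who fails strong authentication sees nothing, and a user with a grant for one application learns nothing about the others. The egress check walks parent domains so that an attacker cannot dodge the blocklist by beaconing to a fresh subdomain of a known C2 domain.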
At its core, then, Zero Trust is just very tight access control, ensuring that access is granted only to strongly authenticated and authorized users, and only to what is needed. Despite its name, there is nothing intimidating about Zero Trust. The concepts are simple and can be thought of as a very strong form of least privilege.