Many cyberattacks rely on the level of access legitimate users have on computer networks. Breach the perimeter and you’ve got the keys to the castle. With a zero-trust approach to security, merely getting through the door isn’t enough anymore.
Traditional Perimeter-Based Security
In a traditional security setup, there’s a built-in assumption that anyone with legitimate access credentials is a trusted actor. Remember that line from Star Wars, the one that goes, “It’s an older code, sir, but it checks out”? That’s the sort of security we’re talking about here.
This is why you need to use a VPN for public Wi-Fi. The way Wi-Fi is designed, there’s an assumption that anyone with a Wi-Fi password is a trusted actor. They can see the activity of other network users and access network-connected devices. This is also why you should encourage the use of the guest network feature of your router instead of handing out your Wi-Fi password to everyone who visits your home!
This is sometimes referred to as “perimeter-based” security, where anyone who manages to make it inside the network’s perimeter is implicitly trusted.
Zero-trust architecture works from the assumption that no one can be trusted. This is built into how access privileges are structured and applied.
In a zero-trust system, every file, resource, service, or anything that’s on the network has its own security requirements. This means no one gets to access something if they don’t have explicit permission. It also means that just because someone is physically on your premises (plugged into an on-site Ethernet port, for example), they aren’t given access to your systems.
In a zero-trust network, everything is segmented so that even if there is a breach, access is limited to the small segment of resources to which those credentials are tied.
With zero-trust, people aren’t given indefinite access to resources either; they can access the resources they need only as long as they have a legitimate need for them.
Zero-Trust Means Lots of Authentication
Zero-trust designs include a lot of verification methods. It goes way beyond simply typing in a password. Verification can include having the right device, with the right firmware version, the right operating system version, and the right applications installed.
There are solutions that look at user behavior so that if the user on the network starts acting in a way that’s out of the ordinary for them, they’ll be flagged. Zero-trust architecture can also make use of artificial intelligence (AI) and machine learning (ML) to detect these strange patterns and revoke access privileges based on suspicion.
In the era of remote work, zero-trust security can also use physical location as a verification criterion. So if you try to access the network from an unapproved location, you’ll be blocked!
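The checks described in the two sections above can be sketched as a single default-deny decision function. This is an added example, not code from the original article; the users, resources, version baselines and approved locations are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# All names, versions and resources below are constructed for illustration.
MIN_OS = (14, 2)                   # assumed minimum OS version
MIN_FIRMWARE = (3, 1)              # assumed minimum firmware version
APPROVED_COUNTRIES = {"US", "CA"}  # assumed approved locations

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    expires: datetime  # access is never indefinite

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    os_version: tuple
    firmware: tuple
    country: str
    on_premises: bool  # recorded, but deliberately never used to grant access
    when: datetime

GRANTS = [
    Grant("alice", "payroll-db", datetime(2030, 1, 1, tzinfo=timezone.utc)),
    Grant("bob", "wiki", datetime(2020, 1, 1, tzinfo=timezone.utc)),
]

def decide(req: Request, grants=GRANTS):
    """Return (allowed, reason). Default is deny; every check must pass."""
    grant = next((g for g in grants
                  if g.user == req.user and g.resource == req.resource), None)
    if grant is None:
        return False, "no explicit grant for this resource"
    if req.when >= grant.expires:
        return False, "grant expired"
    if req.os_version < MIN_OS or req.firmware < MIN_FIRMWARE:
        return False, "device posture below baseline"
    if req.country not in APPROVED_COUNTRIES:
        return False, "unapproved location"
    return True, "all checks passed"
```

Being plugged into an on-site port (on_premises=True) changes nothing in the outcome: a user without a grant for a resource is still refused, and a grant that has expired no longer opens anything.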
Why Is Zero-Trust Necessary?
Just as with email spoofing, credential-based attacks on networks result from systems designed under the naive assumption that everyone is on the same side. When the internet was first under development, and the only ones connected were government and academic institutions, there was little reason to implement elaborate security measures. Even if you wanted to, the computers of the day had so little memory and processing power that it would likely have been impractical.
When the foundations of network technology were being cemented, no one thought that one day every person would have one or more computers all connected to a vast world-spanning web, but that’s the reality we live in now.
Almost every day there are reports of massive data breaches or of individual people falling victim to their credentials being stolen and suffering financial or other types of damage. Using a zero-trust approach eliminates a huge swathe of the strategies and tactics hackers use to ply their trade. So don’t be surprised if you hear the term “zero-trust” a lot more at work or from the companies that provide you with online services.