The evolution of zero-trust security

The zero-trust approach to enterprise cybersecurity assumes that no connections to corporate systems and networks should be trusted. It requires authentication of users, devices, and systems prior to initial connection and multiple points of re-verification before accessing networks, systems, and data.

The zero-trust security model is based on the concept of removing implicit trust and implementing strong Identity and Access Management (IAM) controls to ensure that only authorized individuals, devices, and applications have access to an organization's systems and data. This approach significantly reduces the risk of unauthorized access, insider threats, and malicious attacks.

According to a report from IAM software vendor Okta, there has been an increase in organizations adopting a zero-trust approach. The report indicates that 55% of respondents have implemented a zero-trust initiative, which is a notable increase from the 24% reported in Okta's 2021 report.

The shift from perimeter-based security to zero trust

The zero-trust approach to enterprise cybersecurity differs from perimeter-based security, which creates a boundary around an organization's IT environment using firewalls and other tools. Perimeter-based security assumes trust for all users and devices within the perimeter, providing them with broad or unrestricted access to all systems within the perimeter.

Over the past two decades, the perimeter of organizations has disintegrated due to the increase in the commercial internet, cloud computing, mobile communication, IoT, and remote-work policies. This has resulted in a significant increase in the number of employees, business partners, devices, and applications that require access to systems within the perimeter and vice versa.

Because bad actors launch attacks that can blend in with this growing volume of traffic, the zero-trust approach eliminates implicit trust and requires users, devices, and systems to prove their authorization before gaining access. This limits the damage such attacks can cause and helps maintain security.

The zero-trust approach is implemented through a combination of policies, IT architecture designs, and technologies, including the principle of least privilege, micro-segmentation, MFA, endpoint monitoring, and behavior analytics.
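To make the contrast between the two models concrete, here is an added illustration (not code from the original article or from Cryptomathic) of a per-request access decision. The perimeter model trusts anything coming from the internal address range; the zero-trust policy checks identity, device posture, least-privilege entitlements, MFA freshness, and a behavior-analytics risk score on every request. The network range, roles, resources, and thresholds are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed corporate address range

# Least-privilege entitlements: each role reaches only what it needs (constructed)
ROLE_ACCESS = {
    "finance": {"erp", "payroll"},
    "engineer": {"git", "ci"},
}
# Sensitive resources that additionally require a recent MFA challenge (constructed)
MFA_REQUIRED = {"payroll", "erp"}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    source_ip: str
    authenticated: bool            # identity verified for this specific request
    mfa_age_seconds: Optional[int]  # seconds since last MFA challenge, None if never
    device_compliant: bool         # endpoint monitoring reports a healthy, managed device
    risk_score: float              # behavior analytics output: 0.0 normal .. 1.0 anomalous


def perimeter_decision(req: Request) -> bool:
    """Perimeter model: being inside the network boundary is sufficient to be trusted."""
    return ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_decision(req: Request, max_mfa_age: int = 900,
                        max_risk: float = 0.7) -> Tuple[bool, str]:
    """Zero-trust model: every request is verified, wherever it originates."""
    if not req.authenticated:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    if req.resource not in ROLE_ACCESS.get(req.role, set()):
        return False, "least privilege: role not entitled to resource"
    if req.resource in MFA_REQUIRED and (
        req.mfa_age_seconds is None or req.mfa_age_seconds > max_mfa_age
    ):
        return False, "fresh MFA required for sensitive resource"
    if req.risk_score > max_risk:
        return False, "behavior analytics flagged anomalous session"
    return True, "allowed"
```

An engineer on an internal address asking for payroll is allowed by the perimeter check but refused by the least-privilege rule, while a verified finance user on an external address is refused by the perimeter check yet allowed under zero trust.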

The timeline of zero-trust security

Prior to 2004, limitations in the perimeter-based approach were evident.

The traditional perimeter-based security approach was commonly used for many years, but the rise of cloud computing in the first two decades of the 21st century caused enterprises to reassess their defensive strategies. This led to a necessary shift in the approach taken by security teams.

In 2004, the seeds of zero trust are sown.

The zero trust framework has its roots in ideas presented by the Jericho Forum in 2004. This security consortium, now a part of The Open Group Security Forum, recognized flaws in the perimeter defense approach and proposed a new concept of security called "deperimeterization", which involves implementing multiple levels of security measures, such as encryption and data-level authentication.

The "zero trust" term was introduced in 2010.

Forrester Research analyst John Kindervag popularized the phrase "zero trust," suggesting that organizations should not extend trust to anything inside or outside of their perimeters.

Google releases BeyondCorp in 2011

BeyondCorp was originally developed by Google in 2009 as a response to an APT attack named Operation Aurora. Its purpose was to allow employees to work remotely without needing a VPN.

In 2018, the concept of zero trust was established with its core principles.

Forrester introduced the Zero Trust eXtended Ecosystem concept in 2018, which defined seven core pillars for zero trust.

The National Institute of Standards and Technology (NIST) released the first version of SP 800-207, providing guidelines for the core components of zero trust architecture.

2019: ZTNA arrives

In 2019, Gartner introduced the term zero-trust network access (ZTNA) and the networking model Secure Access Service Edge (SASE) to enhance the zero-trust framework's available defense layers.

2021: Zero trust becomes increasingly popular

According to Microsoft's "Zero Trust Adoption Report" in 2021, 96% of security decision-makers who participated acknowledged the importance of zero trust for their organizations' success.

The main reasons cited for adopting zero trust were increased security and compliance agility, as well as the need for faster threat detection and remediation. The report also noted that the expansion of remote and hybrid work options during the COVID-19 pandemic contributed to greater adoption of zero trust.

The White House releases a zero-trust strategy

While zero-trust strategies were being implemented in the private sector, the US federal government also began efforts to advance zero-trust security measures across federal agencies.

May 2021

US President Joe Biden issued an Executive Order focused on enhancing the nation's cybersecurity, with a particular emphasis on fortifying critical infrastructure cyber defenses. The order also directed the federal government to work toward a zero-trust architecture and outlined specific measures to achieve this objective.

September 2021

A draft strategy for moving the federal government toward zero trust was released by the U.S. Office of Management and Budget (OMB). Some analysts believe this puts the federal government ahead of the private sector on zero-trust implementations. The Cybersecurity and Infrastructure Security Agency (CISA) also released its Cloud Security Technical Reference Architecture and Zero Trust Maturity Model for public comment. CISA explains that it is essential for agencies to implement data protection measures around cloud security and zero trust. The agency's models are designed to guide agencies' secure migration to the cloud and help them develop their zero-trust strategies and implementation plans.

Following these announcements, U.S. government agencies followed up with concrete action.

2022

In January 2022, the OMB shared information about their plan to promote the federal government's zero-trust initiative.

OMB Acting Director Shalanda D. Young issued a memorandum on March 26, 2022, notifying executive department and agency heads that federal agencies must comply with specific cybersecurity standards and objectives by the end of fiscal year 2024. The aim is to enhance the government's defenses against sophisticated and persistent threat campaigns. Federal agencies are required to meet five zero-trust goals by the end of September 2024, covering identity, devices, networks, applications, and data.

In June 2022, CISA released the second edition of its Cloud Security Technical Reference Architecture, co-authored by two other federal agencies. The executive summary states that the purpose of the document is to aid federal entities in the adoption and implementation of zero-trust architectures.

According to Okta's "The State of Zero Trust Security 2022" report, government organizations are currently leading the way in implementing zero-trust security measures. The report found that 72% of government organizations surveyed had a defined initiative or plans to start one, compared to 55% of global nongovernment organizations.

2023 and beyond

Over the past ten years, the concept of zero trust has shifted from a security measure under consideration to a commonly utilized approach for securing organizations globally. The 2021 Microsoft report indicates that 76% of organizations have begun implementing a zero-trust strategy, while 35% believe they have fully implemented it.

The trend of organizations adopting zero trust is expected to increase. As zero trust is not a singular product sold by a specific vendor, many organizations have implemented measures that align with zero trust principles. Some may be further along this path than they are aware.

Security experts agree that many organizations across sectors still have room for improvement in implementing zero trust. This will require enhancements in both policy and technology tools, as well as refinements in how they are deployed and used.

Federal government guidance has influenced other entities, such as state and local governments, universities, and critical infrastructure companies, to adopt the verify-then-trust principle.

To facilitate the advancement of zero trust, various analyst firms and organizations have developed roadmaps for zero-trust implementation. These roadmaps provide step-by-step guidance for organizations seeking to comprehend their current zero-trust status and establish a complete verify-then-trust security stance.

Cryptomathic is a leader in cybersecurity solutions, including digital identification & signatures, encryption, and mobile app security.

Contact us to discuss your requirements.