{"id":9400,"date":"2018-04-17T09:48:34","date_gmt":"2018-04-17T16:48:34","guid":{"rendered":"https:\/\/www.zubairalexander.com\/stage\/?p=9400"},"modified":"2019-12-10T14:04:57","modified_gmt":"2019-12-10T21:04:57","slug":"zero-trust-security-model","status":"publish","type":"post","link":"https:\/\/www.zubairalexander.com\/blog\/zero-trust-security-model\/","title":{"rendered":"Zero Trust Security Model &#8211; A Framework for a Different Approach"},"content":{"rendered":"<p>Although not new, the Zero Trust information security model has been gaining popularity lately. Over the years, we have been taught a certain security model that protects our business network. I will refer to it as the\u00a0<em>Trusted Network<\/em>\u00a0model. This model is based on the theory that the external network is not secure, while the internal network within the corporate boundaries is considered secure. However, things have changed in recent years. Businesses are getting hacked at a record pace; vendors are pushing organizations to move to the cloud; hacking, ransomware, and data theft have cost millions of companies billions of dollars; and the public is becoming used to hacking as a part of life. This means that the Trusted Network security model is not sufficient to protect our critical systems and business assets; at least, that\u2019s the conclusion reached by Forrester. The model proposed by Forrester is called the\u00a0<a href=\"https:\/\/www.forrester.com\/playbook\/The+Security+Architecture+And+Operations+Playbook+For+2018\/-\/E-PLA300\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Zero Trust Model<\/a>\u00a0of information security. It\u2019s based on the philosophy of trusting no one. That\u2019s right! 
You must not trust any traffic, internal or external.<\/p>\n<table>\n<tbody>\n<tr>\n<td style=\"background-color: #f4f7c8; text-align: left; vertical-align: top;\">According to the\u00a0<a href=\"https:\/\/cybersecurityventures.com\/2015-wp\/wp-content\/uploads\/2017\/10\/2017-Cybercrime-Report.pdf\">2017 Annual Cybercrime Report<\/a>\u00a0by Cybersecurity Ventures, \u201ccybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.\u201d<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4><strong>What is the Zero Trust Model?<\/strong><\/h4>\n<p>A Zero Trust architecture moves access controls from the corporate network perimeter to individual devices and users, called endpoints. A business can have the best security measures to guard the network against outside intruders, but an attacker can still enter the corporate network easily using many different techniques. 
A Zero Trust model definitely has its appeal because it focuses on protecting the network <em>endpoints<\/em>, rather than the network security boundaries on the <em>perimeter<\/em>.<\/p>\n<p><a href=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/02\/zero-trust-network-architecture.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-9407\" src=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/02\/zero-trust-network-architecture.png\" alt=\"Zero Trust Network Architecture\" width=\"774\" height=\"580\" srcset=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/02\/zero-trust-network-architecture.png 774w, https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/02\/zero-trust-network-architecture-300x225.png 300w, https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/02\/zero-trust-network-architecture-768x576.png 768w\" sizes=\"(max-width: 774px) 100vw, 774px\" \/><\/a><\/p>\n<h4><strong>My Take on the Zero Trust Model<\/strong><\/h4>\n<p>We live in a connected world where we have to collaborate not just with other employees, but also with customers, vendors, partners, etc. I think the Zero Trust model makes sense in today\u2019s world, especially because of the large number of major data breaches that bypass the defined corporate perimeter. However, this model may not be practical for every organization. It may require replacing legacy applications, updating custom programs, or updating the network infrastructure, all of which come at a cost. In addition to the cost and complexity issues, monitoring endpoints closely also raises some serious privacy issues.<\/p>\n<p>After a repeal of an existing privacy law, Internet Service Providers (ISPs) are now able to legally sell our personal data without our consent. 
According to the\u00a0<a href=\"https:\/\/www.nytimes.com\/2017\/04\/03\/technology\/trump-repeal-online-privacy-protections.html\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">New York Times<\/a>, \u201cThe change will allow broadband internet service suppliers, such as cable and telecommunications companies, to track and sell a customer\u2019s online information with greater ease.\u201d<\/p>\n<p><a href=\"https:\/\/www.nist.gov\/system\/files\/documents\/2017\/06\/05\/040813_forrester_research.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">Forrester<\/a> claims that \u201cThere is no chance of violating Civil Liberties &#8211; Zero Trust focuses on keeping internal data safe and would not result in any foreseeable\u00a0encroachment on Civil Liberties.\u201d It\u2019s hard to believe that monitoring and logging all network traffic going in and out of the endpoints doesn\u2019t encroach on Civil Liberties.<\/p>\n<p>Change takes time. Convincing businesses to move from the traditional \u201cTrust but Verify\u201d security model to the new Zero Trust model, with its philosophy of \u201cVerify and Don\u2019t Trust\u201d, won\u2019t happen overnight. Everyone knows the advantages of moving from IPv4 to IPv6, but we still haven\u2019t made it a high priority to switch things over completely after all these years. As the cost of network breaches continues to increase, corporations will eventually turn around and make Zero Trust a higher priority.<\/p>\n<p>Over time, implementing a Zero Trust model should become more affordable and will hopefully also address the privacy concerns. 
Privacy and security go hand in hand and you can\u2019t really have one without the other.<\/p>\n<h4><strong>A Real World Example<\/strong><\/h4>\n<p>Forrester developed the Zero Trust model in 2010 and envisioned it as a vendor-neutral design, so it is not tied to a specific technology or vendor.<\/p>\n<p>Google decided to incorporate Forrester\u2019s Zero Trust model into its \u201cBeyondCorp\u201d initiative, whose mission is \u201cTo have every Google employee work successfully from untrusted networks without use of a VPN.\u201d BeyondCorp is now available as a GCP service called Identity-Aware Proxy (IAP). According to <a href=\"https:\/\/cloud.google.com\/beyondcorp\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Google<\/a>:<\/p>\n<p><em>\u201cBeyondCorp is an enterprise security model that builds upon 6 years of building zero trust networks at Google, combined with best-of-breed ideas and practices from the community. By shifting access controls from the network perimeter to individual devices and users, BeyondCorp allows employees to work more securely from any location without the need for a traditional VPN.\u201d<\/em><\/p>\n<p>The critics say that Google\u2019s BeyondCorp initiative forces businesses to become a Google shop. According to\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/3253571\/endpoint-protection\/how-to-approach-a-zero-trust-security-model-for-your-enterprise.html\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">CSO Magazine<\/a>, \u201cIf you want to implement Zero Trust today, you can buy and implement Google\u2019s Beyond Corp as a service, but they lock you in to using everything Google (Google Cloud, Google Identity, the entire G Suite, and all users must be on Chromebooks).\u201d This violates one of the fundamental goals of the Zero Trust model because Forrester envisioned this security model to be vendor-neutral. 
By trying to lock businesses into Google\u2019s own proprietary technologies, it seems like what Google has done with BeyondCorp is the exact opposite of what Forrester had in mind. This is a matter of concern and hopefully other companies won\u2019t follow this path.<\/p>\n<p><a href=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/04\/ZT-core-concepts.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-9647\" src=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/04\/ZT-core-concepts.png\" alt=\"Zero Trust Model - Core Concepts\" width=\"1021\" height=\"590\" srcset=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/04\/ZT-core-concepts.png 1021w, https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/04\/ZT-core-concepts-300x173.png 300w, https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/04\/ZT-core-concepts-768x444.png 768w\" sizes=\"(max-width: 1021px) 100vw, 1021px\" \/><\/a><\/p>\n<h4>What Will Not Change with the Zero Trust Model<\/h4>\n<p>In the current Trusted Network model, humans are the weakest link in cybersecurity. Cybersecurity awareness training is key to protecting a corporate network, because every single employee, from an intern to the CEO, is at risk of becoming a social engineering victim. When businesses implement a Zero Trust model, the need for cybersecurity awareness training won\u2019t go away. Because the focus would be on endpoints, employees would have to become even more aware of cybersecurity threats because they won\u2019t be inside a secure bubble that\u2019s safe from external attacks. Mobile device usage is only increasing, causing massive challenges for IT departments. Wireless devices are more prone to cyberattacks, and smartphones and Internet of Things (IoT) devices are a good reason for organizations to implement a Zero Trust model. 
Therefore, the need for cybersecurity awareness training will only increase in the future, and the Zero Trust model will not eliminate or reduce such training.<\/p>\n<p>As far as cybersecurity strategy is concerned, my recommendation to my clients is to implement <a href=\"https:\/\/www.seattlepro.com\/cybersecurity-awareness-training\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Cybersecurity Awareness Training<\/a> as part of the overall\u00a0<em>Cybersecurity Awareness &amp; Training Program<\/em>.\u00a0Make sure that employees go through this training every year to keep up with the latest cybersecurity threats and changes in the industry. This will create a\u00a0<em>security culture<\/em>\u00a0that will continue to benefit the organization for years down the road.<\/p>\n<table>\n<tbody>\n<tr>\n<td style=\"background-color: #e3e3e3; text-align: left;\">Thanks for reading my article. If you are interested in IT training &amp; consulting services, please reach out to me. Visit <a href=\"https:\/\/www.zubairalexander.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">ZubairAlexander.com<\/a> for information on my professional background.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<p><span style=\"font-size: xx-small; font-family: Verdana;\">Copyright \u00a9 2018 <a href=\"https:\/\/www.seattlepro.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">SeattlePro Enterprises, LLC<\/a>. All rights reserved.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Although not new, the Zero Trust information security model has been gaining popularity lately. Over the years, we have been taught a certain security model that protects our business network. I will refer to it as the\u00a0Trusted Network\u00a0model. 
This model is based on the theory that the external network is not secure, while the internal network [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":9407,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[43,78,24],"tags":[],"class_list":["post-9400","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles","category-privacy","category-security"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2018\/02\/zero-trust-network-architecture.png","_links":{"self":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts\/9400","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/comments?post=9400"}],"version-history":[{"count":0,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts\/9400\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/media\/9407"}],"wp:attachment":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/media?parent=9400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/categories?post=9400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/tags?post=9400"}],"curies":[{"name":"wp","href":"https:\/\
/api.w.org\/{rel}","templated":true}]}}