Hollywood (once again) got there first. Remember those films in which shadowy figures hiss “Trust no-one!” before vanishing from the scene?
Zero trust for IT security uses a similar principle of trusting nothing, at least not until suitable verification has been carried out.
That means that there is no default trust for anything or anyone, and all network traffic is examined and classified, before being let through or blocked according to each case.
Consequently, many enterprises must not only adapt their IT infrastructure for zero trust working, but also their perception of the protection to be provided.
The zero trust model knocks the old internal/external network model on the head. Whereas previously, the so-called M&M approach was prevalent (“a hard outside and a chewy centre”), the thinking is no longer in terms of network boundaries, but instead in terms of the data in transit.
Now, all users can access the network, but not all users can access all data. The advantages include being able to incorporate public cloud computing in the private IT security plan of an enterprise, as well as mobile computing that straddles the old corporate data perimeter.
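To make the contrast between the "hard outside, chewy centre" model and per-request zero trust evaluation concrete, here is an added illustration that is not part of the original article; the users, roles, resources and verification signals are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    device_verified: bool   # device passed posture/attestation check
    mfa_verified: bool      # session was authenticated with a second factor
    source: str             # "internal" or "external" network location
    resource: str           # the data the request wants to reach

# Constructed sample data: which roles may read which resource,
# and which roles each user holds. Unknown resources map to no roles.
RESOURCE_ACCESS = {
    "public-wiki": {"employee", "contractor"},
    "payroll-db": {"finance"},
}
USER_ROLES = {
    "alice": {"employee", "finance"},
    "bob": {"employee"},
}

def perimeter_decision(req: Request) -> str:
    """Old M&M model: anything already on the internal network is trusted,
    anything from outside is blocked. Identity and device are never checked."""
    return "allow" if req.source == "internal" else "deny"

def zero_trust_decision(req: Request) -> str:
    """Default deny. Every request is verified on its own merits, regardless
    of where on the network it came from: the device must be verified, the
    session must have MFA, and the user must hold a role for that resource."""
    if not req.device_verified or not req.mfa_verified:
        return "deny"
    if not USER_ROLES.get(req.user, set()) & RESOURCE_ACCESS.get(req.resource, set()):
        return "deny"
    return "allow"

def compare(req: Request) -> tuple:
    """Return (perimeter verdict, zero trust verdict) for the same request."""
    return perimeter_decision(req), zero_trust_decision(req)
```

The interesting cases are the ones where the two verdicts disagree: an unverified request from inside the network to sensitive data, and a fully verified employee working from outside the old perimeter.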
A zero trust approach also frees users from the complexity and frustration of having to use virtual private networks, not always the easiest things to access from remote coffee shops and hotel rooms.
Yet even if Hollywood said it before anybody else, zero trust IT security is already about seven years old, which in cyberworld terms makes it practically middle-aged.
Forrester Research laid claim to defining the concept, after Google made a similar change in its own IT security philosophy following a breach in 2009.
Since then, there have been a multitude of discussions on this and related themes, such as data protection for microservices and the pros and cons of approaches like RASP (runtime application self-protection).
Who’s right and who’s wrong? Find out for yourself – and remember, trust no-one!