
Zero trust architecture (ZTA) or perimeterless security is a design and implementation strategy for IT systems. The principle is that users and devices should not be trusted by default, even if they are connected to a privileged network such as a corporate LAN, and even if they were previously verified. ZTA is implemented by establishing identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly authorized resources.

Most modern corporate networks consist of many interconnected zones, cloud services and infrastructure, connections to remote and mobile environments, and connections to non-conventional IT such as IoT devices. The traditional approach of trusting users and devices within a notional "corporate perimeter" or via a VPN connection is commonly not sufficient in the complex environment of a corporate network. The zero trust approach advocates mutual authentication, including checking the identity and integrity of users and devices without respect to location, and providing access to applications and services based on the confidence in user and device identity and device status, in combination with user authentication.

The zero trust architecture has been proposed for use in specific areas such as supply chains. The principles of zero trust can be applied to data access and to the management of data. This brings about zero trust data security, where every request to access the data needs to be authenticated dynamically and least privileged access to resources must be ensured. In order to determine whether access can be granted, policies can be applied based on the attributes of the data, who the user is, and the type of environment, using Attribute-Based Access Control (ABAC). This zero-trust data security approach can protect access to the data.


History

In April 1994, the term "zero trust" was coined by Stephen Paul Marsh in his doctoral thesis on computer security at the University of Stirling. Marsh's work studied trust as something finite that can be described mathematically, asserting that the concept of trust transcends human factors such as morality, ethics, lawfulness, justice, and judgement.

The problems of the Smartie or M&M model of the network (the precursor description of de-perimeterisation) were described by a Sun Microsystems engineer in a Network World article in May 1994, who described firewalls' perimeter defence as a hard shell around a soft centre, like a Cadbury Egg.

In 2001 the first version of the OSSTMM (Open Source Security Testing Methodology Manual) was released, and this had some focus on trust. Version 3, which came out around 2007, has a whole chapter on trust which says "Trust is a Vulnerability" and talks about how to apply the OSSTMM 10 controls based on trust levels.

In 2003 the challenges of defining the perimeter of an organisation's IT systems were highlighted by the Jericho Forum of that year, discussing the trend of what was then given the name "de-perimeterisation".

In response to Operation Aurora, a Chinese APT attack throughout 2009, Google started to implement a zero-trust architecture referred to as BeyondCorp.

In 2010 the term zero trust model was used by analyst John Kindervag of Forrester Research to denote stricter cybersecurity programs and access control within corporations. However, it would take almost a decade for zero trust architectures to become prevalent, driven in part by increased adoption of mobile and cloud services.

In 2018, work undertaken in the United States by cybersecurity researchers at NIST and NCCoE led to the publication of NIST SP 800-207 – Zero Trust Architecture. The publication defines zero trust (ZT) as a collection of concepts and ideas designed to reduce the uncertainty in enforcing accurate, per-request access decisions in information systems and services in the face of a network viewed as compromised. A zero trust architecture (ZTA) is an enterprise's cyber security plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan. There are several ways to implement all the tenets of ZT; a full ZTA solution will include elements of all three:

* Using enhanced identity governance and policy-based access controls
* Using micro-segmentation
* Using overlay networks or software-defined perimeters

In 2019 the United Kingdom National Cyber Security Centre (NCSC) recommended that network architects consider a zero trust approach for new IT deployments, particularly where significant use of cloud services is planned. An alternative but consistent approach is taken by NCSC in identifying the key principles behind zero trust architectures:

* Single strong source of user identity
* User authentication
* Machine authentication
* Additional context, such as policy compliance and device health
* Authorization policies to access an application
* Access control policies within an application
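As an added illustration (not code from the article, NIST SP 800-207 or NCSC), the following minimal policy decision point applies the per-request, attribute-based checks described above and in the ABAC data-security paragraph: user identity and strong authentication, machine authentication and device health, session freshness, and explicit least-privilege entitlements per resource and action, with network location deliberately ignored. The entitlement table, the user and device records, and the 15-minute session limit are constructed for the example.

```python
# Added example: a minimal zero-trust policy decision point (PDP).
# Every request is evaluated afresh from attributes of the user, the
# device, the resource and the environment (ABAC). Being on the corporate
# LAN or having been verified earlier grants nothing by itself.

MAX_SESSION_AGE_S = 900  # assumed policy: re-verify identity every 15 minutes

# Constructed entitlement table: which roles may perform which action on
# each resource. Anything not listed is denied (least privilege).
ENTITLEMENTS = {
    "payroll-db": {"read": {"hr", "finance"}, "write": {"finance"}},
    "wiki": {"read": {"staff", "hr", "finance"}, "write": {"staff"}},
}

def evaluate(user, device, resource, action, env):
    """Return (allowed, denial_reasons); an empty reason list means allow."""
    reasons = []
    # Tenet: verify the user's identity on every request, with strong auth.
    if not user.get("identity_verified") or not user.get("mfa_passed"):
        reasons.append("user identity not strongly verified")
    # Tenet: authenticate the machine and check its health before access.
    if not device.get("cert_valid"):
        reasons.append("device not authenticated")
    if not device.get("compliant"):
        reasons.append("device fails compliance/health check")
    # Tenet: an earlier verification does not carry forward indefinitely.
    if env.get("session_age_s", 0) > MAX_SESSION_AGE_S:
        reasons.append("session too old; re-authentication required")
    # Tenet: explicit authorization for this resource and action only.
    allowed_roles = ENTITLEMENTS.get(resource, {}).get(action, set())
    if not allowed_roles & set(user.get("roles", ())):
        reasons.append(f"no explicit authorization for {action} on {resource}")
    # device["on_corporate_lan"] is intentionally never consulted.
    return (not reasons, reasons)

# Constructed sample subjects and devices.
HR_USER = {"identity_verified": True, "mfa_passed": True, "roles": ["hr"]}
GOOD_DEVICE = {"cert_valid": True, "compliant": True, "on_corporate_lan": False}
LAN_DEVICE = {"cert_valid": True, "compliant": False, "on_corporate_lan": True}

def demo():
    """Four requests: one allowed, three denied for different tenets."""
    fresh, stale = {"session_age_s": 60}, {"session_age_s": 7200}
    return {
        "hr_read_payroll": evaluate(HR_USER, GOOD_DEVICE, "payroll-db", "read", fresh),
        "hr_write_payroll": evaluate(HR_USER, GOOD_DEVICE, "payroll-db", "write", fresh),
        "lan_noncompliant": evaluate(HR_USER, LAN_DEVICE, "payroll-db", "read", fresh),
        "stale_session": evaluate(HR_USER, GOOD_DEVICE, "wiki", "read", stale),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(name, "ALLOW" if ok else "DENY", why)
```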


See also

* Blast radius
* Password fatigue
* Secure access service edge
* Identity threat detection and response

