Many IBM clients want to know what exactly zero trust security is and if it’s applicable to them. Understanding the zero trust concept and how it has evolved will help you and many of our clients understand how to best implement it to protect your company’s most valuable assets.
Zero trust is a framework that assumes every connection and endpoint are threats, both externally and internally within a company’s network security. It enables companies to build a thorough IT strategy to address the security needs of a hybrid cloud environment. Zero trust implements adaptive and continuous protection, and it provides the ability to proactively manage threats.
In other words, this approach never trusts users, devices or connections for any transactions and will verify all of these for every single transaction. This allows companies to gain security and visibility across their entire business and enforce consistent security policies, resulting in faster detection and response to threats.
Zero trust began in the “BeyondCorp” initiative developed by Google in 2010. The initiative’s goal was to secure access to resources based on identity and context, moving away from the traditional perimeter-based security model. This strategy allowed Google to provide employees with secure access to corporate applications and data from anywhere, using any device, without the need for a VPN.
In 2014, Forrester Research analyst John Kindervag coined the term zero trust to describe this new security paradigm in a report titled “The Zero Trust Model of Information Security.” He proposed a security model that assumes no one—whether inside or outside the organization’s network—can be trusted without verification. The report outlined the zero trust model based on two primary principles, summarized as “Never trust, always verify.”
First, all users, devices and applications are assumed to be untrusted and must be verified before they are granted access to resources. Second, the principle of least privilege means that every user or device is granted only the minimum level of access required to perform its job, and access is granted strictly on a need-to-know basis.
Since then, the concept of zero trust has continued to gain momentum, with many organizations adopting its architectures to better protect their digital assets from cyber threats. It encompasses various security principles and technologies that are deployed to strengthen security and reduce the risk of security breaches.
These models are designed to work together to create a comprehensive zero trust architecture that can help organizations to reduce their attack surface, improve their security posture and minimize the risk of security breaches. However, it’s important to note that the specific types of zero trust security models and their implementation may vary depending on the organization’s size, industry and specific security needs.
Zero trust has become a popular approach to modern cybersecurity. It has been embraced by many organizations to address the growing threat of cyberattacks and data breaches in today’s complex and interconnected world. As a result, many technology vendors have developed products and services that are specifically designed to support zero trust architectures.
Organizations can also draw on many frameworks and standards to implement zero trust security principles in their cybersecurity strategies, most notably the guidance published by the National Institute of Standards and Technology (NIST).
NIST is a non-regulatory government agency within the U.S. Department of Commerce, aimed at helping companies better understand, manage and reduce cybersecurity risks to protect networks and data. It has published two highly recommended, comprehensive guides on zero trust:
NIST SP 800-207, Zero Trust Architecture, was the first publication to establish the groundwork for zero trust architecture. It defines zero trust as a set of guiding principles (rather than specific technologies and implementations) and includes examples of zero trust architectures.
NIST SP 800-207 emphasizes the importance of continuous monitoring and adaptive, risk-based decision-making. It recommends implementing a zero trust architecture around the Seven Pillars of Zero Trust (traditionally known as the Seven Tenets of Zero Trust).
NIST SP 800-207 thus promotes an approach to zero trust that is based on the principles of least privilege, micro-segmentation and continuous monitoring, encouraging organizations to implement a layered security approach that combines multiple technologies and controls to protect against threats.
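To make the principles above concrete (the “never trust, always verify” and least-privilege rules introduced with Kindervag’s report, and the least-privilege, micro-segmentation and continuous-monitoring principles that NIST SP 800-207 promotes), here is an added illustration of a per-request policy decision point. It is not code from IBM, Google or NIST; the users, roles, devices and resources are constructed sample data, and the check order is one reasonable design, not a standard. The point it demonstrates is that the source network is carried in the request but never consulted: a request from the corporate LAN with no verified identity is denied, while a request from the internet with a verified identity, a compliant device and an explicitly granted permission is allowed.

```python
"""Per-request zero trust policy decision (added example, not from the original article).

Every request is evaluated on identity, device posture, least-privilege entitlements
and per-segment context. Network location is deliberately ignored as a trust signal.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Request:
    user: Optional[str]              # identity from a verified token, or None if unverified
    token_expires: Optional[datetime]
    device_id: str
    resource: str                    # the micro-segment being accessed
    action: str                      # "read" or "write"
    mfa_verified: bool
    source_network: str              # "corporate" or "internet"; recorded, never trusted


# Constructed directory: each role is granted only the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "finance": {("reports", "read"), ("payroll", "read"), ("payroll", "write")},
}
USER_ROLES = {"alice": "analyst", "bob": "finance"}

# Constructed device inventory: posture is re-checked on every request, not once at login.
DEVICE_POSTURE = {
    "laptop-01": {"managed": True, "disk_encrypted": True, "patched": True},
    "laptop-02": {"managed": True, "disk_encrypted": True, "patched": False},
    "byod-phone": {"managed": False, "disk_encrypted": True, "patched": True},
}

# Micro-segmentation: sensitive segments carry stricter requirements than the rest.
SENSITIVE_RESOURCES = {"payroll"}

# Continuous monitoring: every decision, allow or deny, is recorded for review.
AUDIT_LOG: list[dict] = []


def evaluate(req: Request, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason) for one request and append the decision to the audit log."""
    allowed, reason = _decide(req, now)
    AUDIT_LOG.append({
        "user": req.user, "device": req.device_id, "resource": req.resource,
        "action": req.action, "network": req.source_network,
        "allowed": allowed, "reason": reason,
    })
    return allowed, reason


def _decide(req: Request, now: datetime) -> tuple[bool, str]:
    # 1. Identity: no verified, unexpired identity means deny, even from the corporate LAN.
    if req.user is None or req.token_expires is None or req.token_expires <= now:
        return False, "identity not verified"
    # 2. Device posture: unknown or unmanaged devices are denied outright.
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None or not posture["managed"]:
        return False, "unmanaged or unknown device"
    # 3. Least privilege: the role must explicitly grant this resource and action.
    role = USER_ROLES.get(req.user)
    if role is None or (req.resource, req.action) not in ROLE_PERMISSIONS.get(role, set()):
        return False, "not authorized for this resource/action"
    # 4. Per-segment context: sensitive segments require MFA and a fully compliant device.
    if req.resource in SENSITIVE_RESOURCES:
        if not req.mfa_verified:
            return False, "MFA required for sensitive resource"
        if not all(posture.values()):
            return False, "device not compliant for sensitive resource"
    return True, "allowed"


def demo() -> dict[str, tuple[bool, str]]:
    """Run a set of constructed requests and return the decision for each labelled case."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    valid = now + timedelta(hours=1)
    expired = now - timedelta(minutes=1)
    cases = {
        "lan_no_identity":    Request(None, None, "laptop-01", "reports", "read", False, "corporate"),
        "internet_analyst":   Request("alice", valid, "laptop-01", "reports", "read", False, "internet"),
        "analyst_payroll":    Request("alice", valid, "laptop-01", "payroll", "read", True, "corporate"),
        "finance_no_mfa":     Request("bob", valid, "laptop-01", "payroll", "write", False, "corporate"),
        "finance_unpatched":  Request("bob", valid, "laptop-02", "payroll", "write", True, "corporate"),
        "finance_byod":       Request("bob", valid, "byod-phone", "reports", "read", True, "internet"),
        "finance_expired":    Request("bob", expired, "laptop-01", "reports", "read", True, "corporate"),
        "finance_ok":         Request("bob", valid, "laptop-01", "payroll", "write", True, "internet"),
    }
    return {label: evaluate(req, now) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in demo().items():
        print(f"{label:20s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The deny reasons are deliberately coarse and are written to the audit log rather than returned to the caller in a production design; the log is what feeds the continuous monitoring and adaptive decision-making that SP 800-207 calls for, since a burst of “identity not verified” denials from one device is itself a signal worth investigating.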
NIST SP 1800-35B, Implementing a Zero Trust Architecture, is the other highly recommended NIST publication and comprises two main topics:
The publication correlates IT security challenges (applicable to private and public sectors) to the principles and components of a zero trust architecture so that organizations can first properly self-diagnose their needs. They can then adopt the principles and components of a zero trust architecture to meet the needs of their organization. Therefore, NIST SP 1800-35B does not identify specific types of zero trust models.
NIST uses iterative development for the four zero trust architectures it has implemented, which gives it the flexibility to make incremental improvements and to maintain continuity with the zero trust framework as it evolves over time.
NIST has strategic partnerships with many technology organizations (like IBM) that collaborate to stay ahead of these changes and emerging threats.
The collaboration allows IBM to prioritize development so that its technology solutions align with the seven tenets and principles of zero trust, securing and protecting IBM clients’ systems and data.
Learn more about the importance of zero trust in IBM’s 2022 Cost of a Data Breach Report or directly connect with one of IBM’s zero trust experts.