The focus needs to be on securely authenticating users, knowing their roles and their access privileges and being able to spot abnormal user and device behavior.
Instead access needs to be based on what you know about the user, what you know about their device and what is being accessed Kemp says. The trust you assign a user cannot be based on whether that user is attempting to access an enterprise application from inside your network perimeter or outside of it. The network itself must not determine which services you can access, said Tom Kemp, CEO of Centrify. One of the key tenets to keep in mind when embarking on the path to zero trust is that nothing can have access to internal resources until it can be verifiably trusted. Pulling off the effort required support from the board level down. Along the way, the company had to redefine and restructure job roles and classifications, build an entirely new master inventory service for keeping track of devices, enable better visibility over its apps, and overhaul user authentication and access control policies. Google, one of the pioneers in this space, spent some six years moving away from its VPN and privileged network access model to BeyondCorp, its own version of a zero trust environment. Implementing a zero trust network can be challenging. All traffic-not just external-has to be monitored. "We need to wipe the idea that people are on the network," and focus instead on the packets traversing over it, he says. There can no more be any trusted networks, trusted devices or trusted people. "In zero trust everything is untrusted," says Kindervag. To be secure, organizations need to get past the notion of the trusted and untrusted user and network.
"Trust is a dangerous vulnerability that can be exploited," in such an environment says John Kindervag, former Forrester analyst and creator of the zero trust model and currently field CTO at Palo Alto Networks. The old castle-and-moat approach of gating access to internal resources via a heavily reinforced perimeter no longer works because of how scattered enterprise data has become and the many ways in which it can be accessed. A growing mobile workforce and the increasing use of cloud services to host applications and services have also made it harder for many enterprises to establish and enforce a network perimeter.
The problem lies in the long-held practice by organizations to implicitly trust users and traffic on the internal network while treating only external users as untrusted. Numerous recent data breaches have happened because conventional security controls and data leak prevention tools were unable to spot malicious activities being carried out by external actors using stolen credentials to move about freely. The model emphasizes the use of device and user credentials, rather than network location, as the basis for granting or denying access to network assets.įorrester and others have said the approach is critical to preventing attackers from moving about undetected inside a network looking for high-value targets after they have breached the perimeter.
The zero trust modelĪnalyst firm Forrester Research coined the term 'zero trust' back in 2010 to describe a security model where anyone and any device attempting to connect to a network asset is treated as untrustworthy. Organizations that want to implement the model, however, need to be prepared to jettison practices based on deeply embedded notions of trusted insiders and the secure corporate network, said security experts at SecurIT, a CSO-organized event on the topic, in San Francisco last month. The zero trust model, centered on the notion that nothing either inside or outside the network perimeter can be trusted without verification, is garnering increasing attention from enterprises struggling to prevent data breaches using conventional approaches.
0 kommentar(er)
