There are five different pillars to implement when moving to a modern, zero-trust security model.
Employees are demanding that employers enable flexible workstyles. Apps are moving to the cloud. A company’s device and application mix are increasingly heterogeneous. All of these factors are breaking down the enterprise security perimeter, rendering traditional security approaches obsolete, and paving the way for zero-trust approaches.
Traditional security methods broadly classify everything (users, devices and applications) inside the corporate network as trustworthy. These models leverage legacy technologies, such as virtual private networks (VPNs) and network access control (NAC), to verify the credentials of users outside the network before granting access. The focus therefore is on strengthening the network perimeter and then granting full access to corporate data once credentials are successfully validated. This is sometimes referred to as the “castle and moat” approach, in which the castle refers to the enterprise holding valuable data and applications, while the moat refers to layers of protection aiming to keep potential threats out.
However, in today’s complex IT world, in which users access all types of apps (software-as-a-service, on-prem, native, virtual) from all types of devices (mobile, desktop, internet of things) and from many locations both inside and outside the corporate network, organizations need a security model that is dynamic, flexible and simple. Perhaps the most notable of the emerging security models is zero trust.
“Zero trust” is a phrase first coined by John Kindervag of Forrester in 2010 to describe the need to move security leaders away from a failed perimeter-centric approach and guide them to a model that relies on continuous verification of trust across every device, user and application. It does this by pivoting from a “trust but verify” to “never trust/,always verify” approach. In practice, this model considers all resources to be external and continuously verifies trust before granting only the required access.
This all makes sense in theory, but what does implementing zero trust look like in practical terms? When talking to customers about steps they can take to build a zero-trust security architecture, I focus on five main pillars – device trust, user trust, transport/session trust, application trust and data trust.
For More Details : https://threatpost.com/practical-guide-zero-trust-security/151912/