The movement to remote work environments has added significant changes to how organizations operate.
Employees are now accessing work-cloud environments using approved and unapproved devices through personal networks that may not be secure. Many organizations are now also becoming stewards of personal health data they previously did not collect, such as temperature checks.
With the possibility of these changes running well into the next year, CISOs and CIOs are ramping up their security efforts and talking about new security models. One such security model, Zero Trust, is changing the way we think about security.
Zero Trust helps organizations to continue operating while providing a flexible security architecture that goes beyond traditional network boundaries.
Zero Trust has recently garnered a lot of interest among many organizations. It is an evolution of traditional security models and was coined by Forrester Research in 2010. Prior to that, Jericho Forum had also proposed similar ideas.
Standards groups, like The Open Group and NIST, are actively working on this evolution of security. The Open Group, for instance, recently held a conference on Zero Trust architecture, and NIST released their latest draft for 800-207.
What is Zero Trust?
It is not a technology, but rather a framework built on the assumption that all devices and systems — even those within the network perimeter — are already compromised. It uses the guiding principle to trust no one; even if they are trusted today, there is no implicit trust tomorrow.
Traditional network-centric models of security quickly break down in this scenario. What we need to do is to move up the technology stack to focus on our application and data layers.
Zero Trust continues to expand into organizations. A 2019 IDG survey found that 47 percent of cybersecurity professionals are actively researching how to implement Zero Trust in their environments, 11 percent have employed the Zero Trust model in their environment, and a further 8 percent are piloting solutions.
Benefits of a Zero Trust security model
There are several benefits of moving away from a network-centric model to a data-centric approach for security. It enables the creation of a loosely-coupled, fine-grained security architecture.
This, in turn, allows business processes to utilize applications through several security parameters around user, application, and data. Even if a device is compromised, the data-centric security model prevents unauthorized access to the information. This provides more agility for many business scenarios — such as co-opetition, supply chain, and cloud computing.
Implementing Zero Trust in the cloud
Businesses are increasingly migrating to the cloud environment — whether through Software as a Service (SaaS) or as a platform for iterative software development in a microservices architecture (PaaS) that enables rapid delivery.
In a cloud context, Zero Trust enables the rapid scaling of computing resources based on business needs while protecting the data in a third-party infrastructure. It requires visibility into three major components: the cloud apps, access rights, and the data being stored.
Applications like Office 365 and G Suite have made collaboration in the work-from-home environment much better. These offerings however also bring with them the risk of unauthorized access to data. Securing these apps requires policy enforcement as well as prevention protocols at multiple levels — only then can data remain secure.
As mentioned earlier, several organizations are moving to cloud environments to accelerate processes. However, the delivery of business solutions must also be balanced with organizational risk. This means that applications must be built within the guardrails of a Zero Trust framework. Data stored in the cloud needs to have access protocols enforced at multiple levels. In many cases, two-factor authentication and role-based permissions are required. For organizations that build their own applications, these security requirements are integrated into the code.
Balanced Development Automation as a Zero Trust enabler
While Zero Trust is a paradigm, a Zero Trust Architecture (ZTA) applies those principles in the form of a plan that can be applied directly to the development of enterprise software and systems.
Application and data centricity
A critical aspect of ZTA is that it shifts the focus of protection from the network infrastructure to the application and data. It encompasses changes to both authentication and authorization for access to enterprise assets. Unlike perimeter-based security architectures that force enterprise applications to be deployed within a network fence, ZTA brings security into the applications and data.
Across the DevSecOps lifecycle
Balanced Development Automation enables Zero Trust because of its layered approach. Development teams can implement specific security requirements and use cases across each stage of the software development life cycle.
Operations teams can benefit from infrastructure hardening guidance. Balanced Development Automation (BDA) solutions like SD Elements are perfectly suited to help with this process by referencing official regulations, code samples, best practices and educational content specific to ZTA from a central library and identifying the items relevant to a given enterprise asset.
A key tenet of Zero Trust is the continuous monitoring and measurement of the security posture of all digital assets covered by ZTA.
BDA focuses on a continuous process of testing and monitoring against the risk status of enterprise applications. It provides a view of known vulnerabilities to assets and a reporting system that offers full visibility across the enterprise.
This approach also collects as much information as possible about the current state of digital assets that might present a risk and uses that information to improve policies, processes, and their enforcement.
BDA solutions like the SD Elements platform already offer these capabilities through pre-built integrations or custom integrations that can perform a ‘pulse check’ on the full stack applications across the DevSecOps toolchain.
Content library for security requirements
BDA solutions can provide DevOps teams with a mechanism to define organizational and asset level security, risk or compliance policies in a digital format that can be used to drive the requirements and monitor the status of key elements of a ZTA implementation.
While the ZTA implementation itself would enforce the policies in a running system, a BDA solution can ensure the rules and security logic that is required in an application are captured and assigned to the teams that build and deploy the applications in an enterprise.
Evolving practices in Zero Trust
Zero Trust is not just a buzzword — it's an evolutionary security framework that takes into account today’s highly distributed cloud and microservices applications. A traditional network-centric model does not scale effectively when we consider that, by itself, it does not easily address insider threats or external authentication breaches.
We need several layers all the way down to the data. Ideally, organizations find solutions that enable flexibility in determining security policies, that are in line with enabling the business, while managing security risk. Simply, it's focused on going fast while staying safe with a BDA solution.
Companies that currently take a balanced development approach will have a head start if they decide to adopt a Zero Trust Architecture. As best practices, designs, and implementations continue to evolve for ZTA, it should be a seamless transition to include these in existing BDA activities and monitor the implementation and effect on risk and security posture across the organization.
If you want to learn about the business value of Zero Trust security, listen to our latest podcast.
About the AuthorMore Content by Trevor Young