What is Zero Trust?
There has been a lot of talk about Zero Trust, especially since the COVID-19 pandemic. Several questions keep coming up, such as:
What is Zero Trust?
“Zero Trust” isn’t new; it is more than 10 years old. Why so much discussion on this topic?
Is this a tool or concept?
If you are of my generation, you will probably remember that once upon a time we used to be given "cubicles" with CRT monitors. We used to start our day in the morning, complete the work and shut down the computers before leaving for the day. Our professional life was confined to the physical office space. Nothing moved out of the office building.
Then, some of us were provided with laptops so that we could contribute even better; maybe to support late-night meetings with colleagues and customers located on the other side of the globe, to get a bit of flexibility, and so on. Some of us were allowed to connect to the office network via VPN and a few others were allowed to connect via Citrix clients and the like. With this, part of the "work" moved out of the physical office building and blended into our personal space. The office became another nice family member.
A few years later, we thought: why not allow employees to check emails on their personal devices to increase productivity further? There came BYOD, or Bring Your Own Device. So, the nice new family member called "office" even started accompanying us on our vacations.
Then came COVID-19, forcing us to stay home. Even the organizations averse to a work-from-home culture were forced by the circumstances to ask their employees to work from home as a last resort for survival. Gartner forecasted in Jun'21 that 51% of the global knowledge workforce would be remote by the end of 2021. Although employees have started returning to the office, it will not be a 100% office scenario; rather it will be a hybrid scenario, i.e. 2 to 3 days a week from the office and the rest from home.
At the same time, Cloud adoption by organizations has been picking up quite well. This is a parallel phenomenon wherein IT applications and data are being hosted outside the organization's network perimeter in the form of SaaS (Software as a Service), IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and many other Cloud services.
These phenomena have given rise to several Identity Access Management (IAM) use cases such as:
1. Employees working within the "office" building accessing the applications and data hosted within the company-owned Data Centers
2. Employees working from home or vacationing needing access to applications and data hosted within the company-owned Data Centers
3. Employees needing access to applications hosted on public cloud, while the Virtual Private Cloud (VPC) is controlled by the company
4. Employees needing access to SaaS applications, which are hosted neither on the company's public cloud nor in company-owned Data Centers
5. Employees needing access to applications hosted on Private Cloud
6. Use cases #1 through #5 repeat for every contractor, partner or vendor needing access to applications and data
Looking at this closely, the traditional definition of "network perimeter" has become very much blurred. Hence, the assumption that everything "within" the "network perimeter" is "secure" has weakened. Traditionally, the employees or entities sitting behind the so-called "office firewall" were granted higher access privileges. This rests on the assumption that access requests originating behind the office firewall, or within the network perimeter, are trustworthy, whereas access requests originating outside the office firewall are not. With the dilution of the "network perimeter" itself, the assumption about what can and cannot be trusted needs to be revisited. This is where "Zero Trust" comes into the picture.
Zero Trust is a concept; it is neither a product nor a tool nor a solution. It was conceptualized in 2009 by Forrester alum John Kindervag. The concept of Zero Trust is: don't trust anyone, irrespective of whether the user is behind the office firewall or somewhere else. Although I would love to have a one-stop solution to this problem, there isn't any. Like any other security implementation, we need to take a step-by-step approach, starting from strategy and moving to implementation, in adopting Zero Trust.
For now, I will cover the high-level conceptual aspects of Zero Trust based on the NIST publication (NIST Special Publication 800-207):
Everything is considered a resource, covering data, devices and compute services
Secured communication: irrespective of whether behind the firewall or not, ensure secure communication
Session-based, contextual access permissions based on dynamic policies
Strong authentication and dynamic authorization
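To make the contrast between the two trust models concrete, here is a small added example (not from this post, NIST, or any product): a perimeter-style decision that keys on network location, beside a Zero Trust-style decision that evaluates every request per session on identity, authentication strength and device posture. The entitlements, users, resources and the 60-minute session limit are all constructed, hypothetical values.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    resource: str            # e.g. "payroll-db"; everything is a resource
    from_office_network: bool
    mfa_verified: bool       # strong authentication was completed
    device_compliant: bool   # assumed posture check: managed, patched, encrypted
    session_age_min: int     # minutes since the session was established

# Constructed, hypothetical entitlements: which user may reach which resource
ENTITLEMENTS = {"alice": {"payroll-db", "wiki"}, "bob": {"wiki"}}
MAX_SESSION_MIN = 60         # hypothetical limit forcing per-session re-evaluation

def perimeter_decision(req: AccessRequest) -> bool:
    """Traditional model: being inside the office network is the trust signal."""
    return req.from_office_network

def zero_trust_decision(req: AccessRequest) -> bool:
    """NIST SP 800-207 style: network location is not a factor at all.
    The request passes only if identity, authentication and device posture
    all check out, and the session is still fresh enough to be trusted."""
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return False            # dynamic authorization: user not entitled
    if not req.mfa_verified:
        return False            # strong authentication required
    if not req.device_compliant:
        return False            # the device is a resource whose posture matters
    if req.session_age_min > MAX_SESSION_MIN:
        return False            # session-based: stale sessions must re-authenticate
    return True

# Constructed sample requests covering the work-setup journey described above
SAMPLE_REQUESTS = [
    AccessRequest("bob",   "payroll-db", True,  False, True,  5),    # in office, no MFA
    AccessRequest("alice", "payroll-db", False, True,  True,  10),   # from home, all good
    AccessRequest("alice", "payroll-db", True,  True,  False, 10),   # in office, BYOD laptop
    AccessRequest("alice", "payroll-db", False, True,  True,  120),  # from home, stale session
]

def compare(requests):
    """Return (perimeter, zero_trust) decisions side by side for each request."""
    return [(perimeter_decision(r), zero_trust_decision(r)) for r in requests]

if __name__ == "__main__":
    for req, (perim, zt) in zip(SAMPLE_REQUESTS, compare(SAMPLE_REQUESTS)):
        print(f"{req.user:6} office={req.from_office_network!s:5} perimeter={perim!s:5} zero_trust={zt}")
```

Note how the two models disagree on every sample request: the perimeter model waves through the unentitled, un-MFA'd office user and the non-compliant device, while denying the legitimate remote worker.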
In this blog post, I have tried to explain what Zero Trust is and how it is relevant considering how our work environment has evolved. While the Zero Trust coverage in this blog post is largely conceptual, I will be covering the practical implementation considerations for a large organization in a separate blog post. I have tried to focus more on our work set-up journey and how it correlates to the Zero Trust concept, rather than repeating the conceptual details, which you will find in any of the renowned publications such as those from NIST.