Why companies are moving to a ‘zero trust’ model of cyber security


The latest catchphrase in cyber security might as well be “don’t trust anyone — or anything.”

The zero trust model of security, which takes the approach that no users or devices are to be trusted without continuous verification, continues to gain momentum as organizations look to stay ahead of bad actors and avoid breaches.

Given what’s going on in Ukraine, the accompanying world tensions, and the constant concerns about Russian-sponsored hackers, the time for such an approach to cyber security seems especially fitting.

The term “zero trust” has taken on multiple meanings as vendors scramble to take advantage of the high interest level. But the definition the National Institute of Standards and Technology (NIST) puts forth is likely the most accepted: “Zero trust is the term for an evolving set of cyber security paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.”

With zero trust, authentication and authorization are discrete functions that cybersecurity teams perform before granting access to any digital resources. It’s become far more important in the age of remote/hybrid work, the rise in cloud services and ubiquitous mobile devices.

Growth in the market

Demand for products that support zero trust is on the rise. Research firm Markets and Markets projects that the global zero trust security market will grow from $19.6 billion in 2020 to $51.6 billion by 2026. The major factors driving the market include the growing frequency of target-based cyber attacks and increasing regulations for data protection and information security.

Attackers that have a specific target in mind go after end-point devices, networks, cloud-based applications, and other IT infrastructure components. The primary motive behind such attacks is to steal critical information, the report said. These attacks can result in business disruptions, intellectual property theft, financial loss, and loss of critical and sensitive customer information.

The U.S. federal government is making a big push toward zero trust. In January, the Office of Management and Budget released a memorandum that mandates a federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cyber security standards and objectives by the end of fiscal year 2024.

The goal of the initiative is to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns, OMB said. “Those campaigns target federal technology infrastructure, threatening public safety and privacy, damaging the American economy, and weakening trust in government,” the agency said.

In the current threat environment, the federal government can no longer depend on conventional perimeter-based defenses to protect critical systems and data, according to the memorandum. A transition to a zero trust approach to security provides a defensible architecture for this new environment.

Also in January, the U.S. Defense Information Systems Agency (DISA) awarded a $6.8 million contract to Booz Allen Hamilton to execute Thunderdome Prototype, a zero trust security platform that it said aligns with a May 2021 executive order from the White House aimed at improving the nation’s cyber security.

During the six-month effort, the agency will test how to implement DISA’s Zero Trust Reference Architecture, which it published in March 2020 for the Department of Defense. It will do this by deploying technologies such as secure access service edge (SASE) and software-defined wide area networks (SD-WAN).

Thunderdome will also incorporate enhanced cyber security focused on data protection, and integrate with existing endpoint and identity management initiatives that are part of the zero trust effort.

DISA said Thunderdome will greatly help to defend and guard systems against sophisticated adversaries, and help modernize the agency’s cyber security infrastructure as well as improve user access to cloud-hosted applications. The deployment of Thunderdome as a new security model will achieve DoD’s overall goals to integrate network and security solutions in the cloud and enhance the protection of end-user devices, DISA said.

Aside from the recent government actions, there are three key trends underway with zero trust, says David Holmes, a senior analyst at Forrester Research focused on security and risk.

The first is that organizations are centralizing and improving their approach to identity management, which is a key component of the zero trust architecture. More are implementing technologies such as identity and access management, multi-factor authentication and single sign-on.

The second trend began during the pandemic, when organizations replaced their virtual private network (VPN) access with zero trust network access (ZTNA). “We talked with 43 organizations using ZTNA, and of those 26 said they had migrated away from VPN toward zero trust for better performance,” Holmes says.

And the third trend is a return to looking for improved security of local networks with zero trust, using technologies such as microsegmentation. “Some of these efforts were underway prior to the pandemic, but were put on hold during that time and organizations are starting to look at it again,” Holmes says.

Use cases for zero trust

There are two main use cases for zero trust among organizations today, Holmes says. One is pushing toward an overall zero trust security strategy, and the other is solving one or two specific problems—such as access — with zero trust.

“My advice to the first group, who are finding themselves in the throes of roadmap creation, is to do a zero trust gap analysis and then prioritize subprojects” such as identity and access management, multi-factor authentication, single sign-on, ZTNA and microsegmentation, Holmes says.

For the second group looking to address specific, tactical problems, Holmes advises that organizations make sure that their zero trust deployments are actually followed through and that the conventional systems they replace are indeed retired.

“For example, instead of just buying and deploying, ZTNA, ensure that [the] VPN is also deprecated,” Holmes says. “If a microsegmentation project is deployed, ensure that it gets put into enforcement mode and not just alerting mode.”

Regardless of the approach, it seems that zero trust as a cyber security approach is here for the long haul.