Fact: The Cloud Simplifies Zero-Trust Transitions
Zero trust requires that you rethink the connections between everyone and everything, including systems sitting next to each other in a data center. You can definitely build a zero-trust security model in an existing on-premises data center, if your network and application teams can cooperate.
However, many IT groups find adding security barriers to replace a network free-for-all inside an office building or an existing data center very challenging. When applications are forklifted out of the data center and moved to the cloud, the move presents a natural opportunity to put in the security barriers that zero trust requires. For forward-looking IT groups, a cloud deployment is the ideal time to start deploying a zero-trust model at both the network and the application layers.
Fact: Zero Trust Makes A VPN Unnecessary
With zero trust, all user-to-server communication channels should be controlled, authenticated and authorized. (The same goes for server-to-server communications.) In the 1990s, the standard tool to do this was an IPsec VPN, and that tool still has its place in the IT manager’s toolbox to solve problems with legacy applications or very small or specialized user communities.
But the zero-trust idea of control, authentication and authorization doesn’t overlay well with typical IPsec VPN implementations, because they usually have weak controls, broad-based authentication (a single credential grants access to the whole network) and no per-application authorization model at all.
Instead, application-specific encryption provides protection against eavesdropping or man-in-the-middle attacks, while also delivering a strong authentication model. Of course, you can always layer that on top of a VPN connection — and many IT leaders may choose to do that during a transition period or to accommodate legacy applications. But over the long term, the combination of application-specific authentication and encryption along with a move of many applications to cloud hosting services spells the end of VPNs for general purpose access to corporate networks.
Fallacy: Zero Trust Is a User-Focused Security Initiative
Zero trust is not just about users. It’s about not trusting anyone or anything just because of where they are. What this means is that users who are on corporate Wi-Fi shouldn’t be trusted any more than users who are connecting from their home offices.
In the early days of networked computing, security professionals rallied around the expression “a crunchy shell around a soft, chewy center” to describe network security. Firewalls provided the crunch in the form of access controls. Things outside the “chewy center” faced strong access controls, but everything inside the firewalls was implicitly trusted.
Zero trust sweeps away this idea. Instead, every server, every network access point and every application should have its own crunchy shell that provides the services of access control, typically coupled with authentication and authorization.
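To make the contrast between the two sections above concrete (the VPN-style model that grants broad access by location, versus a per-application shell that authenticates and authorizes every request), here is a small added example that is not from the article. It models both decisions side by side: the perimeter model trusts any request from a constructed corporate address range, while the zero-trust model ignores the source address and instead verifies a signed identity token and checks a per-application policy. The token format, signing key, IP ranges, user names and policy table are all constructed for illustration; a real deployment would use tokens issued by an identity provider and verify them against the issuer's key.

```python
"""Added example (not from the article): perimeter trust vs. a per-application
zero-trust shell. Every name, key, address and policy below is constructed."""
import base64
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass

# Constructed demo key. A real shell would verify an IdP-issued token
# (e.g. an OIDC token) with the issuer's public key, not a shared secret.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Constructed "corporate" range: the perimeter model trusts anything in here.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")

# Per-application authorization policy: which authenticated subjects may
# reach which application. Each application enforces this for itself.
APP_POLICY = {
    "payroll": {"alice"},
    "wiki": {"alice", "bob"},
}


def issue_token(subject: str) -> str:
    """Mint a demo token of the form base64(payload).hmac (stands in for an IdP)."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject}).encode()).decode()
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str):
    """Return the authenticated subject, or None if the token is missing or forged."""
    if not token or "." not in token:
        return None
    payload, sig = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


@dataclass
class Request:
    app: str
    source_ip: str
    token: str = ""


def perimeter_decision(req: Request) -> bool:
    """'Crunchy shell, chewy center': being inside the corporate network is enough."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NET


def zero_trust_decision(req: Request) -> bool:
    """Per-application shell: authenticate the caller, then authorize for this app.
    The source address plays no part in the decision."""
    subject = verify_token(req.token)
    if subject is None:
        return False  # no identity, or a forged token: denied even from the office LAN
    return subject in APP_POLICY.get(req.app, set())


def compare(req: Request) -> dict:
    """Evaluate one request under both models."""
    return {"perimeter": perimeter_decision(req), "zero_trust": zero_trust_decision(req)}


def tamper(token: str) -> str:
    """Flip the last signature character to simulate a forged token."""
    return token[:-1] + ("0" if token[-1] != "0" else "1")


if __name__ == "__main__":
    samples = {
        "office PC, no identity, payroll": Request("payroll", "10.1.2.3"),
        "home, bob, wiki": Request("wiki", "203.0.113.7", issue_token("bob")),
        "home, bob, payroll (not authorized)": Request("payroll", "203.0.113.7", issue_token("bob")),
        "office PC, forged alice token, payroll": Request("payroll", "10.1.2.3", tamper(issue_token("alice"))),
    }
    for label, req in samples.items():
        print(f"{label}: {compare(req)}")
```

The perimeter column says "yes" to the office PC with no identity at all and "no" to a legitimate remote user, which is exactly the trust-by-location the article argues against; the zero-trust column admits the remote user to the one application she is authorized for and nothing else, and rejects the forged token even from inside the building.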
Fallacy: Zero Trust Is Just Another Buzzword Designed to Sell Security Products
Zero trust isn’t a marketing ploy. Companies around the globe are being hit hard with data breaches and break-ins. Post-mortems around most of these security incidents come to a simple conclusion: We trusted someone or something that we shouldn’t have, and that’s how the breach occurred.
In the data center, not every server joined to a Windows domain is equally well managed and protected — but when the weakest server becomes an entry point for cybercriminals, the nature of the trust relationship in the data center makes it easy for attackers to move laterally to other systems, escalating privileges and access as they go.
The same is true for end users. Just because an end user’s PC is connected to the network in your headquarters doesn’t mean the user can be trusted to connect to every bit of network and server infrastructure on the corporate campus.
Getting rid of this overly generous model of trust in corporate networks dramatically reduces the risk of data breach and system compromise. That’s no buzz — it’s a better way to design and run an organization’s applications and infrastructure.