parferro.blogg.se

Google BeyondCorp Zero Trust white paper

Access can be given after successful authentication, but in a restricted manner, just like in real life. Zero Trust means that without authentication, no trust is given at all.


Any access to any resource by any user or machine must be authenticated and authorized, regardless of whether the access is attempted from inside or outside the organization’s private network. This means that the way we defend the assets of the organization should change. In the age of virtual private networks (VPN) and cloud services, private resources can be reached very easily from the internet, as there is no longer a definite perimeter with just a small number of entry points. Before, there was a dogma that it was hard to obtain access to private resources from outside the private network, so successfully authenticated users could access any resource on the private network.


There are significant changes in the perimeter approach, which make the rise of Zero Trust quite timely. Zero Trust Architecture is looking to overtake this old-fashioned perimeter approach.


You are trusted if you are inside the perimeter – this could be the motto of any malware developer. In the castle-and-moat model, if authentication is circumvented at the entry point, there are no other mechanisms to prevent malicious activity, as you are inside the perimeter. However, it is well known, as it was in the medieval period, that there is a much easier and more profitable way than a siege, namely sabotage. Both attacking and defending armies were mostly focused on the entry point, just as red and blue teams are focused on network defense tools in this castle-and-moat (network) security model.

The defense of an area with definite boundaries, with the assets concentrated behind the walls of the fortress: this way of thinking reflects the strategic approach of the late medieval and early modern period. Before, common sense was that a private network has definite perimeters with a small number of entry points, and the goal was to protect them.

Though it can be facilitated by one or more products, Zero Trust primarily necessitates a change in approach. It should be pointed out that Zero Trust is not a product, but a model. But what are these theories and practices, and why are they so important? Let’s take a look.

The publication of NIST can serve as both a theoretical and practical guideline, which should be applied to achieve worthwhile changes. Even so, in practice Zero Trust should mean more than just marketing hype, especially given that Joe Biden has ordered that “the Federal Government must adopt security best practices advance toward Zero Trust Architecture”. John Kindervag coined the concept while he was at Forrester in 2009, and Google implemented a Zero Trust Architecture framework, referred to as BeyondCorp, in the same year. Even the management of risks associated with de-perimeterisation was discussed almost two decades ago. De-perimeterisation, the main concept behind Zero Trust Architecture, was defined and promoted on the Jericho Forums, which was founded 20 years ago. The term zero trust has been around for more than 55 years.
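
The contrast between the castle-and-moat model and per-request authentication and authorization described above, as an added example that is not part of the original page. The network range, signing key, identities, grants and requests are all constructed for illustration, and the HMAC token stands in for a real identity provider.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# All names and values below are constructed for illustration.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SIGNING_KEY = b"demo-key-not-for-production"
# Per-identity grants: access is restricted to the listed resources only.
GRANTS = {"alice": {"wiki"}, "build-agent-7": {"artifact-store"}}


def issue_token(identity: str) -> str:
    """Stand-in for a real identity provider: HMAC over the identity."""
    return hmac.new(SIGNING_KEY, identity.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    source_ip: str
    identity: Optional[str]
    token: Optional[str]
    resource: str


def perimeter_allows(req: Request) -> bool:
    """Castle-and-moat: anything already inside the network is trusted."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_allows(req: Request) -> bool:
    """Authenticate and authorize every request; source network is ignored."""
    if not req.identity or not req.token:
        return False  # no authentication, no trust
    if not hmac.compare_digest(req.token, issue_token(req.identity)):
        return False  # token does not prove the claimed identity
    return req.resource in GRANTS.get(req.identity, set())


# Constructed requests: malware on an internal host, and one remote user.
malware = Request("10.2.3.4", None, None, "hr-database")
remote_ok = Request("203.0.113.9", "alice", issue_token("alice"), "wiki")
remote_other = Request("203.0.113.9", "alice", issue_token("alice"), "hr-database")

if __name__ == "__main__":
    for name, r in [("malware", malware), ("remote_ok", remote_ok),
                    ("remote_other", remote_other)]:
        print(f"{name:13} perimeter={perimeter_allows(r)} zero_trust={zero_trust_allows(r)}")
```

The unauthenticated request from an internal address is the only one the perimeter check allows, and it is the one the per-request check denies; the authenticated remote user reaches only the resource granted to that identity.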













