Zero trust

Anyone else?

The National Institute of Standards and Technology (NIST) defines zero trust as “continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.” Some defenses enforcing a zero-trust policy, according to Cloudflare, include network microsegmentation (where each segment requires authorization); device-specific access control (monitoring of all devices on a network); and multi-factor authentication. In 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a zero trust maturity model containing best practices related to identity, devices, networks, applications and workloads, and data.

Secure the perimeter

The zero trust approach aims to provide more protection than the early security mechanism of a moat-like firewall. Zero trust has taken on greater interest as traditional network perimeters have changed and on-premise resources have frequently moved to cloud-based services.

A group of enterprise security pros promoted the idea of “deperimeterization” in the early 2000s. At a Black Hat conference in 2004, Paul Simmonds, one of the founders of the Jericho Forum, told the crowd that businesses had increasingly been opening their networks to partners, consultants, and clients. “What we’re trying to protect is the data on the machines. It’s the data that has value.”

Zero trust believers today see a similar, borderless security picture and sees continuous verification of identities and devices.

0 trust 4eva

“It’s a journey for different organizations who will start with different types of maturity, start at different levels, but the journey will never end,” Ismael Valenzuela, VP of threat research and intelligence at BlackBerry and a SANS Institute instructor, told IT Brew in May 2023.