Zero Trust vs. Perimeter-Based Security
July 2, 2021
Featured article by Susan Melony, Independent Technology Author
Nothing stays the same in cybersecurity, and that’s certainly true when it comes to the general approach and model many organizations are moving toward.
Zero Trust cybersecurity is not necessarily a new term, but it has become increasingly relevant, largely because of the COVID-19 pandemic. With remote and dispersed employees, Zero Trust models are rapidly becoming the go-to approach.
So how does a Zero Trust model compare to a traditional perimeter-based security model? We cover what to know and compare the two below.
What is a Zero Trust Model?
First, what exactly is a Zero Trust cybersecurity model?
The idea is that no user or device should be inherently trusted, whether it’s inside or outside the system.
There’s no trusted internal network versus an untrusted external network.
Rather, access is based on the user and not the location, network, or device.
What About Perimeter-Based Security Models?
Before the widespread implementation of Zero Trust, there was the perimeter-based approach to network security.
The core idea here is that anyone inside the corporate network is trusted, and anyone outside isn’t. This has been the preeminent cybersecurity model for more than 20 years.
However, the past decade has highlighted many of the flaws in this model.
Along with perimeter-based security often comes layered security. Layered security meant that IT teams would put perimeters of security around individual assets. The idea was that an attacker would need to go through multiple security layers to get access to critical assets.
Authorized users, on the other hand, could go past these layers of security because they’d already be in the perimeter. Then they would log into a machine that would give them IT resource access.
The perimeter and layered approach made more sense when the network was almost entirely on-premises and often Windows-based. The first ring of security would usually be focused on identity. That meant a user would need access to a domain. Then, the layer after that might have been anti-malware protection. From there, a third layer would often focus on data and applications.
The outer layer would be the network perimeter itself, with VPNs, firewalls, intrusion detection, and other security features.
Why A Zero-Trust Model Is So Important Now
There are a couple of reasons, in particular, why the Zero-Trust model is fast becoming the dominant approach to cybersecurity.
First, networks aren’t on-premises. Second, networks aren’t Windows-based anymore either.
The mobile and remote workforce means that Zero Trust is probably here to stay.
The assumption with Zero Trust is that a network has been compromised. Every user and device has to prove that they aren’t an attacker. There is strict identity verification, even if a user or device is already in the network.
Even once a user accesses the network, they have limited access.
Steps in Implementing Zero-Trust
Moving from a traditional perimeter-based approach to Zero-Trust doesn’t happen overnight. It takes time and planning. The goal is to verify everything and never to inherently trust it. However, you don’t want to create blocks for the user that diminish productivity. It’s a lofty objective.
While it can look somewhat different for every organization depending on individual needs, the following are some of the steps often included in the process.
- What happens for many organizations is that as they work to begin implementing Zero Trust, they have a combination of non-integrated on-premises and cloud applications. There’s fragmentation that has to be dealt with by IT.
- This brings about the need for Identity and Access Management (IAM). This is often the first actual step that has to be completed. That means consolidation of fragmented identities under a single IAM system across the cloud and on-premises. For example, this might specifically include single sign-on. Then, there might be a second authentication factor layered on that.
- There is often the inclusion of context-based policies. That means that there are signals gathered about the context of each user, such as device and location context.
- The next part of the process for Zero Trust is a focus on authorizing and authenticating access.
The National Institute of Standards & Technology (NIST) has outlined principles of a Zero-Trust architecture. These include:
- All data sources and computing services are considered resources under this model.
- Regardless of network location, all communication is secure. Network location doesn’t indicate trust.
- A per-connection basis is used to grant access to individual resources. The trust of the person requesting access is evaluated before access is given.
- Policy determines resource access. It may be based on user identity as well as behavioral attributes.
- An enterprise, under this approach, makes sure that all owned, as well as associated systems, are as secure as possible. There is ongoing systems monitoring to ensure continual security.
- User authentication is considered dynamic and is strictly enforced. The cycle includes continual access, scanning for and assessing threats, adapting and continual authentication.
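A minimal policy check contrasting the two models, added here as an illustration (it is not from the original article). The users, resources, address range and signal names are constructed assumptions; real deployments take these signals from an IAM system and device management.

```python
import ipaddress
from dataclasses import dataclass

CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed "internal" range

# Constructed entitlements: which user may reach which resource.
ENTITLEMENTS = {"alice": {"payroll-db"}, "dev-bob": {"build-server"}}

@dataclass
class Request:
    user: str
    source_ip: str
    resource: str
    mfa_passed: bool
    device_compliant: bool
    usual_location: bool  # context signal: location matches the user's history

def perimeter_decision(req):
    """Perimeter model: trust follows network location, nothing else is checked."""
    inside = ipaddress.ip_address(req.source_ip) in CORP_NET
    return "allow" if inside else "deny"

def zero_trust_decision(req):
    """Zero Trust model: every request is evaluated; source_ip is never consulted."""
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return "deny"      # authenticated is not the same as authorized
    if not req.device_compliant:
        return "deny"      # unhealthy device, even with a valid user
    if not req.mfa_passed or not req.usual_location:
        return "step-up"   # require a second factor before granting access
    return "allow"

# Constructed requests.
# 1) Stolen developer password used from a host already inside the network,
#    asking for a resource that developer was never entitled to.
stolen = Request("dev-bob", "10.2.3.4", "payroll-db", False, False, False)
# 2) Legitimate remote employee on a managed laptop, outside the network.
remote = Request("alice", "203.0.113.7", "payroll-db", True, True, True)
# 3) The same employee connecting from an unfamiliar location.
travel = Request("alice", "198.51.100.9", "payroll-db", True, True, False)

def compare(req):
    """Return (perimeter verdict, Zero Trust verdict) for one request."""
    return perimeter_decision(req), zero_trust_decision(req)

if __name__ == "__main__":
    for name, req in [("stolen", stolen), ("remote", remote), ("travel", travel)]:
        print(name, compare(req))
```

The perimeter check admits the stolen credential because it originates inside the network and rejects the legitimate remote employee; the per-request policy reverses both outcomes.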
Overall, there are many organizational benefits that stem from using a Zero-Trust approach.
Specific benefits can include:
- It’s easier to detect and stop phishing emails that target employees.
- This approach can be effective at stopping lateral movement if there’s a breach, whereas with perimeter-based security, once a bad actor has access, they can move about in an unlimited way.
- It protects against something like a stolen developer password or the exfiltration of a database by a compromised application host.
- Micro-segmentation can prevent data breaches in general and keep lateral movement contained.
- It’s possible to have more visibility into workloads, devices, users, and components across the environment.
- Zero-trust puts an emphasis on continuous monitoring for signs of compromise.
- There’s enhanced organizational security but also consistency in the user experience.
- Regardless of the underlying infrastructure, it’s possible to implement security protection across multiple environments.
Overall, Zero-Trust is likely going to be the pre-eminent approach to cybersecurity for organizations of all sizes moving forward. There’s a high probability it will replace perimeter-based cybersecurity even in very small organizations because of the benefits.