Comparing Cyber Security Strategies
Zero Trust is most easily understood in comparison to the status quo. Many organizations have a perimeter-based security model, which lacks the protection provided by a Zero Trust approach.
Perimeter-Based: The Castle and Moat
Traditionally, most organizations have adopted a perimeter-based security model. The most common analogy for this model is a castle and a moat. Under a perimeter-based security model, the organization deploys an array of defenses at the network perimeter (the castle wall). The goal of this strategy is to block incoming attacks before they breach the perimeter and impact the organization’s internal systems.
This model is great if it works; if you think about real-world castles though, they can be breached in a number of different ways. Someone within the walls might lower the drawbridge or open a gate for the attackers (like a malicious insider). The attackers may be able to trick their way inside using something that doesn’t appear malicious like the Trojan horse (think phishing emails). The castle walls may have a weak spot that the attackers can use to gain access (like an employee with a weak password).
The perimeter-based security model also suffers from the fact that the traditional network perimeter is rapidly dissolving. With the growth of cloud computing, the Internet of Things, and remote work, the city is rapidly expanding to spill outside the castle walls. Defending the traditional network perimeter leaves a growing percentage of an organization’s data and other assets unprotected and vulnerable to attack.
In the end, the perimeter-based cybersecurity model is a flawed one. It can be overcome in a number of different ways, and once an attacker is inside, the organization is helpless to defend itself.
Zero Trust: Trust but Verify
Zero Trust is designed to overcome the limitations of the perimeter-based security model. It does so by eliminating a key assumption: that everyone inside the network is supposed to be there and is a “good guy.”
If a perimeter-based security model is like a castle, Zero Trust security is designed to be more like a top-secret research facility. Even if you’ve made it in the front door, every wing, room, cabinet, etc. has its own lock. To access anything within the facility, you need to prove that you are who you claim to be and that you have “need to know.”
Zero Trust also makes it possible to implement escalating levels of user authentication and privilege. Getting in the front door of our hypothetical research facility may only require showing a driver’s license, but accessing any room inside may require keycard access. Inside the rooms, there may be safes that require fingerprints, retina scans, voiceprints, etc. Unlike a perimeter-based model, Zero Trust enables data and other resources to have the exact level of protection and access control that they require, providing a balance of usability and security.
Why Do I Want Zero Trust Security?
The rising number of data breaches and other cybersecurity incidents make cybersecurity a top of mind concern. Implementing Zero Trust security can provide a significant return on investment in terms of reduced cybersecurity risk; the average cost of a data breach or ransomware attack is steadily growing. Thwarting even a single attack that would otherwise result in a successful breach goes a long way toward paying off the investment in implementing Zero Trust security.
Beyond the potential ROI, an organization may be subject to external pressures to implement Zero Trust security. Data protection regulations require increasingly stringent security controls to be in place to protect sensitive data. Implementing Zero Trust in advance reduces the likelihood of loss of compliant status or regulatory penalties if an organization’s security strategy does not keep pace with evolving requirements.