From the course: Tech Trends

Zero trust

(futuristic upbeat music) - For a long time, the security model used by corporate networks has been based on the idea of a security perimeter: that is, protected resources are connected to a network that's kept secure from the outside, and any device within that protected network is able to use resources available on the network. And that model worked pretty well for a long time, but times have changed. We don't all work in an office on a PC wired to the wall using internal systems anymore. Now we have to consider things like cloud services, mobile devices, remote workers, threats from bad actors, ransomware, data breaches, and so many other things that the old model of a single secure perimeter just isn't well equipped to handle. In fact, many companies don't even have a single physical location where work takes place, and all their resources are accessed remotely by geographically diverse employees. So how do we keep up with these changes and access requirements while maintaining security? We get rid of that secure perimeter and move security evaluation to individual services, devices and users. This is called the zero trust security model. And while the ideas behind it have been around for decades, it's starting to gain traction in our ever more connected world. Zero trust turns our legacy model of network security almost inside out. Instead of maintaining a secure perimeter within which everything is automatically trusted, with zero trust there is no single perimeter, and each device and interaction between systems comes with its own authentication and authorization steps rather than being trusted simply because it's within a secure network. In this model, individual devices, users, services and interactions are specifically authorized using a variety of different systems.
Devices like computers, tablets and phones are enrolled into an access management system and are provided certificates or other credentials they use to prove their identity. Whether they're attached to the corporate network through ethernet or they're on a wireless connection at a cafe, the access management system determines whether devices are what they say they are and whether they're allowed access to protected resources. These access management systems can also evaluate device health, that is, whether a device is running a specific version of software, whether it has unapproved software installed and so on, to protect a system from unauthorized or compromised devices. If a device check fails, or if a user tries to access protected resources from an unapproved device, their request can be denied. User control is handled by identity providers, services which designate which users are allowed to use which services and which devices for which tasks. Users might use a username and password, and they may also have a certificate or other token that provides a second security factor. In many cases, a user's identity is treated as a single entity; that is, we don't have one username and password for one service and a different set of credentials for another. Our identity token is used for the services we access, ensuring that access is granted to a person, not simply to a username. Resources that users need to access also vouch for themselves using similar services. When we access a resource like a database or a payroll system, our device and the security system check that the remote resource is what it says it is, to avoid impersonation of secure resources. This is called mutual authentication, and it's a core principle of the zero trust model. Another core principle of zero trust is that there's no implicit trust of a device, of a user or of a resource. It doesn't matter if the CEO's computer is plugged into the corporate network in her office at the company headquarters.
It's still subject to all these control checks at various levels for each task it needs to perform. Imagine that you need to access some information from a database. In a zero trust system, when you make that request, the system will check whether the device you're using is approved, and it will check whether you're allowed access to it. The system will check whether you're permitted to access the specific data you're requesting. You might be provided a session key, that is, an authorization specific to the single interaction you're performing which can't be used for any other request. Each of these checks helps to control the security of information and helps to prevent bad actors or malware from spreading throughout a network. And in most cases, each of these verifications and requests will be logged in an auditable system. Intelligent systems can be used at many points of this process as well, to detect suspicious patterns of access or to learn what likely patterns of access look like. This can help administrators identify malicious activity more easily than with manual methods. All these interactions take place through encrypted communication channels, making it more difficult for bad actors to read the data exchanged between devices. This approach of using many layers of security is often called defense in depth. Zero trust is becoming a key concept in designing information access systems, and cloud and enterprise service providers like Microsoft, Google, Amazon, Oracle and many others offer case studies, white papers, reports and other resources to demonstrate its benefits and how it can be used in a variety of scenarios. Building a zero trust system takes planning and coordination, and how you might apply it will depend on your needs and security requirements.
The number of access controls and levels of security that zero trust entails can sound a little bit paranoid, but this model enables us to securely access resources in the cloud or in our data center, from mobile devices or from onsite systems, while allowing specific controls and auditable logs. We'll hear a lot more about zero trust in coming years as the model is more widely adopted. And while we can't fully prevent security problems, the zero trust security model provides a robust way of mitigating security risks while enabling the modern mobile workforce.
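The per-request flow described above (device identity and health, user identity with a second factor, entitlement to the specific resource and action, a session token that is good for one interaction only, and an audit record for every decision) can be made concrete in a small policy decision point. The following Python is an added illustration and is not code from the course or from any vendor named in it; the enrolled devices, entitlements, version floor and shared secret are constructed for the example, and the `source_network` field exists only to show that the policy never consults it.

```python
"""Toy zero-trust policy decision point (added illustration, not course code)."""
from dataclasses import dataclass, asdict
import hashlib
import hmac
import json
import secrets


@dataclass(frozen=True)
class Request:
    """One access request. Every field is re-evaluated on every request."""
    device_id: str
    device_fingerprint: str   # fingerprint presented by the device's certificate
    os_version: str
    unapproved_software: bool
    user: str
    mfa_verified: bool
    resource: str
    action: str
    source_network: str       # carried for logging only; policy ignores it


# Constructed inventory and policy data (assumptions for this example).
ENROLLED_DEVICES = {"laptop-ceo-01": "fp-3f9a", "tablet-hr-07": "fp-77c1"}
MIN_OS_VERSION = (14, 0)
ENTITLEMENTS = {  # identity provider view: user -> resource -> allowed actions
    "ceo": {"payroll-db": {"read"}, "wiki": {"read", "write"}},
    "hr-clerk": {"payroll-db": {"read", "write"}},
}
SERVER_SECRET = b"constructed-demo-secret"  # a real deployment keeps this in a KMS/HSM
AUDIT_LOG: list[dict] = []
_UNUSED_NONCES: set[str] = set()


def _version(s: str) -> tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))


def check_device(req: Request) -> list[str]:
    """Device identity and health; returns failure reasons (empty list = pass)."""
    reasons = []
    if ENROLLED_DEVICES.get(req.device_id) != req.device_fingerprint:
        reasons.append("device not enrolled or certificate mismatch")
    if _version(req.os_version) < MIN_OS_VERSION:
        reasons.append("os version below minimum")
    if req.unapproved_software:
        reasons.append("unapproved software present")
    return reasons


def check_user(req: Request) -> list[str]:
    """User identity (second factor) and entitlement to this exact resource/action."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("second factor not verified")
    if req.action not in ENTITLEMENTS.get(req.user, {}).get(req.resource, set()):
        reasons.append(f"user not entitled to {req.action} on {req.resource}")
    return reasons


def _mac(nonce: str, user: str, device_id: str, resource: str, action: str) -> str:
    msg = "|".join([nonce, user, device_id, resource, action]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_session_token(req: Request) -> str:
    """Single-use token bound to this user, device, resource and action."""
    nonce = secrets.token_hex(8)
    _UNUSED_NONCES.add(nonce)
    return f"{nonce}.{_mac(nonce, req.user, req.device_id, req.resource, req.action)}"


def redeem_token(token: str, user: str, device_id: str, resource: str, action: str) -> bool:
    """Accepts a token once, and only for the tuple it was issued for."""
    nonce, _, mac = token.partition(".")
    expected = _mac(nonce, user, device_id, resource, action)
    if nonce not in _UNUSED_NONCES or not hmac.compare_digest(mac, expected):
        return False
    _UNUSED_NONCES.discard(nonce)  # burn it: presenting the same token again fails
    return True


def authorize(req: Request) -> dict:
    """Policy decision for one request; every outcome lands in the audit log."""
    reasons = check_device(req) + check_user(req)
    decision = {"allowed": not reasons, "reasons": reasons, "token": None}
    if decision["allowed"]:
        decision["token"] = issue_session_token(req)
    AUDIT_LOG.append({"request": asdict(req), "allowed": decision["allowed"], "reasons": reasons})
    return decision


if __name__ == "__main__":
    ceo = Request("laptop-ceo-01", "fp-3f9a", "14.2", False, "ceo", True, "payroll-db", "read", "corp-lan")
    print(json.dumps(authorize(ceo), indent=2))             # allowed, with a one-shot token
    on_lan_write = Request("laptop-ceo-01", "fp-3f9a", "14.2", False, "ceo", True, "payroll-db", "write", "corp-lan")
    print(json.dumps(authorize(on_lan_write), indent=2))    # denied: being on the LAN buys nothing
    print(json.dumps(AUDIT_LOG, indent=2))
```

Two points in the design mirror the narration: the decision function never reads `source_network`, so the CEO's laptop on the headquarters LAN gets exactly the same checks as a tablet in a cafe, and the token is keyed to one (user, device, resource, action) tuple and invalidated on first use, so it cannot be reused for a different request or replayed. Transport-level mutual authentication between the device and the resource is assumed to happen below this layer and is not modelled here.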