No More Chewy Centers: The Zero Trust Model of Information Security
January 13, 2020

by Diana Proud-Madruga

This blog is based on the 2010 Forrester report of the same name.

The old, perimeter-based approach to network security, “hard on the outside and chewy in the center,” isn’t working. It fails on several fronts:

  • It’s impossible to identify trusted interfaces.
  • “Trust but verify” involves too much trust and not enough verify.
  • Malicious insiders are often in positions of trust.
  • Trust does not apply to network traffic.

Zero Trust, introduced by Forrester Research, Inc. in 2010, has a simple view of trust: it doesn’t exist. All network traffic is untrusted. Therefore, security and risk professionals must

  • Verify and secure all resources. If we assume that all network traffic is threat traffic, then we need to protect all data equally, whether accessed internally or externally, and regardless of the data’s location.
  • Limit and strictly enforce access control. Use the latest access control technologies and methodologies that provide minimal privileges and strict access control and implement periodic reviews of employee access rights.
  • Inspect and log all network traffic. Network traffic needs to be continuously inspected and analyzed to detect anomalous or suspicious user behavior and activities as well as enable real-time protection capabilities. One recommendation is to deploy Network Analysis and Visibility tools as part of the security analytics platform.
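As an added illustration (not code from the Forrester report, this post, or Electrosoft), the Python sketch below applies the three principles to each access request: the request is evaluated identically whether it arrives from an internal or an external address, only explicit least-privilege grants are honored (default deny), and every decision is logged so the audit trail can be analyzed. The users, resources, addresses and policy entries are constructed for the example; the perimeter_evaluate function stands in for the “chewy center” model the post criticizes, so the two decisions can be compared side by side.

```python
"""Added example: a minimal Zero Trust policy enforcement point (PEP).

Constructed for illustration; not code from the Forrester report or Electrosoft.
Each request is handled under three rules:
  1. verify every request the same way, wherever it originates;
  2. allow only explicit least-privilege grants (anything else is denied);
  3. log every decision, allowed or denied, for inspection.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress
import json
import logging

logger = logging.getLogger("zt_pep")

# Constructed sample of the old perimeter model: anything "inside" is trusted.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Request:
    subject: str           # authenticated identity; never inferred from the IP
    source_ip: str
    resource: str
    action: str
    mfa_verified: bool
    device_compliant: bool


# Constructed least-privilege policy (hypothetical users and resources).
# Only explicit grants exist; a (subject, resource, action) not listed is denied.
POLICY = {
    ("alice", "hr-db", "read"): {"mfa": True, "compliant_device": True},
    ("alice", "wiki", "read"):  {"mfa": False, "compliant_device": False},
    ("bob", "wiki", "read"):    {"mfa": False, "compliant_device": True},
}

DECISIONS = []   # in-memory audit log; a real deployment ships this to a SIEM


def perimeter_evaluate(req):
    """The 'chewy center' model: trust is granted by network location alone."""
    addr = ipaddress.ip_address(req.source_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def zero_trust_evaluate(req):
    """Return (allowed, reason). The source network plays no part in the decision."""
    try:
        ipaddress.ip_address(req.source_ip)   # validated so the log entry is usable
    except ValueError:
        return _record(req, False, "malformed source address")
    grant = POLICY.get((req.subject, req.resource, req.action))
    if grant is None:
        return _record(req, False, "no explicit grant (default deny)")
    if grant["mfa"] and not req.mfa_verified:
        return _record(req, False, "grant requires MFA")
    if grant["compliant_device"] and not req.device_compliant:
        return _record(req, False, "grant requires compliant device")
    return _record(req, True, "explicit grant matched")


def _record(req, allowed, reason):
    """Rule 3: every decision, allowed or not, is logged with its full context."""
    entry = {"subject": req.subject, "source_ip": req.source_ip,
             "resource": req.resource, "action": req.action,
             "allowed": allowed, "reason": reason}
    DECISIONS.append(entry)
    logger.info(json.dumps(entry))
    return allowed, reason


def denials_by_subject(log=None):
    """Simple analytics over the audit log: denied requests per identity."""
    entries = DECISIONS if log is None else log
    return Counter(e["subject"] for e in entries if not e["allowed"])


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed traffic: an insider on an internal host with no grant,
    # and a remote employee with MFA on a compliant device.
    insider = Request("mallory", "10.1.2.3", "hr-db", "read", False, False)
    remote = Request("alice", "203.0.113.7", "hr-db", "read", True, True)
    for r in (insider, remote):
        print(r.subject, "perimeter:", perimeter_evaluate(r),
              "zero trust:", zero_trust_evaluate(r))
    print(denials_by_subject())
```

Running the script shows the contrast the post draws: the perimeter model admits the insider purely because the request comes from 10.1.2.3 and rejects the remote employee, while the Zero Trust evaluation denies the insider (no grant) and admits the remote employee (grant, MFA and device posture all verified). The DECISIONS log is what the “inspect and log all network traffic” principle feeds into; the denial counter is a placeholder for the analytics platform the post recommends.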

Zero Trust easily integrates into the changing landscape of digital business where users are widely distributed and access to networks can come from both human users and devices. Remote employees and users, the Internet of Things and cloud services have blurred the perimeter. Zero Trust, as a data- and identity-centric model, embraces deperimeterization, scalability and flexibility, allowing for phased implementations, even on legacy systems, as well as the ability to meet future needs.

Zero Trust is a new way of thinking about information security. Adopting the concepts of Zero Trust can make an organization more secure, ease compliance burdens and reduce costs while helping the business build trusted relationships with customers and pursue new business and technology opportunities in a more secure manner. The first two steps in accomplishing this are: (1) changing how you and the entire organization think about trust, and (2) integrating Zero Trust into future planning.

Diana Proud-Madruga, CISSP, is a Senior Security Analyst with Electrosoft.
