Few people would seriously dispute the advantages of a zero-trust security model, particularly in a fast-changing cloud environment with business being conducted by a dispersed workforce using a wide variety of devices. The question is how best to approach zero trust. While there is still no specific definition or standard for a zero-trust model, two primary approaches have emerged: one taking a network-centric approach, the other a data-centric approach. The latter is the better choice.
Zero trust has gained a lot of ground since the term was coined by a Forrester Research analyst in 2010 (though its foundations go further back to ideas that percolated out of the Open Group's Jericho Forum). Google helped popularize the approach with its BeyondCorp framework, but it's still mostly a goal for CISOs rather than a widespread practice. No organization has completely implemented a zero-trust model, though organizations clearly recognize the need for it.
With the prevalence of cloud computing and an ever-increasing number of remote workers as well as mobile and Internet of Things devices, enterprises have long since outgrown their network perimeter. Employees work anytime, from anywhere. Organizations share information, sometimes in situations where they must cooperate with their competition. And even if an organization stores its data with a third party in the cloud, that organization is still responsible for securing that data. Add to that a dynamic threat landscape that is constantly growing in speed, scale, and complexity, and the traditional notion of focusing security on the perimeter doesn't hold.
Perimeter security is still important, of course, but organizations need to extend security out to where business is being conducted. Zero trust replaces the perimeter-centric mindset with one of continuously authenticating and verifying users, devices, and applications, since that's where data—the lifeblood of any organization—is being exchanged. Zero trust is more evolutionary than revolutionary, reflecting how computing has changed and how security needs to evolve toward the data layer.
Despite agreement on the need for zero trust, however, the industry is at a fork in the road on how best to implement it—whether by focusing on the network or the data. As an example, take a look at the National Institute of Standards and Technology (NIST) Zero Trust Architecture framework and the Open Group. Both approaches focus on the two most fundamentally important questions: how to provide security that enables organizations to conduct operations, and how to manage risk. But for a number of reasons, I believe focusing on the data level is the better long-term option.
The reasons for zero trust inevitably lead us into a data-centric approach. From an atomic level—the data level—a data-centric approach affords organizations the flexibility to, for example, establish and enforce policies on top of their security. If someone who has access to certain data but moves to another job where they should not, it can be difficult to go in and manually undo some of the controls that exist around user authentication. But if your policy is to authenticate every time a person tries to access that data, it goes to a policy engine that confirms who they are, where they are, what device they're using, or whatever rules the policy establishes. If something isn't right, that person doesn't get in. A data-centric approach abstracts the complexity out and puts it into a policy enforcement engine, which gives organizations the assurance they need in real time.
Even organizations that rely on legacy infrastructure, such as industrial control systems, have to face the IT/OT integration head on. Network vendors offer zero trust based on "shrinking the network perimeter" through micro segmentation, or dividing the network into small logical segments with security and access controls defined for each. This may be an adequate interim solution but does not address the IT perspective strongly enough. It doesn't go directly to the data. It's still focused on the network.
In today's computing environments, security is more than just the network—it's the applications, the devices, the users, and other levels that need to be secured and monitored for anomalous conditions. A data-centric approach is better able to support the security of a remote workforce, counter potential insider threats, and enable the kind of operations that organizations are aiming for. The network perimeter, while useful, doesn't support the kind of agility that businesses need today.
Zero trust shouldn't be perceived as a purely technical solution, nor will it eliminate all threats. But it is the best model for securing today's fast-evolving computing environments while simultaneously managing security risk. Getting there requires a cultural change in how organizations think of security, which would be best served by embracing a data-centric approach. At the moment, the industry is faced with reconciling the two dominant approaches. Proponents of a data-centric approach don't want to do away with network-centric security—it's still important. Standards groups are working together in hopes of coming to a consensus on the best option, in terms of costs (such as training and retooling) and providing business value. Because data is an organization's most valuable asset, a data-centric approach would provide the best value for organizations, now and in the future.
Altaz Valani, Director of Insights Research at Security Compass, manages the overall research vision and team. He is a regular conference speaker who conducts ongoing research in the software security domain.