Trust No One: The Rise of Zero Trust Networks

Wayne Dorris -
Illustration: © IoT For All

Not so long ago, a secure network meant a good antivirus program, and maybe a strong firewall to go along with it. Unfortunately, those days are now behind us. The network “perimeter” has become difficult to define, with modern innovations like cloud computing and remote network connections resulting in a more nebulous—and difficult to protect—network edge. Today, everything from smartphones to surveillance cameras and self-driving cars is connected to the internet, and as connected devices have proliferated, cybercriminals have grown more sophisticated.

These new developments have given rise to new cybersecurity strategies, and the concept of “zero trust” has emerged as a common theme. In a zero trust network, no entity connecting to or operating within the network is assumed to be trusted and must verify its identity repeatedly and in a number of different ways. Today, any endpoint represents a potential gateway into the network—and at a time when IoT devices are everywhere, strong, zero trust authentication is more important than ever.

How Does Zero Trust Work?

President Reagan famously employed a philosophy of “trust, but verify.” In the cybersecurity world, zero trust goes one step further: never trust, always verify. It’s an important distinction: in a zero trust environment, it doesn’t matter how you connect to the network, and it doesn’t matter whether you appear to be a human or a machine—you still need to verify your identity. This means that you can’t simply enter a password and do whatever you please. You’ll need to continually justify your presence as you move throughout the network.

This approach is made possible by micro-segmentation, a security strategy in which different levels of security are applied to different areas of the network as appropriate. Using micro-segmentation, network security can be made extremely granular, and any entity accessing the network must provide continuous authentication. That entity will be granted the minimum amount of access required to complete its task, and if it wishes to go beyond those restrictions, it will once again have to prove that it has the right to do so. This means that even those already operating within the network cannot simply access anything they please, and anomalous behavior such as attempting to access data outside the usual scope of work can raise a red flag for security teams.

This is what allows zero trust to shine. Even a valid set of login credentials can raise red flags if those credentials are then used, for example, to download research and development files in the middle of the night or to exfiltrate valuable data from the network. Once the behavior has been flagged as anomalous, security personnel can be notified, or additional authentications can be asked for, demanding that the potential intruder once more justify their presence in the network. Because the default position in a zero trust network is that no one can be trusted, alarm bells can be raised at the very first sign of trouble.

Devices Have Identities, Too

Zero trust is built on enforcing rules, and that means organizations getting started with the technology will need a policy engine to establish those rules. Essentially, a policy engine grants permissions to network users through a combination of network analytics and pre-programmed rules, comparing any network request to the established policies. It is up to organizations to determine the appropriate rules for firewalls, email and cloud security gateways, and other tools. This is the backbone upon which micro-segmentation is built, and it is what makes zero trust architecture possible.

With rules in place, tools like identity and access management software can make it easier than ever to implement a zero trust architecture. As the proliferation of network endpoints makes networks increasingly vulnerable to attack, it becomes more important than ever to ensure that devices authenticating onto the network are who and what they claim to be. Cybercriminals aren’t just after credentials anymore—they’re looking to compromise devices. Zero trust works to ensure that one compromised device cannot bring down an entire network. After all, IoT devices like network cameras are designed to keep people and property safe, and cybersecurity has become a major part of a comprehensive approach to safety.

Of course, a successful zero trust architecture relies on having the right tools in place, and this is where blockchain comes into play. Since blockchain is an open, distributed ledger that is both verifiable and permanent, it is the perfect technology to support zero trust architecture. A device can be provided with immutable credentials by building the identifiable parts of that device into the blockchain, and no data transaction can be changed without consensus from all preceding transaction nodes.

Blockchain, despite its reputation, is about much more than cryptocurrency. There are both public and private blockchain implementations that organizations can use to support zero trust networking, making the technology an increasingly important part of the cybersecurity world.

Zero Trust Is the Future

The necessity of zero trust is unfortunate. Wouldn’t it be wonderful to be able to trust the good intentions of any person or device logging onto a network? Sadly, that isn’t the world we live in. Cybercriminals are always looking to exploit vulnerabilities, and as new and innovative devices blanket the network edge, many sense an opportunity to strike before network defenses can catch up. The rise of zero trust provides defenders with the opportunity to adopt a safe and scalable approach to network security—and as network architecture increasingly shifts toward a zero trust model, we may all soon be saying “never trust, always verify.”

Wayne Dorris - Business Development Manager of Cybersecurity, Axis Communications, Inc

Guest Writer
Guest Writer
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.