Zero trust security is an invaluable approach that helps significantly boost how protected an organization is against threats. Nevertheless, many people may need to become more familiar with the term or what it entails. Let’s take a few moments to review the concept and clarify how beneficial it can be.
You can almost think of a zero trust security strategy as actively implementing the phrase, “Trust no one.”
The development of zero trust security is actually closely tied to the growth of remote work. Back when teams worked at the office, hard stop, it was relatively easy to secure a business network. You could establish a perimeter to keep threats out, reinforce it with a ton of protections, and be confident that everyone inside was confirmed to be a trusted team member.
However, once the Internet advanced to the point where it was relatively accessible outside of the business setting, the idea that work could be done anywhere was too appealing to waste the opportunity—despite this breaching the perimeter. Virtual private networks (VPNs) helped to an extent, but as greater and more powerful threats developed it was soon apparent that a perimetered network simply wasn’t a viable option.
The term “zero trust” actually dates back to 1994, when Steven Paul Marsh included the phrase in a doctoral thesis on computer security for the University of Stirling. This thesis, titled Formalising Trust as a Computational Concept, focused on creating a proposed mathematical model to assist distributed artificial intelligence in its calculations. Greatly simplified, this model seeks to quantify trust so that AI can consider it as another variable.
However, it wasn’t until 2010 that John Kindervag combined two years of effort and research at research and consulting firm Forrester to produce a report. In this report, No More Chewy Centers: Introducing the Zero Trust Model of Information Security, Kindervag presented the Zero Trust Model.
Kindervag’s report outlined the three core tenets of the model:
These same principles began to appear in new policies and publications, from Google’s BeyondCorp initiative that reinforced the importance of the above tenets (never using the phrase “zero trust,” however) to the standards that the National Institute of Standards and Technology—NIST—proposed in 2020’s publication Zero Trust Architecture.
It is NIST’s report that adds the following assumptions to the above tenets (we’ve added a bit of clarification to each):
When it all comes down to it, it’s less “Trust no one” and more “Protect and verify.”
Security precautions have undoubtedly improved over the years. Unfortunately, the same can be said of the threats that target businesses. At this point, zero trust is practically the only feasible option for a modern business—at least, one concerned with protecting itself, its data, and its customers and clients.
BSGtech is here to help. As a part of our managed services, we’ll help you ensure your business’ data and infrastructure are locked down, regardless of where your team works. Learn more about how we can keep you protected by calling (866) 546-1004.