Twenty years ago, a system administrator was busy keeping out hackers on a daily basis. With relative success. Antivirus on all machines, firewall on the router – that usually did the trick. But these days we seem to be fighting a losing battle. The solution? Trust no one!
For years we have been concerned with keeping the network free from intruders, while protecting the users as much as possible. You could think of this as standing at an open window with a fly swatter, ready to kill any mosquitoes and other insects as soon as they try to get in.
But the world looks very different now. The window is no longer the boundary between your network and the rest of the world. In fact, there’s actually no window at all. These days, many people are working from home, cloud applications and storage are everywhere, and we’re working more and more closely with other companies. You’re fly swatter isn’t going to be of much use in this new world. The solution is to simply not give anyone access: zero trust. You are not allowed in unless you have a key, or the right code, or preferably both, plus multi-factor authentication.
Thanks to the internet, almost everything is documented these days. In this way we also know who first used the term ‘zero trust’. That was the mathematician Stephen Marsh in his 1994 master’s thesis on computer security for the University of Stirling in Scotland. It took until 2009 before the first company implemented a zero trust solution. Not surprisingly, this was Google and they called the technology ‘BeyondCorp’.
You could say that since then we have all lost our innocence. Or, our naivety. The router with its open ports has long since become obsolete. More and more system administrators are realising that it is not a question of whether they will get in, but when.
Fortunately, zero trust is not just a concept that says you should not trust anyone. Thanks to the gurus of the American security institute NIST – which is generally accepted worldwide as highly knowledgeable – there is a zero trust model that can be applied in almost any situation. If you implement a zero trust solution from a supplier on your network, it must comply with all points of the model.
The basic principles of this model assume that any computer or user knocking at the gate could be an intruder. The trick is to let in only those who mean well. Zero trust means that there must be a single database in which all security information is stored: user identities, machine identities, policies, etc., etc.
The first step to get in is for the user to identify themselves. The next step is that the device must also identify itself. As a user, you can no longer just use any device to connect to the company network. The machine must also provide a health certificate, in a manner of speaking, which indicates that it complies with things that are determined in specific policies.
Are you in yet? Yes, but you still can’t do anything. This sequence is then continued with authorisation to access certain resources and applications. And it can go even further: even within certain applications, you can specify which user and which device gets access to specific functionalities.
So, have we all become completely paranoid? Yes, but that’s a good thing!
Want to know how to make resources and applications available flexibly and with zero trust? Book a demo now and we’ll be happy to show you!