Is it time to move to a zero-trust model?

Matt Elton - May 12, 2021

Today, employees are working from anywhere, often using their own devices, while the data sits in unknown locations known as "the cloud". Does the perimeter security model still make any sense?


It seems that practically everywhere we look today in the world of cybersecurity, we come across the concept of zero-trust. Has the global pandemic and the increased adoption of cloud technology created a situation where zero-trust has finally come of age?


The hard-shell-soft-inside model, which has been widely adopted in industry, is built upon the assumption that the firm and its employees can be trusted, while the outside world cannot. Go back 20 years, and even the very large organizations installed firewalls at the perimeter, while everything was more or less open on the inside. I am sure we have all come across situations where data, the firm’s most valuable asset, sat alongside - in some cases almost literally - a multitude of desktop users and their related infrastructure. Over time, firms have adopted some level of network segmentation, separating the front end and mid-tier applications from their data. In many cases, this was only done for public internet-facing applications, while internal users had very little beyond simple user rights to restrict what they could do.


Over the last year, we have all experienced the major changes in business operating models which have come from the move to remote working as a result of the global COVID-19 pandemic. The perimeter of the organization became the back bedrooms, kitchen tables, and home offices of staff confined to their homes. Of course, as the business world grappled with the move to remote working, cybercriminals wasted no time in trying to exploit the situation, attacking the weakest points of the new normal. In infrastructure terms, this has meant poorly protected home networks with out-of-date and unsupported routers vulnerable to remote exploits, vulnerabilities in VPNs and other remote access tools, and, most of all, the end users themselves. A lack of devices and cost-saving measures meant that, like it or not, many firms found themselves forced into adopting a BYOD (bring your own device) model at the same time.


Phishing attacks increased significantly during the pandemic and account for more than 80% of reported security incidents, while 94% of malware is delivered by email. It is worth remembering that insider threats (deliberate as well as accidental) now outnumber those from external actors, and over 80% of all attacks involve credential use or misuse within the organization.


Does a hard-shell-soft-inside model work in these conditions?


If the changes instigated by the pandemic are not enough on their own, the last few years of IT evolution, in particular the adoption of cloud technologies, have forced organizations to start looking at security differently. Hybrid cloud environments are now likely the norm for the vast majority of enterprises, large and small. Increased cloud adoption means that the applications, services, and those crown jewels, the data, no longer sit protected in the heart of the organization, but in data centres and server infrastructure owned and operated by big tech firms like Amazon, Microsoft, IBM, Google, and friends. Where is the perimeter of the organization now?


Somehow, we have reached the perfect conditions to finally make a break with the old model. So when we talk about zero-trust, what are we referring to? The term itself was coined by former Forrester analyst John Kindervag, who recently joined zero-trust innovators ON2IT as Senior VP Cybersecurity Strategy. His motto is “never trust, always verify.” The approach is based on the assumption that risk is an inherent factor both inside and outside the network. Given that we are living in a world where there is increasingly little differentiation between inside and outside, or even where there is no longer an inside and outside at all, it seems a sound assumption upon which to build a security model. In essence, in zero-trust there is no longer a network perimeter, and resources and users can be in any location.


The model is defined in a number of industry guidelines such as Forrester’s Zero Trust eXtended (ZTX), Gartner’s CARTA, and NIST SP 800-207. Zero-trust requires that all users, wherever they are, be authenticated, authorized, and continuously validated for security configuration and posture before being granted, or retaining, access to applications and data.


Zero-trust combines familiar security technologies like multi-factor authentication (MFA), identity and access management (IAM), identity protection, and endpoint security to verify the user’s identity and maintain security. The emphasis is no longer on where the user is connecting from, but instead on strong identity control, device health enforcement, and least privilege access. In essence, in order to trust, you must first verify.
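To make the shift concrete, here is an added illustration in Python (not code from the article): a perimeter-style decision that trusts any request arriving from the internal network, beside a zero-trust decision that ignores location and instead checks identity (MFA), device health, least privilege and the freshness of the last posture validation. The network range, the role-to-resource mapping and the 15-minute re-validation window are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed example values: the "inside" network of the perimeter model and
# an assumed policy that device posture must be re-checked every 15 minutes.
CORPORATE_LAN = ip_network("10.0.0.0/8")
MAX_VALIDATION_AGE_S = 15 * 60

# Least-privilege mapping (constructed): which roles may reach which resource.
RESOURCE_ROLES = {
    "hr-db": {"hr-analyst"},
    "wiki": {"hr-analyst", "engineer", "contractor"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    resource: str
    roles: frozenset
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    seconds_since_validation: int  # age of the last posture check


def perimeter_decision(req: AccessRequest) -> bool:
    """Hard-shell-soft-inside: anything originating on the LAN is trusted,
    regardless of who the user is or what state the device is in."""
    return ip_address(req.source_ip) in CORPORATE_LAN


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Never trust, always verify: the source address plays no part. Every
    control must hold, and the reasons for a denial are returned for logging."""
    failed: List[str] = []
    if not req.mfa_verified:
        failed.append("identity: MFA not verified")
    if not (req.device_managed and req.device_patched):
        failed.append("device: not managed or not patched")
    if not req.roles & RESOURCE_ROLES.get(req.resource, set()):
        failed.append("least privilege: no role grants this resource")
    if req.seconds_since_validation > MAX_VALIDATION_AGE_S:
        failed.append("posture: re-validation overdue")
    return (not failed, failed)
```

The interesting case is a request from an unmanaged device on the LAN without MFA: the perimeter model lets it through, the zero-trust model denies it with two reasons, while a fully verified request from a home address passes only the latter.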


Having been around the world of cybersecurity for the best part of 25 years, I distinctly remember a discussion in the late 90s with my then manager about a model where we could treat the inside and outside, including resources and users, as untrusted, in essence something similar to the zero-trust model. Perhaps back then such a concept was just too revolutionary. But the combination of accelerated cloud adoption and the acceptance of remote working and BYOD means that we are now living in a world where there is no longer a clear definition of inside and outside, and no longer a neat network perimeter where firewalls and related devices protect us from the bad actors on the outside. In the next article we will take a look at how an organization can go about transitioning from the traditional hard-shell-soft-inside model to a zero-trust approach.