The Zero Trust security framework was first developed by John Kindervag in 2009 while he was at Forrester Research. Zero Trust challenged the traditional security model of a firewall forming a perimeter between a trusted internal network and an untrusted external one. This security approach breaks down if a threat actor is able to penetrate that perimeter, or a malicious insider is looking to steal sensitive data. Instead, Kindervag argued, all network traffic should be considered untrusted. Moreover, in the modern IT landscape of cloud services and mobile workforces, organizations could no longer rely on perimeter-based solutions to protect data. As such, the line of defense had shifted from the traditional perimeter to the user.
The original Zero Trust model is underpinned by three core concepts. First, an organization needs to provide secure access, regardless of location. This concept has become increasingly relevant as 81% of data breaches now involve weak or stolen passwords. Beyond the need to authenticate the user is also the necessity of ensuring the right authorization is in place. As such, the second tenet of Zero Trust stipulates that companies must control access on a need-to-know basis. In practice, this means that users should have access to the minimum amount of resources needed to do their job, and be immediately cut off from access when that role changes or they leave the organization. Lastly, Zero Trust emphasizes the importance of inspecting and logging traffic to verify users are doing the right thing.
The Evolution of Zero Trust
The Zero Trust paradigm has proven its relevancy over the last decade. However, with the proliferation of mobile device usage, software-as-a-service (SaaS) offerings, and cloud storage solutions growing in popularity—not to mention cyberattacks like phishing credential stuffing increasing in sophistication—the three core concepts of Zero Trust needed to evolve.
With this in mind, Dr. Chase Cunningham of Forrester introduced the Zero Trust eXtended (ZTX) Ecosystem in early 2018. ZTX goes beyond network segmentation and introduces seven categories that provide a holistic approach to security in a Zero Trust world. At the core of the ZTX model is the primary category of data. ZTX recommends developing data classification schemes, and deploying technologies to encrypt data in-transit and at-rest. The next four categories deal with the agents operating in an IT environment. People form a critical component here—since users have effectively become the modern security perimeter— but ZTX also emphasizes the importance of looking at networks, devices, and workloads. Since users have become so central to security, it’s important to examine the networks and devices they use, as well as the information they are accessing.
With this in mind, the last two categories of ZTX are visibility and analytics, and automation and orchestration. Here ZTX recommends the implementation of technologies and processes to monitor and manage the underlying data, networks, people, workloads, and devices. The aim is to provide greater insight into network activity and to make it as quick and easy as possible to take action.
Next-Generation Access (NGA)
According to Dr. Cunningham, identity solutions are a critical control point where Zero Trust is concerned. Zero Trust in the modern IT environment requires command and control of user access.
What Dr. Cunningham describes as Next-Generation Access (NGA) gives organizations the ability to centralize identity and access control via single sign-on, and to ensure strong authentication across all services, everywhere. NGA also enables visibility and response to credential compromise and account takeover attacks by integrating this data with analytics systems to detect anomalies.
Okta’s Role in Next-Gen Access and Zero Trust
The Okta Identity Cloud is an industry-leading, integrated platform that can help organizations successfully implement Next-Gen Access. Okta’s Single Sign-On(SSO) and Adaptive Multi-Factor Authentication (MFA) solutions help organizations verify users and devices before granting them access to secure resources, while the Okta Integration Network offers a way to integrate a Zero Trust approach across the ZTX. Okta’s Lifecycle Managementcan further assist with the implementation of Zero Trust by automating the provisioning and deprovisioning of users and devices, and Okta’s centralized security reporting can help organizations gain visibility into security-related events with sophisticated real-time system log search, geolocation tracking, pre-built application access reports, and integration with SIEM solutions.
Okta’s identity-driven security approach also aligns with Google’s BeyondCorp security model. Published in 2014, BeyondCorp is a practical application of the Zero Trust framework that promotes three fundamental principles:
- Connecting from a particular network must not determine which services a user can access
- Access to services is granted based on what we know about the user and their device
- Access to services must be authenticated, authorized, and encrypted
In the middle of 2018, Okta acquired ScaleFT—a pioneer in Zero Trust that’s been working on BeyondCorp-inspired access management solutions that would enable secure remote access without a VPN. ScaleFT will help Okta bring next-generation continuous authentication capabilities to secure server access, from cloud to ground.
With people acting as the new security perimeter, access has become a central security consideration. In fact, identity should be the core component of your Zero Trust strategy. Modern solutions not only help verify users and devices, but can also help with provisioning and monitoring. Most importantly, they allow for the adoption of a Zero Trust model without sacrificing the user experience.
Want to learn more about how we embrace the Zero Trust model? Then download our whitepaper, Zero Trust with Okta: A Modern Approach to Secure Access