Jump to content

Zero trust security model

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by LaFemmeTech (talk | contribs) at 18:32, 3 March 2021 (Background: Corrected origin of the term "Zero Trust" and provided authoritative background and sources as proof. Stephen Paul Marsh, PhD, Associate Professor of Trust Systems at University of Ontario Institute of Technology first wrote of Zero Trust in networks, applications, and computers in 1994 and his work has been cited more than 2,100 times to date.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Zero trust networks (also, zero trust network architecture, zero trust security model, ZTA, ZTNA), in the field of Information Technology (IT) describes an approach to the design and implementation of IT networks. The main concept behind zero trust is that networked devices, such as laptops, should not be trusted by default, even if they are connected to a managed corporate network such as the corporate LAN and even if they were previously verified. In most modern enterprise environments, corporate networks consist of many interconnected segments, cloud-based services and infrastructure, connections to remote and mobile environments, and increasingly connections to non-conventional IT, such as IoT devices. The once traditional approach of trusting devices within a notional corporate perimeter, or devices connected to it via a VPN, makes less sense in such highly diverse and distributed environments. Instead, the zero trust networking approach advocates mutual authentication, including checking the identity and integrity of devices irrespective of location, and providing access to applications and services based on the confidence of device identity and device health in combination with user authentication.[1]

Background

Many of the concepts supporting zero trust are not new. John Kindervag, an industry analyst at Forrester (re)popularized the term "zero trust" but it was coined in April 1994 by Stephen Paul Marsh for his doctoral thesis on computational security at the University of Stirling. Marsh’s work was a thorough study of trust as something finite that can be described in a mathematical construct rather than simply a confrontational or purely human phenomenon. Further, Marsh asserted that the concept of trust transcends human factors such as morality, ethics, lawfulness, justice, and judgement. Marsh surmised that zero trust surpassed distrust when it came to securing computing systems, applications, and networks.[2]

The challenges of defining the perimeter to an organisation's IT systems was highlighted by the Jericho Forum in 2003, discussing the trend of what was then coined de-perimiterisation. In 2009, Google implemented a zero trust architecture referred to as BeyondCorp, part influenced by an open-source access control project.[3] Kindervag's reporting and analysis helped crystallize zero trust concepts across IT communities. However, it would take almost a decade for zero trust architectures to become prevalent, driven in part by increased adoption of mobile and cloud services.

By middle of 2014, Gianclaudio Moresi, a Swiss security engineer, designed the first system using the principle of a series circuit of firewalls in order to protect any client from new dangerous viruses (Zero Day Protection with Zero Trust Network). The new architecture based on Untrust-Untrust Network was published at the Swiss Federal Institute of Intellectual Property on 20 February 2015.[4]

By 2019, the UK National Technical Authority, the National Cyber Security Centre were recommending that network architects consider a zero trust approach for new IT deployments, particularly where significant use of cloud services is planned.[5] By 2020 the majority of leading IT platform vendors, as well as cyber security providers, have well-documented examples of zero trust architectures or solutions. This increased popularization has in-turn created a range of definitions of zero trust, requiring a level of standardization by recognized authorities such as NCSC and NIST.

Principles definitions

From late 2018, work undertaken in the U.S. by the National Institute of Standards and Technology (NIST) and National Cyber Security Center of Excellence (NCCoE) cyber security researchers led to A NIST Special Publication (SP) 800-207, Zero Trust Architecture.[6][7] The publication defines zero trust (ZT) as a collection of concepts and ideas designed to reduce the uncertainty in enforcing accurate, per-request access decisions in information systems and services in the face of a network viewed as compromised. A zero trust architecture (ZTA) is an enterprise’s cyber security plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.

An alternative but consistent approach is taken by NCSC,[5] in identifying the key principles behind zero trust architectures:

  1. Single strong source of user identity
  2. User authentication
  3. Machine authentication
  4. Additional context, such as policy compliance and device health
  5. Authorization policies to access an application
  6. Access control policies within an application

References

  1. ^ "Mutual TLS: Securing Microservices in Service Mesh". The New Stack. 2021-02-01. Retrieved 2021-02-20.
  2. ^ Stephen Marsh, Google Scholar, 2021-03-03, retrieved 2021-03-03
  3. ^ cogolabs/beyond, Cogo Labs, 2020-08-21, retrieved 2020-08-25
  4. ^ G.C.Moresi, Architecture for a secure connection between a client and a server (Untrust-Untrust) Patent Nr. CH 710 768 A2, 20 February 2015
  5. ^ a b "Network architectures". www.ncsc.gov.uk. Retrieved 2020-08-25.
  6. ^ "Zero Trust Architecture | NCCoE". www.nccoe.nist.gov. Retrieved 2020-08-25.
  7. ^ Rose, Scott; Borchert, Oliver; Mitchell, Stu; Connelly, Sean. "Zero Trust Architecture" (PDF). nvlpubs.nist.gov. NIST. Retrieved 17 October 2020.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Zero_trust_security_model&oldid=1010084113"