In 2010, Forrester Research analyst John Kindervag proposed a solution he termed “Zero Trust.”
It was a shift from “trust but verify” to “never trust, always verify.” In the Zero Trust model, no user or device is granted access to a resource until its identity has been authenticated and its authorization for that specific resource has been checked. This applies to the people and devices traditionally considered inside the private network, such as an employee on a company laptop working from home or on a mobile device at a conference on the other side of the world, just as much as it applies to everyone outside that network. It makes no difference whether you have accessed the network before or how many times: each new request is verified again. The working assumption is that every machine, user, and server is untrusted until proven otherwise.
Historically, a castle-and-moat approach to security seemed workable: build a network perimeter (the moat), treat everyone outside it as “bad,” and treat everyone who makes it inside as “good.” But just as castles and moats are a thing of the past, so should be the castle-and-moat approach to security. Consider the current state of remote work. Today’s workforce and workplace have changed; when, how, and where people do their work has moved beyond the four walls of an office. With the rise of the cloud, the network perimeter no longer exists in the way it used to. Users and applications are just as likely to be outside the moat as inside it. That leaves a perimeter full of gaps that malicious actors can exploit, and it means a single phished credential or compromised device is enough to get across. Once inside the moat, an attacker inherits the trust granted to “insiders” and is free to move laterally, accessing resources and high-value assets like customer data (the crown jewels!) or launching a ransomware attack.
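The two models described above, as an added example that is not part of the original article or of any vendor's product: a castle-and-moat check that trusts anything from the corporate address range, next to a per-request Zero Trust decision that authenticates the caller's signed identity assertion, checks the device, and checks authorization for the specific resource while ignoring the source address entirely. All names (the 10.0.0.0/8 range, the device inventory, the resource-to-user policy, the HMAC signing key standing in for an identity provider's key) are constructed for the illustration.

```python
"""Perimeter-based vs. per-request (Zero Trust) access decisions.

Added illustration with constructed data; not taken from any real product.
An HMAC over a JSON payload stands in for a token signed by an identity provider.
"""
import base64
import hashlib
import hmac
import json
import time
from ipaddress import ip_address, ip_network

# Hypothetical "inside the moat" address range.
CORP_NET = ip_network("10.0.0.0/8")


def perimeter_allows(src_ip):
    """Castle-and-moat: anything that reaches us from the corporate network is trusted."""
    return ip_address(src_ip) in CORP_NET


# --- Zero Trust side: every request carries a short-lived, signed identity assertion.
SECRET = b"demo-signing-key"  # constructed; in practice this is the identity provider's key

# Constructed device inventory and resource policy (who may reach what).
ENROLLED_DEVICES = {
    "laptop-17": {"healthy": True},
    "phone-03": {"healthy": True},
    "laptop-99": {"healthy": False},  # enrolled, but failed its posture check
}
POLICY = {
    "crm/customers": {"alice"},
    "hr/payroll": {"bob"},
}


def mint_token(subject, device_id, ttl=300, now=None):
    """Issue a token binding a user to a device, valid for `ttl` seconds."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "dev": device_id, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(sig).decode())


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered
        claims = json.loads(payload)
        if claims["exp"] <= now:
            return None  # expired: old verifications confer nothing
        return claims
    except (ValueError, KeyError):
        return None  # malformed token


def zero_trust_allows(token, resource, src_ip, now=None):
    """Per-request decision: identity, device and authorization are all re-checked.

    `src_ip` is accepted only to make the point that it is never consulted:
    being on the corporate network grants no trust by itself.
    """
    claims = verify_token(token, now)
    if claims is None:
        return False, "identity not verified"
    device = ENROLLED_DEVICES.get(claims["dev"])
    if device is None or not device["healthy"]:
        return False, "device not trusted"
    if claims["sub"] not in POLICY.get(resource, set()):
        return False, "not authorized for resource"
    return True, "ok"


if __name__ == "__main__":
    tok = mint_token("alice", "laptop-17")
    # Same request from the internet: moat says no, Zero Trust says yes.
    print(perimeter_allows("203.0.113.5"), zero_trust_allows(tok, "crm/customers", "203.0.113.5"))
    # Unauthorized resource from inside the corporate network: moat says yes, Zero Trust says no.
    print(perimeter_allows("10.1.2.3"), zero_trust_allows(tok, "hr/payroll", "10.1.2.3"))
```

The point of the contrast is the last function's signature: the network location is an input that the decision never uses. An expired token, an unhealthy device, or a user outside the resource's policy is refused from 10.0.0.0/8 exactly as it would be from the open internet, and a valid identity on a healthy device is admitted from the open internet exactly as it would be from a desk in the office.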