The growing popularity of cloud and edge computing, combined with an increase in remote workforces, is driving security architects to seek a new identity-based approach to cybersecurity.
The traditional approach of defined security perimeters distinguishing “trusted” communications from “untrusted” communications is no longer viable. Employees work outside the traditional castle and moat of the office and firewall, and cloud services mean that large amounts of business traffic never cross the corporate local area network.
To remedy the situation, organizations can use a zero-trust model for authentication and authorization to better protect critical business data. Zero trust philosophies and tools have gained momentum as they are more able to operate in borderless enterprise environments.
Let’s take a look at perimeter-based security versus zero trust and explore why organizations might want to migrate to a zero trust philosophy in the near future.
What is perimeter-based security?
Classic network designs were built around the concept of a corporate LAN consisting of switches, routers, and Wi-Fi connectivity. The LAN contained one or more data centers, which housed applications and data. This LAN formed the security perimeter of the network.
Access to applications and services over the Internet, VPNs, and remote sites over WAN connections is considered external to the organization with perimeter-based security. Anything connected to the LAN is considered “trusted” and devices from outside the perimeter are “untrusted”. This means that external users must prove who they are through various security and identification tools.
What is Zero Trust?
Zero Trust is a corporate trust philosophy and approach in which everything, including users, devices, and communications, is explicitly untrusted until verified, and is then continuously reverified over time. The security model uses the principle of least privilege to limit what a user or device can communicate with. Zero trust greatly reduces the risk of lateral movement within an organization if a user account or device is compromised.
Microsegmentation plays a role in zero-trust security because the network itself is logically segmented into different secure zones, down to the workload level. This is widely useful in data centers, where distributed services are isolated on secure network segments and communication between those segments is strictly controlled by security policies.
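To make the contrast concrete, here is an added example (written for this page, not code from the article or any vendor) that models the two decision styles side by side: a perimeter check that trusts anything originating from the corporate LAN, and a zero-trust check that ignores network location and instead requires a compliant device, a recent authentication, and an explicit least-privilege grant, defaulting to deny. It also includes a microsegmentation check in which workload-to-workload flows are denied unless a segment-to-segment rule exists. All users, devices, IP ranges, segments, and policies are constructed for illustration.

```python
"""Perimeter-style versus zero-trust access decisions (constructed example).

Every user, device, address range, segment and policy below is made up for
illustration; none of it comes from the article or a real deployment.
"""
from dataclasses import dataclass
import ipaddress

# --- Constructed sample data ---------------------------------------------
CORP_LAN = ipaddress.ip_network("10.0.0.0/8")   # the "trusted" perimeter
REAUTH_WINDOW_SECONDS = 900                     # reverify at least every 15 min

# Device posture as reported by a hypothetical endpoint management system
DEVICE_POSTURE = {
    "laptop-001": "compliant",
    "laptop-002": "noncompliant",   # e.g. disk encryption switched off
}

# Least-privilege grants: (user, resource) -> allowed actions; absent = denied
ACCESS_POLICY = {
    ("alice", "payroll-db"): {"read"},
    ("bob", "web-frontend"): {"read", "write"},
}

# Microsegmentation: each workload lives in a segment, and only the listed
# (source segment, destination segment, port) flows are permitted.
WORKLOAD_SEGMENT = {
    "web-frontend": "dmz",
    "app-server": "app",
    "payroll-db": "finance",
}
SEGMENT_FLOWS = {
    ("dmz", "app", 8443),
    ("app", "finance", 5432),
}


@dataclass
class Request:
    user: str
    device_id: str
    src_ip: str
    resource: str
    action: str
    seconds_since_auth: float   # age of the last successful authentication


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: anything originating inside the LAN is trusted."""
    return ipaddress.ip_address(req.src_ip) in CORP_LAN


def zero_trust_decision(req: Request) -> tuple:
    """Zero-trust model: identity, device and privilege are checked on every
    request. Network location is deliberately not an input, and the default
    outcome is deny; returns (allowed, reason)."""
    if DEVICE_POSTURE.get(req.device_id) != "compliant":
        return False, "device unknown or noncompliant"
    if req.seconds_since_auth > REAUTH_WINDOW_SECONDS:
        return False, "reauthentication required"
    allowed_actions = ACCESS_POLICY.get((req.user, req.resource), set())
    if req.action not in allowed_actions:
        return False, "no least-privilege grant for this action"
    return True, "allowed"


def segment_allows(src_workload: str, dst_workload: str, port: int) -> bool:
    """Microsegmentation: workload-to-workload traffic is denied unless an
    explicit segment-to-segment rule exists for that port."""
    src = WORKLOAD_SEGMENT.get(src_workload)
    dst = WORKLOAD_SEGMENT.get(dst_workload)
    if src is None or dst is None:
        return False
    return (src, dst, port) in SEGMENT_FLOWS


if __name__ == "__main__":
    # A compromised account on a managed laptop inside the LAN: the perimeter
    # model trusts it because of where it sits, the zero-trust model still
    # requires a grant for the requested resource and action.
    compromised = Request("bob", "laptop-001", "10.1.2.3", "payroll-db", "read", 60)
    print("perimeter:", perimeter_allows(compromised))
    print("zero trust:", zero_trust_decision(compromised))
    # Direct DMZ-to-finance traffic has no segment rule, so it is dropped.
    print("dmz -> finance:", segment_allows("web-frontend", "payroll-db", 5432))
```

The design point is that `zero_trust_decision` never looks at `src_ip`: a request from the office LAN and one from a coffee shop are evaluated identically, which is what removes the "inside equals trusted" assumption. The reauthentication window stands in for the continuous reverification the text describes; a real deployment would also feed in signals such as device health changes or risk scores between logins.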
Why move from perimeter-based security to zero trust?
The biggest problem with perimeter-based security is that it is static in nature. Over the years, applications, devices, and users have migrated outside the traditional LAN boundary, and as a result the perimeter model has become architecturally unreliable.
Perimeter security also suffers from the fundamental flaw of assuming that anyone accessing resources from inside the secure perimeter can be trusted. This is a bad assumption, because there are as many insider threats as there are external threats, as the range of malicious and negligent insider incidents demonstrates.
It makes more sense for an identity-based security strategy to trust no one until they are authenticated, and then to keep reauthenticating them continuously. The zero-trust methodology puts all users, devices, apps, and communications on the same security playing field. It also helps streamline policy creation, improve visibility, and centralize access control.