At this year’s RSA Conference held recently in San Francisco, Zero Trust security was seemingly everywhere on the exhibition floor. This is the approach whereby a company’s infrastructure is completely locked down, with access granted to individual assets on a one-by-one basis, and even then, only with continuous monitoring.
Zero Trust arose a decade ago, when, in response to an ever-morphing, ever more muscular threat landscape, granting “access all areas” rights was increasingly not an option in enterprise security. It has now gone mainstream, with three main flavors, applicable to different use cases.
First, for privileged users such as sysadmins and C-level execs, there is privileged access management (PAM) technology, which has gone from providing secure vaults in which to store passwords to a “least privilege” approach, where users must log in separately for each application they work on.
Second, for remote access, software-defined perimeter (SDP) technology is touted as a replacement for virtual private networks (VPNs): it blanks out all assets that users are not authorized to access and lets them reach the ones they are allowed to see, but again on a one-by-one basis only. Google takes this a step further with its BeyondCorp initiative, extending the approach to all employees.
Third, for protecting cloud workloads, there is microsegmentation, a granular partitioning approach whereby traffic to and from a workload is isolated according to security policies. Companies can therefore gain control over the east-west traffic that evades traditional architectures based on firewalls, which are designed only to inspect north-south traffic and can miss traffic between applications and workloads that might be generated by security exploits.
Rik Turner, Principal Analyst, Infrastructure Solutions