01/05/2022 | News release | Distributed by Public on 01/05/2022 13:42
Over the last decade, we've experienced three megatrends in action: mobile, cloud, and software-as-a-service (SaaS). These megatrends have redefined how we work, conduct business, and consume information. According to Gartner, global end-user spending on public cloud services is expected to exceed $480 billion in 2022 with a year-over-year growth rate of 21.7%. We were already moving away from an 8-hour day, 5-day week in the office, as employees connected to corporate networks from their homes or while traveling with laptops and smartphones. But the pandemic put this movement into overdrive, accelerating the work-from-anywhere trend due to shelter-in-place mandates. Within the tech world, this turned all but the most essential workers into a fully remote workforce overnight.
Meanwhile, the steady increase in hybrid IT environments continues to impose new and complicated IT and security requirements. Where data centers used to operate mission-critical applications and store sensitive data, large-scale corporations are starting to buy into the cloud paradigm. In the interest of lower cost and higher scalability, the trend is to move resources from on-premises hardware to public cloud environments. And, due to faster return on investment and lower total cost of ownership, corporations are opting for SaaS apps over the traditional self-hosted enterprise apps or build-it-yourself solutions.
However, adopting the mobile, cloud, and SaaS megatrends has imposed significant challenges on corporate security and user experience:
The historical definition of corporate security focused on providing connections, monitoring, and detection using network defense approaches. However, as corporate perimeters became outmoded, this location-based security was no longer effective. Instead, identity began to play a central role in a new, modernized security framework. This identity-centric security framework is called Zero Trust. The Zero Trust concept was designed with the following assumption: "never trust, always verify." This model replaces the implicit trust once inferred from static location information with explicit trust criteria based on dynamic, contextual data. The sources of contextual data include user identities, application and resource properties, endpoint status, network health, and corporate policies.
Zero trust network access (ZTNA) is a product that provides a secure, private network that is only conditionally accessible to verifiable requests. Zero trust brokers continuously verify the identities, contexts, and policies of requests before granting or denying access. ZTNA removes apps from public visibility and significantly reduces the attack surface. ZTNA quickly gained initial traction as a VPN replacement, since it brings benefits in ease of adoption and scalability. Moreover, the identity- and context-based micro-segmentation provided by ZTNA allows fine-grained security control. This micro-segmentation approach is more effective at preventing lateral movement than traditional network-based segmentation.
As the legacy perimeter model continues to fail modern security needs and performance requirements, more and more corporations are interested in pursuing Zero Trust strategies. In 2019, Gartner combined network connectivity with network security, and coined the secure access service edge (SASE) model. Using this model, corporations can replace their inefficient and unsecured hub-and-spoke network infrastructure by using cloud-based identity-centric network access together with Secure Web Gateway (SWG) and Cloud Access Security Broker (CASB). Or corporations can reduce or replace existing Multi-Protocol Label Switching (MPLS) using identity and access management (IAM), SWG, and CASB on top of Software-defined Wide Area Network (SD-WAN).
The best way to visualize Zero Trust development and adoption is to explore the ideal Zero Trust architecture. To do so, we can abstract the implementations of a Zero Trust framework to a combination of a data plane and a control plane. The data plane provides access to resources, while the control plane makes continuous, real-time decisions about who or what can access the resources. We're going to draw an analogy between semiconductor devices and the ideal Zero Trust architecture.
A Metal Oxide Semiconductor Field Effect Transistor (MOSFET) is the basic building block of integrated circuits. A MOSFET has 3 terminals: source, drain, and gate. We control the flow of the MOSFET current by applying a gate voltage. When the gate voltage (i.e., the control plane) is larger than the absolute value of its threshold voltage, the channel between the source and the drain (i.e., the data plane) turns on, and the current flows between them. Conversely, when the gate voltage is smaller than the absolute value of its threshold voltage, the channel turns off and there's no current flow.
Two key principles of designing and scaling MOSFETs are to make transport between the source and the drain as frictionless as possible, and to make the gate control as strong as possible. So, how does this apply to Zero Trust? The ideal Zero Trust framework should have the most efficient data plane and the most effective control plane.
The Zero Trust framework provides secure, private networks, treated holistically, as the data plane. Instead of addressing the people, apps, workloads, and data connections separately, it is more efficient and secure to address them all together in a unified way.
In this scenario, a secure mesh network connects the traffic from any and all resources, devices, and users over any type of network infrastructure. The secure private mesh network serves as an overlay on the underlying physical network infrastructure, whether that is broadband, fiber, 4G, 5G, or Wi-Fi. The secure private mesh network abstracts the corporate IT and security landscape away from physical topologies. Based on an organization's IT and security needs, the mesh network establishes logical relationships among people, applications, and resources using identities, contexts, and policies.
A Zero Trust framework is about providing Zero Trust orchestration as the control plane. The Zero Trust orchestration consists of observing, monitoring, inspecting, analyzing, and action-taking. The interactions between Zero Trust orchestration and secure mesh networks provide feedback loop control.
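As an added illustration (not Okta's code or any product's implementation) of the control plane, data plane, and feedback loop described above, the following constructed Python model evaluates a request against the contextual sources the text lists (identity, resource policy, endpoint status, network health), turns the data-plane "channel" on only when the trust score clears the policy's threshold (the MOSFET analogy), and re-runs the decision whenever a new signal arrives, so a live session is cut the moment context degrades. All names, weights and sample values are hypothetical.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Context:
    """Dynamic contextual data: identity, endpoint status, and network health."""
    user: str
    groups: frozenset
    mfa_verified: bool
    device_managed: bool
    device_compliant: bool
    network_healthy: bool

@dataclass(frozen=True)
class Policy:
    """Corporate policy for one resource: entitlement plus a trust threshold."""
    resource: str
    allowed_groups: frozenset
    threshold: int  # the analogue of the MOSFET threshold voltage

def evaluate(ctx, policy):
    """Control-plane decision: deny by default; returns (allowed, reasons)."""
    reasons = []
    if not ctx.groups & policy.allowed_groups:
        reasons.append(f"{ctx.user} not entitled to {policy.resource}")
    # Trust score is the "gate voltage" assembled from contextual signals
    # (weights are hypothetical; a real policy engine would define its own).
    score = (2 * ctx.mfa_verified + 2 * ctx.device_managed
             + ctx.device_compliant + ctx.network_healthy)
    if score < policy.threshold:
        reasons.append(f"trust score {score} below threshold {policy.threshold}")
    return (not reasons, reasons)

class Session:
    """Data-plane channel: conducts only while the control plane says allow."""
    def __init__(self, ctx, policy):
        self.ctx, self.policy = ctx, policy
        self.open, self.reasons = evaluate(ctx, policy)
    def signal(self, **changes):
        """Feedback loop: any new signal re-runs the decision on the live session."""
        self.ctx = replace(self.ctx, **changes)
        self.open, self.reasons = evaluate(self.ctx, self.policy)
        return self.open

def demo():
    """Constructed walk-through: a compliant user whose endpoint then degrades."""
    policy = Policy("payroll-app", frozenset({"finance"}), threshold=5)
    alice = Context("alice", frozenset({"finance"}), True, True, True, True)
    s = Session(alice, policy)                          # score 6: channel on
    return [s.open, s.signal(device_compliant=False),   # score 5: still on
            s.signal(network_healthy=False)]            # score 4: channel off
```

The `reasons` list is what a Zero Trust orchestration layer would log and act on, which is the observe/analyze/act loop the text describes.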
In essence, the three key characteristics of Zero Trust orchestration are integrated, bi-directional, and continuous:
Identity is the cornerstone of the Zero Trust framework. We need identities to describe, control, and manage almost everything: employees, customers, contractors, on-premises apps, SaaS apps, APIs, servers, virtual machines, containers, serverless functions, Internet of Things (IoT) devices, bots, data sets, or even non-fungible tokens (NFTs). IAM, privileged access management (PAM), identity governance and administration (IGA), and identity proofing are ways to make connections among these identities. Zero Trust security is one of the best examples of using identity to achieve both a better user experience and a stronger security posture.
From both internal R&D and M&A perspectives, Zero Trust has attracted an influx of investment within the security industry. As a result, dozens of companies have recently introduced Zero Trust offerings. Zero Trust is a modern way to design enterprise security, and its adoption could drive industry consolidation. However, no provider, not even the most powerful security platform vendor, can offer a complete suite of Zero Trust products by itself. This is because in cybersecurity, good enough is not enough, and it's extremely risky to put all your eggs in one basket when building security infrastructure. A better way? Build deep, strategic relationships with a handful of security companies and implement best-of-breed products to guard against future cyber attacks. It's also a good idea to separate security providers from app providers to preserve an additional layer of protection.
Our security industry suffers from a lot of fragmentation, and we need to think more about collaboration. In doing so, we become technology enablers, allowing everyone and every organization to safely use any technology, anywhere. Collaboration becomes even more crucial in the Zero Trust era. We are seeing early explorations in sharing security signals, such as OpenID Foundation's Shared Signals and Events working group. We expect more joint effort across our security industry.
For more facets of Zero Trust, check out the Okta blog for our library of content around Zero Trust.