Cybersecurity is in constant evolution. As attack vectors change, so too do the defenses. Over the years, maintaining cybersecurity has gone through several iterations, initially mimicking physical security, but eventually developing into a design that’s unique unto itself.
Cybersecurity began simply, with a blacklist that blocked all known malicious actors and attack vectors. However, as the threats grew and varied, keeping a centralized blacklist became too cumbersome. The next iteration was to instead keep a whitelist, allowing only specific personnel, ports, and protocols through the proverbial walls of cybersecurity, and blocking all others. The failure here, though, was the assumption that once through the gates, the entity was considered “fully trusted” and could move about the castle unfettered. The fallout could be worse than that of maintaining a blacklist, as an attack could now come from within, crumbling the foundation from the inside out. Where does one go if even the trusted cannot be trusted?
Well, the next logical iteration is to move to “no trust”, which is the basis of the aptly named “Zero Trust Security Model”. The main concept of Zero Trust can be boiled down to the simple phrase “never trust, always verify”, which means that no trust should be established by default, and that as an entity moves about the infrastructure, it must constantly verify its identity and its need to be there.
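The difference between the whitelist-at-the-gate model and “never trust, always verify” can be shown as two decision functions run over the same requests. This is an added illustration, not taken from the original article; the subjects, resources and entitlement table are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str
    source_net: str          # "internal" or "external"
    identity_verified: bool  # identity proven for this request, not inherited
    resource: str


# Constructed sample data: who has a stated need for which resource.
ENTITLEMENTS = {
    "alice": {"payroll-db"},
    "build-svc": {"artifact-store"},
}

# Constructed sample requests.
REQUESTS = [
    Request("alice", "internal", True, "payroll-db"),
    Request("build-svc", "internal", True, "artifact-store"),
    Request("build-svc", "internal", True, "payroll-db"),  # no need to be there
    Request("alice", "internal", False, "payroll-db"),     # identity not verified
    Request("alice", "external", True, "payroll-db"),      # working from home
]


def perimeter_decision(req: Request) -> bool:
    """Castle model: once through the gates, the entity is fully trusted."""
    return req.source_net == "internal"


def zero_trust_decision(req: Request) -> bool:
    """Identity and need are checked on every request.
    Network location is deliberately not an input to the decision."""
    if not req.identity_verified:
        return False
    return req.resource in ENTITLEMENTS.get(req.subject, set())


def disagreements(requests):
    """Return (request, perimeter, zero_trust) where the two models differ."""
    rows = [(r, perimeter_decision(r), zero_trust_decision(r)) for r in requests]
    return [row for row in rows if row[1] != row[2]]


if __name__ == "__main__":
    for req, perimeter, zero_trust in disagreements(REQUESTS):
        print(f"{req.subject:10} {req.source_net:9} -> {req.resource:15} "
              f"perimeter={perimeter} zero_trust={zero_trust}")
```

The three rows where the models disagree are the cases the article describes: an insider reaching a resource it has no need for, a request with no verified identity, and a legitimate user outside the walls.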
The concept of Zero Trust is not new but, with the large migration of businesses to the Cloud and the workforce to the home due to the pandemic that began in 2020, cybersecurity was all but forced to evolve rapidly to confront this new digital landscape. The National Institute of Standards and Technology (NIST) published an article in August 2020 dedicated strictly to the Zero Trust Architecture (SP 800-207). Following suit, in May 2021, the Biden Administration issued an Executive Order to improve the nation’s cybersecurity posture, with heavy focus dedicated to Zero Trust and the implementation thereof.
Society’s interaction with technology is constantly changing, with the adoption of Zero Trust being just another step in the evolution of cybersecurity. To the end user, there will be slight changes to bolster security, but the positives far outweigh the negatives.
Written by Nicholas Mauer, AFSOC Cloud Security Analyst