If you have seen the term “zero trust” bandied about in recent discussions about workplace security, you could have been tempted to assume that it must refer to a security solution or product. However, “zero trust” essentially refers instead to a fundamental shift in how companies implement their cybersecurity.

This point is attested by Forrester Research in an article for ZDNet, where zero trust is described as a security framework built on the attitude of “never trust, always verify” and “assuming breach”. So, how can you unpack the concept of zero trust – and could adopting zero trust bode well for your business?

What is the history of zero trust?

The zero trust concept can be traced back to 2010, when it was created as the Zero Trust Network – or Zero Trust Architecture – model by John Kindervag, at that time a principal analyst at Forrester. Since then, zero trust technologies have become more mainstream as more executives have taken them up.

“If I have 20 calls, 17 are about zero trust. CISOs, CIOs and CEOs are all interested, and companies of various sizes are interested,” Chase Cunningham, then a Forrester-employed principal analyst, told CSO in 2018. By that time, worldwide expenditure on IT products and services had reached $86.4 billion in 2017, and 7% higher than the equivalent figure of the year before – but the law of diminishing returns was kicking in…

Why the traditional castle-and-moat approach no longer works

Traditionally, many organizations secured themselves on the assumption that the only threats lay outside their perimeters – the “moat”, it could be said. However, as cybersecurity experts have noted, many data breaches have occurred as a result of hackers being permitted free rein once inside a company’s “castle”.

“One of the inherent problems we have in IT is we let too many things run way too openly with too many default connections. We essentially trust way too much,” Cunningham has despaired, warning: “If you trust everything, then you don’t have a chance of changing anything security-wise.”

One simple reason why organizations today should urgently heed these words is that the “castle” no longer strictly exists, or at least not in the same isolated form as before.

Whereas that “castle” might once have been a data center housing various pieces of hardware, now, it’s more typical for companies to host some of their applications on-site and others in the cloud, where employees can access them through various devices and from multiple geographic locations.

How should you go about implementing zero trust? 

“Many companies are moving to cloud and, thus, green field environments. Those are the perfect places to go to zero trust. That’s where you start your zero trust journey,” Cunningham has explained, adding that many organizations reliant on legacy systems should see their own move to zero trust as a long-term transition.

They could consider a cloud-based solution like Wandera’s Zero Trust Network Access tool, which would use identity-centric security to let employees connect only to those business applications they have specific permission to access.