Zero Trust: the new post-pandemic challenge

The pandemic has forced a major leap forward in the development of remote working, and the Zero Trust framework represents a new challenge for network architects. This model goes hand in hand with the idea of de-perimeterisation, a term coined in 2003 that expresses the absence of company perimeters. Already in those years, new security problems were being identified, arising from the fact that corporate devices could be taken outside the company boundaries. As a result, ensuring the security of mobile phones and laptops in particular would become much more complex.

Background: from the 90s to today

The last 30 years have revolutionized the concepts of computer networks and security. In the 1990s, ensuring the protection of a company was complex but at the same time easily definable. The boundary between what was outside and what was inside the company was clear, and inside, typically, there was a client-server structure. The terminals were therefore considered safe, partly because they could only be accessed from the inside.

Something started to change with the widespread use of laptops, which revolutionized the idea of access control. For example, access based on IP or MAC address (valid if the station was fixed and always connected to the same network cable) could no longer be applied. With laptops it was possible to move from one floor to another in a building, or even between different buildings. Access still had to be guaranteed in each case, which required a change of strategy.

But the biggest revolution occurred with smartphones, which have normalized the use of corporate tools on devices not properly designed for this. Furthermore, a smartphone can be used from anywhere and at any time, nullifying the very idea of a company perimeter. This is why it is important to rethink how to guarantee access to systems and to move the concept of security to the end device. In the past, the infrastructure was protected while less attention was paid to the terminals, with security concentrated on the large systems.

Smartphones and other mobile devices have created new security problems and forced companies to rethink corporate network models.

Zero trust: the challenge of the new network without perimeters

With this background, we can introduce the Zero Trust architectural model. The architecture was proposed by NIST around 2018, although in reality it combines many technologies and ideas that already existed. To implement it, it is necessary to start from three main assumptions:

  • The network has now become the home office
  • Traditional security technologies cannot be applied
  • Mobile devices cannot be trusted.

With these principles we can expand the corporate network (now without perimeters) with new devices and the Bring Your Own Device (BYOD) approach, which allows users to access corporate services and resources from their personal devices. However, as mentioned earlier, this creates a new problem: the need to reinforce and ensure security directly on the end device.

The Zero Trust model, where external devices (BYOD) can access company services with the minimum possible permissions (Source: NCSC).

An approach in line with what has been described is the one proposed by the NCSC, which identifies further elements to guarantee the principles underlying the Zero Trust model:

  • A single central repository from which to retrieve information on the identity of users;
  • User-based authentication (and not IP-based for example);
  • Machine authentication, to make sure that access is taking place from an authorized device;
  • Authorization based on additional data such as location, device security, service or workload;
  • Authorization policies for the use of applications (so as to restrict use to those that are really necessary);
  • Access control policies even within the same application.
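The six elements above can be read as successive checks in a single default-deny access decision. The sketch below is an added example, not code from the NCSC or from the original article; the user directory, device inventory, application policy and the `decide` function are all hypothetical, constructed sample data and names.

```python
# Constructed sample data: one central identity store and a device inventory.
USERS = {"alice": {"groups": {"finance"}}}
DEVICES = {
    "dev-01": {"owner": "alice", "patched": True, "disk_encrypted": True},
    "dev-02": {"owner": "alice", "patched": False, "disk_encrypted": True},
}
# Per-application policy: who may use the app, from where, and which
# in-application actions each group may perform (hypothetical values).
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "countries": {"IT", "GB"},
                "actions": {"finance": {"read", "approve"}}},
    "wiki": {"groups": {"finance", "staff"}, "countries": None,
             "actions": {"finance": {"read"}, "staff": {"read", "edit"}}},
}

def decide(user, user_authenticated, device_id, device_authenticated,
           country, app, action):
    """Return (allowed, reason). Default deny: every check must pass.
    The source IP address is deliberately not an input to the decision."""
    # 1-2. Identity comes from the central store; authentication is per user.
    record = USERS.get(user)
    if record is None or not user_authenticated:
        return False, "user not authenticated"
    # 3. Machine authentication: a known device, bound to this user.
    device = DEVICES.get(device_id)
    if device is None or not device_authenticated or device["owner"] != user:
        return False, "device not authorized"
    # 4. Authorization on additional data: device security posture.
    if not (device["patched"] and device["disk_encrypted"]):
        return False, "device posture too weak"
    # 5. Application policy: only the applications the user really needs.
    policy = APP_POLICY.get(app)
    if policy is None or not (record["groups"] & policy["groups"]):
        return False, "application not permitted"
    # 4 (continued). Location as an additional signal, if the app restricts it.
    if policy["countries"] is not None and country not in policy["countries"]:
        return False, "location not permitted"
    # 6. Access control inside the application: per-group actions.
    allowed = set()
    for group in record["groups"]:
        allowed |= policy["actions"].get(group, set())
    if action not in allowed:
        return False, "action not permitted in application"
    return True, "allowed"
```

The same authenticated user is allowed or refused depending on the device, its posture, the location and the requested action, which is the difference from a perimeter model where being inside the network was enough.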

The Zero Trust approach certainly revolutionizes the concept of the corporate network and how to connect to it. However complex it may be, it will most likely represent a turning point in the near future.

The article "Zero Trust: the new post-pandemic challenge" comes from Tech CuE | Close-up Engineering.