With the continuous advancement of industrial digitalization and the “cloud migration” of enterprises, zero trust, as a new security concept, has become a key technology and general trend of global network security.
According to MarketsandMarkets, the market size of zero trust security will grow from $15.6 billion in 2019 to $38.6 billion in 2024, with a compound annual growth rate of 19.9% from 2019 to 2024.
In China, from the gradual implementation of zero-trust policies and standards to the active deployment by Internet technology giants, the heat of the market has become obvious. Industry insiders predict that zero trust is still in a period of expansion and will become a mainstream solution in the next 2-5 years.
With the wind behind it, is the future of zero trust clear?
What is Zero Trust?
As a security model defined by Forrester in 2010, “Zero Trust” is becoming the security strategy guide for the changing modern workplace.
As the National Institute of Standards and Technology (NIST) sums it up, Zero Trust is a set of “paradigms that shift defenses from static network-based perimeters to an evolving cybersecurity paradigm that focuses on users, assets, and resources.”
Simply put, “zero trust” means “trust nothing, verify everything”. It requires any user (internal or external to the company) to be authenticated and authorized before being granted access to systems, applications and data.
It is worth noting that “zero trust” is a philosophy, not a technology. There is no single product or solution that enables an enterprise to achieve “zero trust” on its own.
At present, the “SIM” (SDP, IAM and MSG) announced by NIST in 2019 has become the industry-recognized set of three major technology paths to achieve zero trust.
Software Defined Perimeter (SDP)
In SDP, the client first performs multi-factor authentication to verify, among other things, the trustworthiness of the device. Once that passes, it enters the user login stage. These two steps are interactions between the client and the IT administrator, and do not involve access to specific services. Only after authentication has passed can the client establish a connection with the services it is allowed to access.
Identity and Access Management (IAM)
IAM has functions such as single sign-on, authentication management, policy-based centralized authorization, auditing, and dynamic authorization. It determines who has access, how to access it, what actions can be performed after access, etc.
Compared with traditional IAM, in addition to unified management, authentication and authorization of user identities, modern IAM also needs to realize dynamic risk perception and intelligent analysis based on big data and AI technology. and permission data, as well as environmental context data, to automatically generate authentication and authorization policies through risk models
Micro-Segmentation (MSG)
Micro-isolation is a finer-grained network isolation technology that can meet the requirements for east-west traffic isolation in traditional environments, virtualized environments, hybrid cloud environments, and container environments. It is mainly used to prevent attackers from moving laterally after they enter the enterprise data center network.
The arrival of the zero trust boom
The acceleration of digital transformation and the continuous popularization of cloud computing have both promoted the rapid implementation of the “zero trust” concept.
The “zero trust” application scenario is not limited to remote office; SaaS operation security, big data centers, cloud security platforms and the like are also typical application scenarios.
Any enterprise network can be designed based on the principles of “Zero Trust”, and most organizations already have some elements of “Zero Trust” in their enterprise infrastructure or are in the process of implementing “Zero Trust” through information security and resiliency policies and best practices.
At present, there are many participants in the “zero trust” market, and there are four main types of participants:
Cloud giants: Google, Microsoft, as well as domestic giants such as Tencent Cloud and Alibaba Cloud, were the first to practice “zero trust” within their enterprises and launch complete solutions;
Identity security companies: Duo, OKTA, Centrify, Ping Identity launched “identity-centric” “zero trust” solutions;
Comprehensive security vendors: Cisco, Akamai, Symantec, F5, as well as domestic AsiaInfo Security, Venus, Sangfor, Qi Anxin, etc., have launched “zero trust” solutions that focus on network implementation;
Start-up security companies: Vidder, Cryptzone, Zscaler, Illumio, as well as domestic start-up companies such as CoreShield.
In addition, mergers and acquisitions have become the main theme of the current “zero trust” market. Giant players such as Cisco, Palo Alto, Symantec, Unisys, and Proofpoint mostly achieve the depth of “zero trust” network access and the horizontal layout of their business through acquisitions.
It can be seen that “zero trust” has come to the forefront and has become a hot cybersecurity buzzword. But it has been 10 years since the concept of “zero trust” was born. Why is it breaking out now?
Specifically, the rapid rise of the zero-trust security architecture in recent years rests on three advantages that cannot be ignored.
First, the idea of the limit case. Zero trust security “trusts no one and nothing”, no matter what level or network it is in. The zero-trust enterprise business application system closes all ports by default, denies all internal and external access, and only dynamically opens ports to the IP of legitimate clients, so that any illegal scanning and attacks can be directly avoided.
Second, the idea of continuity. Zero trust does not verify access once; it verifies continuously, and based on the results of verification and monitoring, it performs trust assessment and permission adjustment on the access. This “continuous response” ensures that access is under control throughout the process.
Third, the idea of minimization. The principle of minimization can greatly reduce the attack surface while ensuring that access is “sufficient”; on this basis, micro-isolation can be used to limit the scope of an attack as far as possible and to block its spread.
This kind of leadership at the “ideological” level may be the most solid foundation on which the zero-trust security architecture will eventually subvert the traditional network security architecture.
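The three ideas above, together with the SDP sequence of device check, user login and only then a service connection, can be sketched as a small gateway model. This is an added example, not part of the original article; the Gateway class, the entitlement table, the sample addresses and the 0.5 trust threshold are all assumptions made for illustration.

```python
# Added illustration; every name and value here is hypothetical.
ENTITLEMENTS = {"alice": {("crm", 8443)}}   # minimization: user -> (service, port)
TRUST_FLOOR = 0.5                           # assumed cut-off for the trust score

class Gateway:
    """Default-deny gateway: no port is reachable until a grant exists."""

    def __init__(self):
        self.grants = {}                    # (client_ip, port) -> user

    def admit(self, ip, user, device_ok, mfa_ok):
        # Device check and user login come first; neither touches a service.
        if not (device_ok and mfa_ok):
            return set()
        entitled = ENTITLEMENTS.get(user, set())
        for _service, port in entitled:
            # Open only the entitled ports, and only for this client IP.
            self.grants[(ip, port)] = user
        return {port for _service, port in entitled}

    def allows(self, ip, port):
        # Anything without an explicit grant is denied.
        return (ip, port) in self.grants

    def reassess(self, ip, trust_score):
        # Continuous verification: a low score revokes every grant for the IP.
        if trust_score < TRUST_FLOOR:
            for key in [k for k in self.grants if k[0] == ip]:
                del self.grants[key]

def demo():
    gw = Gateway()
    ip = "192.0.2.10"                       # constructed documentation address
    before = gw.allows(ip, 8443)            # closed by default
    gw.admit(ip, "alice", device_ok=True, mfa_ok=True)
    entitled = gw.allows(ip, 8443)          # opened for this IP only
    other_port = gw.allows(ip, 22)          # not in alice's entitlements
    other_ip = gw.allows("198.51.100.7", 8443)
    gw.reassess(ip, 0.2)                    # trust dropped mid-session
    after_drop = gw.allows(ip, 8443)
    return [before, entitled, other_port, other_ip, after_drop]

if __name__ == "__main__":
    print(demo())
```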
How does zero trust work?
“Zero Trust” brings new excitement to network security, network delivery, and even the entire IT industry. A drastic change in the field of network security triggered by “zero trust” security is coming.
However, there is an undeniable fact under these circumstances: domestically, the application of “zero trust” is still in the introduction stage.
Because its construction involves factors such as the substantial transformation of the enterprise's existing network system, coupled with the ever-changing needs of business scenarios, the large-scale implementation of “zero trust” cannot be achieved in a short period of time.
How to break the bottleneck of construction and go deep into the “zero trust” security practice has become a common problem facing digital enterprises.
Although taking “zero trust” as the original “gene” of a network system from the beginning of its construction is generally considered the most ideal construction method in the industry, there is no single method or standard for building a “zero trust” network security framework. The “zero trust” security practice does not mean “overthrow”, but the integration and superposition of identity-based fine-grained access control systems.
However, this “integration and superposition” is not a simple “patch” model, and may even touch the foundation of the enterprise’s original network security system, and a lot of manpower and cost investment are truly visible.
Therefore, the support of business leaders is particularly critical in this process. A comprehensive analysis of an enterprise’s existing network security needs is not only the key to clarifying the path to zero trust and formulating strategies, but also an effective way to successfully convince leaders.
Of course, as the specific implementers of the zero-trust security framework, whether the employees of the enterprise can realize the update of the way of thinking is also a factor that cannot be ignored for the zero-trust security system to play its due role.
Therefore, professional training and education led by senior “zero trust” security experts has become an indispensable part of enterprise zero trust implementation practice, and it is also key to maintaining a long-term optimization mechanism for the enterprise zero trust security architecture and preserving the advantages of its dynamic and flexible characteristics.
In addition, under the general trend of market fragmentation and ecological decentralization in the zero trust industry, the development of zero trust urgently needs industry ecology to regulate and guide. Only by uniting more industry ecosystems to form a joint force, and working with ecological partners to establish corresponding security systems in corresponding scenarios and links, can the transformation of the network security system be truly realized.
In this process, as the provider of zero-trust security solutions and products, the driving force of security enterprises is obviously an important engine for the implementation of zero-trust security.
Only by continuously deepening the exploration and research of technical paths and solutions can security enterprises allow more enterprises to more accurately find the “zero trust secret recipe” that is most suitable for their own business scenarios.
In general, “all roads lead to Rome”: what an enterprise needs to do is find the path best suited to its own business system, based on the status quo of its traditional security system, identity, account, authority control and audit management.
At the same time, it is necessary to unite multiple forces to jointly explore the best practice road of “zero trust”.
It is worth noting that the security industry has always been driven by compliance requirements and business needs. Enterprises’ business needs for “zero trust” have gradually become prominent. If strict and effective compliance requirements are added, even if the cost of reform is large, “zero trust” will be accelerated.
Entering 2021, the new network security system starting from “zero trust” may really come to fruition.