What is a zero trust network?
Traditionally, networks were built for communication and collaboration. Because cyber threats keep growing and criminals exploit that openness, it has become increasingly necessary to restrict networks to only the communications the business actually needs. This has led to the idea of “zero trust” networks.
New networks and cloud networks (especially regulated clouds such as the Azure and AWS government clouds) are built on the idea of zero trust: by default no communication is allowed, and every communication path must be permitted by explicit exception. If you think about it, why should PC or laptop 1 have unfettered access to PC or laptop 2 by default? Unless there is a genuine need for that access, its only use is for a cyber criminal (or pen tester) to move laterally around the network. Zero trust networks block that sort of lateral communication by default. They also do not allow broadcasts, which means the administrator has to define every communication path. This makes it difficult for a bad actor to perform enumeration or reconnaissance.
Are there any downsides?
One issue that can arise with the zero trust model comes from compliance. Many tools required to meet compliance mandates need the ability to scan or enumerate the network. In most cases such scanning can be allowed as a defined exception, but that exception is itself an attack vector that must be scoped, monitored, and mitigated in some way.
There is more overhead in managing a zero trust network, but think of it as the difference between having to both unlock a door and turn off an alarm versus simply walking through an open door. It is a worthwhile venture.
Zero trust networks are the future of cybersecurity, so if you are an IT professional, a compliance officer, or otherwise involved in the day-to-day operation of networks, it will help you and your organization to start accepting and embracing that future now.
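To make the default-deny idea concrete, here is an added example that is not part of the original post: a tiny segmentation policy in which every permitted path is an explicit rule, anything unmatched (including broadcast and multicast) is denied, and a lint flags exceptions, such as a compliance scanner's, that are broad enough to deserve extra monitoring. The subnets, addresses and rule names are constructed for illustration.

```python
"""Default-deny ("zero trust") flow policy with a lint for over-broad exceptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset  # destination TCP ports this exception permits


# Every entry is an explicit exception; there is no "allow any" rule anywhere.
# Constructed sample policy: workstations reach one file server over SMB, and a
# single compliance scanner host may probe the whole site on three ports.
POLICY = [
    Rule("workstations-to-fileserver", ipaddress.ip_network("10.0.1.0/24"),
         ipaddress.ip_network("10.0.2.10/32"), frozenset({445})),
    Rule("compliance-scanner", ipaddress.ip_network("10.0.9.5/32"),
         ipaddress.ip_network("10.0.0.0/16"), frozenset({22, 443, 445})),
]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def evaluate(src: str, dst: str, port: int, policy=POLICY) -> str:
    """Return the name of the rule that permits the flow, or 'deny' (the default)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # No broadcast or multicast discovery at all: each path must be defined.
    if d == LIMITED_BROADCAST or d.is_multicast:
        return "deny"
    for rule in policy:
        if s in rule.src and d in rule.dst and port in rule.ports:
            return rule.name
    return "deny"  # nothing matched: workstation-to-workstation traffic lands here


def overly_broad(policy=POLICY, max_prefix: int = 24) -> list:
    """Lint: exceptions whose source or destination is wider than a /24.

    These (typically scanner or management rules) are the paths an intruder would
    most like to ride, so they warrant tighter scoping and alerting on misuse.
    """
    return [r.name for r in policy
            if r.src.prefixlen < max_prefix or r.dst.prefixlen < max_prefix]
```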