Computers, networks, software, data are now integral part of every business irrespective of their revenue and size. From a startup to a big billion organization, every business relies on computing systems to function with the pace of the modern world.
But with the evolution of IT and automation; a business critical problem of cybersecurity has arrived.
We all know how critical cybersecurity has become for every business. One single cyber attack is more than enough for any business to lose their credibility in the market and business.
Majority of organizations do not understand cybersecurity and they mostly rely on traditional cybersecurity such as firewalls, anti-virus etc.
But these traditional unplanned cybersecurity is not at all enough to counter the modern and ever growing cyber threats.
From full trust networks back in 1971 to zero trust network today in 2020, cybersecurity has been changed a lot.
This article talks about the evolution of cybersecurity, how the network centric, perimeter-based cybersecurity is no more sufficient to counter the cyber threats and zero trust networks has become the need of the day to counter the cyber threats.
Full Trust Network
Let’s go back to the very early days of computer networking. The initial prototype of the network was introduced by ARPANET.
Back then cybersecurity was not even a word. The only security was the physical security of computing devices and server rooms.
ARPANET was a group of selected researchers, universities, government bodies; trust was implicit. In fact the very first computer virus was a prank.
Back in 1971 computer engineer Bob Thomas developed a program named Creeper Virus. It was a harmless computer program that jumped from computer to computer using a network and displayed a message “I’m the creeper, catch me if you can!.”
After 15 years of this incident cybersecurity was first recognized by the industry back in 1986.
In 1986 Markus Hess, a German hacker was caught breaking into 400+ military computers to sell information to USSR’s intelligence agency KGB.
After that the US government passed the Computer Fraud and Abuse Act to recognize cyber crime.
The infamous Morris Worm was the first cyber crime to be prosecuted under the new Computer Fraud and Abuse Act back in 1988 and in the same year the very first network packet filter firewall was introduced by Digital Equipment Corp.
Partial Trust Networks
The Internet was introduced back in 1980 and devices were now connected to the internet and this gave birth to the idea of “Us” vs “Them”.
The concept of LANs and WANs were introduced. LANs were connected to a limited area such as offices, schools, universities etc – whereas WANs were for large geographic areas.
In order to protect organizational critical data this became the industry norm to differentiate between “Us” and “Them”.
The solution was a firewall. A firewall could filter the network traffic originating outside the trusted organizational network.
Creating a wall between the public internet and the organizational internet.
This perimeter operating model became the industry standard to counter the cybersecurity challenges.
This traditional framework is also known as the castle-and-moat model of network security.
The evolution of the protected network
Network packet firewalls were there to protect and tightly control networks.
All traffic could be traced back and can be marked as inside or outside traffic.
But this has changed as the workforce moved outside the traditional office premises. While on a business trip, remote connectivity to the office required and with this the evolution of VPNs, state-full firewalls, encryption, multi-factor authentication started.
Incomplete security within the network
The castle-and-moat model ensures cyber defenses against external threats but no defense against the insider threats.
Those who have the access to the internal network or gained the internal access by stealing credentials or with the help of any internal resource could move within the organizational network and was able to perform tasks.
Cybersecurity professionals came up with the idea of network segmentation to deal with this problem.
Distributed systems communicating over the web
Organizations had tight control over what entered through the gateways but by 2000, the perimeter had expanded rapidly.
Employees had workstations, mobile devices and laptops/PCs in their homes. SaaS emerged and software grew more.
Amazon came up with AWS and software defined networking became the new default and traditional LANs disappear.
This has created the vast cyber attack surface and work from home or remote working has created new challenges in front of cybersecurity professionals.
The traditional castle-and-moat model of cybersecurity is no more able to combat the modern cyber threats.
Evolution of Zero Trust Networks
Members of the 2004 Jericho Forum concluded that perimeter security was illusory, more like a picket fence than a wall.
Six years later John Kindervag coined the term Zero Trust Network during his tenure as VP at Forrester Research.
The basic presupposition of Zero Trust Network is that a network, public or private, is never secure.
The focus of Zero Trust Model is on strict identity verification of each person and device trying to access resources on the private network. Regardless of whether they are sitting within or outside the network perimeter.
No single technology is associated with zero trust architecture; It’s a holistic approach to cybersecurity that incorporates several different principles and technologies.
One of the most well-known implementations of Zero Trust Security is Google’s BeyondCorp Initiative, which was released back in 2014.
With BeyondCorp Initiative Google’s goal was to allow employees to work efficiently on any network without the use of VPNs.
Implementing Zero Trust Security
Zero Trust Security Architecture is build on top of 3 core principles :
Zero Trust = Authentication + Authorization + Encryption
- Authenticate both users and machines.
- Authorize continuously in accordance with the Principle of Least Privilege
- Encrypt all network traffic, regardless of origin
We will come up with a detailed blog on Zero Trust Security and how you can implement it into your organization and how zero trust security will help you combating the modern cyber threats and help you with compliance such as GDPR, PCI DSS etc.
Thank you for reading