Zero Trust: a new and important paradigm in network connectivity

By Steven Puddephatt, Technical Architect at GlobalDots

Zero trust.  So, what is it all about?

Well, for once it’s not just a new buzzword thrown out by Silicon Valley types, it’s actually a new and important paradigm in network connectivity.

But before we get into what it means, it’s important to understand why it’s important and how we got here. So please let me take you on a little trip down memory lane and I promise it’ll all make sense.

Many years ago, when computer networks were first born, security wasn’t such an issue.  Computers weren’t really networked outside of an organisation and if you wanted to use a mainframe (there’s a term that sounds archaic these days) then you generally had to be in the same building as the server.  So risk was quite low and unless your employees were planning an ‘inside job’ you were pretty safe.

Time moved on and internet connectivity became the norm.  Suddenly, there was a great need to make your internal IT systems available to remote workers.  The VPN was born, which essentially created a secure tunnel through the internet in order to make it seem like you were in the office. 

And this paradigm has pretty much been the norm until recent years. The problem with this method of remote connection is that it’s a bit of a ‘one size fits all’ approach.  So a developer that needs access to dev resources ends up being given the same VPN as the person in payroll or finance.

Although VPNs can be configured to restrict access across a network, they are rarely configured as such (I speak from experience as both administrator and user on that front).  The reason for this is that it’s typically very complicated to do so and usually involves knowledge of how to set it up on a physical rack unit (Cisco, Check Point, F5, etc.). So you generally end up with all users having all network access. Less than ideal.

The other paradigm shift has come in the form of SaaS applications, whereby you don’t host the service yourself, but rather use the vendor’s internet-hosted platform.  Examples of this would be Office 365, Salesforce, Gmail and about a million other applications. This has created a whole new problem for system admins, as these services are open to the world and can be logged into from anywhere (not even needing a VPN).

So now we’ve got Wild West VPNs and people consuming SaaS services wherever they like.  Keeping tabs on everything in this new world is nothing short of a nightmare. Thankfully, there are solutions at hand. 

Google was one of the first to solve this with their ‘BeyondCorp’ approach. Just FYI, ‘BeyondCorp’ is another way of saying ‘zero trust’.  In this new world, rather than giving you VPN access to resources and assuming you have privilege, every request you make is treated as if you’re unknown and not trusted.

In this landscape, you don’t even connect into resources; rather, they are published to you as available applications. Think of it a bit like a jump portal. Every user logs into the portal and, based on their unique set of privileges, is shown only the apps they are allowed to connect to.

So the finance employee can see a link to the payroll system, but a developer cannot. This way of publishing your apps to a portal, or jump cloud, means that there is no need to allow anyone direct access onto the network – all traffic is vetted and funnelled to the back-end applications via the portal.  Then, if user access is revoked, they can’t get onto the portal and they can’t access resources.

SaaS applications can also be protected in this way, by making your portal a proxy to the application.  In this setup you make the SaaS application accessible only if the request has first been through your portal.  You’re not restricting access to these applications, you’re just adding a hoop to jump through first, to prove you are who you say you are.  And really, that’s what all this is about – are you who you say you are?
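The portal model described above, as an added example that is not code from the original article or from GlobalDots: a minimal identity-aware access portal in which every request is authenticated and authorised against the user’s current entitlements (so revocation takes effect on the very next request), the user is shown only the apps they may reach, and SaaS requests are forwarded with a short-lived signed assertion so the SaaS side can insist that the request came through the portal first. The users, apps, URLs and the shared signing key are all constructed for illustration; in a real deployment the entitlements would come from your identity provider and the SaaS-side check would be done via SAML or OIDC with the portal as identity provider, not with a hand-rolled token.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed directory: who is entitled to which published app.
ENTITLEMENTS = {
    "alice@example.com": {"payroll", "crm"},    # finance
    "bob@example.com": {"gitlab", "jenkins"},   # developer
}

# Constructed app catalogue. The portal publishes links to these; it never
# hands out direct network access to the hosts behind them.
APPS = {
    "payroll": "https://payroll.internal.example",
    "gitlab": "https://gitlab.internal.example",
    "jenkins": "https://jenkins.internal.example",
    "crm": "https://crm.saas-vendor.example",   # SaaS app fronted by the portal
}

# Hypothetical key shared between the portal and the SaaS-side check.
PORTAL_KEY = b"constructed-demo-key-do-not-use"


class AccessDenied(Exception):
    """Raised whenever a request cannot be tied to an allowed identity."""


def authenticate(session_user):
    """Zero trust: nothing is trusted because of where it came from.
    The only input that counts is an authenticated identity that still
    exists in the directory; anything else is treated as unknown."""
    if session_user is None or session_user not in ENTITLEMENTS:
        raise AccessDenied("unauthenticated request")
    return session_user


def visible_apps(session_user):
    """The portal shows only the apps this user is entitled to."""
    user = authenticate(session_user)
    return sorted(ENTITLEMENTS[user] & set(APPS))


def authorize(session_user, app):
    """Per-request check: return the back-end URL only if entitled."""
    user = authenticate(session_user)
    if app not in ENTITLEMENTS[user]:
        raise AccessDenied(f"{user} is not entitled to {app}")
    return APPS[app]


def revoke(user):
    """Removing the user from the directory locks them out of the portal,
    and therefore out of every app, on their next request."""
    ENTITLEMENTS.pop(user, None)


def _sign(payload):
    return hmac.new(PORTAL_KEY, payload, hashlib.sha256).hexdigest()


def mint_assertion(session_user, app, now=None, ttl=300):
    """Forwarding a SaaS request: the portal authorises it, then attaches
    a short-lived signed assertion naming the user and the app."""
    authorize(session_user, app)
    exp = (time.time() if now is None else now) + ttl
    payload = json.dumps({"sub": session_user, "app": app, "exp": exp},
                         sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def verify_assertion(token, app, now=None):
    """SaaS-side check (constructed stand-in for SAML/OIDC): accept the
    request only if it carries an untampered, unexpired portal assertion
    for this app. Any malformed token is simply refused."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return False
    if not hmac.compare_digest(sig, _sign(payload)):
        return False
    claims = json.loads(payload)
    current = time.time() if now is None else now
    return claims.get("app") == app and claims.get("exp", 0) > current


def is_denied(action, *args):
    """Helper so callers can ask 'would this request be refused?'"""
    try:
        action(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    print("bob sees:", visible_apps("bob@example.com"))
    token = mint_assertion("alice@example.com", "crm")
    print("crm accepts alice via portal:", verify_assertion(token, "crm"))
    revoke("alice@example.com")
    print("alice after revocation:", is_denied(authorize, "alice@example.com", "payroll"))
```

The point to notice is that the network path plays no part in any decision: a request from inside the office and one from a coffee shop go through exactly the same `authenticate` and `authorize` calls, and the SaaS vendor accepts nothing that was not first vetted by the portal.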

Indeed, with all these various systems to log into and with users typically recycling passwords, the edge of your network has never been more vulnerable.  By creating a kind of electronic ‘sheep dip’ through which all of your applications are accessed, you’re making sure that the connections are valid. Add multi-factor authentication (MFA) to these tools and you’re well on your way to having a very open, flexible and secure network perimeter.

Large organisations are already well under way with these projects and the VPN will eventually become a relic of the past, along with the mainframe.