For years, the principal goal in information security was to keep unauthorized parties out of a network. However, one problem with that mindset is that if people have the appropriate credentials, the system "trusts" them and grants access. But hackers can get the credentials they need through illegal means, like brute-force attacks.
So, zero trust is a security strategy that's growing in popularity. It means that the system does not automatically trust anyone, even the people who are already inside the network. Instead, everyone, both inside and outside the network, has to go through a verification process whenever they access resources.
The zero-trust model is becoming more popular because IT leaders realize it is not sufficient to assume the only bad actors exist outside the network. When a company begins from a position of never trusting someone without verifying them first, it could cut down on problems like employee mistakes that lead to data breaches or improper credentials.
Shane Barney serves as the Chief Information Security Officer and Chief of the Information Security Division at the Department of Homeland Security’s U.S. Citizenship and Immigration Services (USCIS). He recently spoke at a cybersecurity conference and asserted that cloud computing cannot happen without the notional ideas of zero trust.
He referred to the often-mentioned castle-and-moat analogy whereby IT security professionals focused on putting all their assets inside a boundary and guarding it. But Barney pointed out that the concept of a perimeter does not exist in the cloud. He also mentioned how people who decide to go to the cloud are already operating in a "zero-trust world." Moreover, he said that more than 99% of USCIS systems use a single-sign-on approach.
At the conference, he also described identity management as essential. Based on that, data centers may need to emphasize what identity management tools they have in place for employees of the data center. Zero trust offers predictable, consistent and reliable security. If data centers discuss their identity and access management (IAM) measures when appealing to clients, they could position themselves as more favorable choices.
In other news related to the government, zero trust and data centers, a program run by U.S. Cyber Command and the Defense Information Systems Agency (DISA) involves setting up a lab to explore how to enhance the Pentagon's approach to cybersecurity. Cybersecurity experts from the intelligence and defense communities will use the laboratory as a place to test new ways to protect military networks through better IAM practices and tools.
Besides looking at other IAM techniques, the people using the lab want to investigate continuous network monitoring options and how all the possibilities they come up with could be rolled out across the Pentagon. This news indicates that government-level IT authorities are no longer content with continuing to use security practices that may now be outdated. They want to see what else might better align with their security goals.
Data centers can take inspiration from this mindset and regularly see what other tools or technologies could help them maintain security at their data centers. Soon after the Capital One data breach in 2019, news broke that an anticipated contract between Amazon Web Services (AWS) and the Pentagon may not go ahead. AWS stored Capital One's information, and the hack caused government officials to reconsider.
AWS was the favorite to receive a $10 billion contract from the Pentagon. But the issue where one hacker got the data of millions of Capital One's customers could have caused a chilling effect. If data center providers adopt a model that puts security first and ideally uses the zero-trust approach, they could find it easier to win the confidence of potential customers.
Some companies are spotting the growing trend of zero-trust security and introducing cloud-based options that support it. For example, Aporeto has a policy management tool for Kubernetes multi-cluster and container environments that uses an application identity-based approach for verification rather than relying on IP addresses.
Also, this spring, Google revealed that it launched zero trust options to help enterprises improve IAM for G Suite content. Besides checking the person's identity, those possibilities evaluate the context of an individual's request.
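To make the difference between address-based trust and identity-plus-context verification concrete, here is an added example (not code from Aporeto, Google or any product named in this article). The signing key, policy table, request fields and function names are all assumptions constructed for illustration; a real deployment would rely on certificates or tokens from an identity provider.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo values (assumptions, not from any real product).
SIGNING_KEY = b"demo-key-constructed-for-this-example"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Which verified identity may perform which action on which resource.
POLICY = {("billing-api", "read", "customer-db")}


def sign_identity(name: str) -> str:
    """Issue a tag that proves a workload or user name (stand-in for a cert/token)."""
    return hmac.new(SIGNING_KEY, name.encode(), hashlib.sha256).hexdigest()


def perimeter_allows(request: dict) -> bool:
    """Castle-and-moat check: any internal source address is trusted."""
    return ipaddress.ip_address(request["source_ip"]) in INTERNAL_NET


def zero_trust_allows(request: dict) -> bool:
    """Per-request check: proven identity, explicit policy, then context."""
    expected = sign_identity(request["identity"])
    if not hmac.compare_digest(expected, request.get("identity_tag", "")):
        return False  # claimed identity is not proven
    key = (request["identity"], request["action"], request["resource"])
    if key not in POLICY:
        return False  # identity is real but not authorized for this resource
    return bool(request.get("device_compliant", False))  # context signal


def make_request(source_ip, identity, tag, compliant=True):
    """Build one constructed sample request."""
    return {"source_ip": source_ip, "identity": identity, "identity_tag": tag,
            "action": "read", "resource": "customer-db",
            "device_compliant": compliant}


GOOD_TAG = sign_identity("billing-api")
REQUESTS = {  # constructed sample requests
    "inside_verified": make_request("10.1.2.3", "billing-api", GOOD_TAG),
    "inside_unproven": make_request("10.9.9.9", "billing-api", ""),
    "outside_verified": make_request("203.0.113.7", "billing-api", GOOD_TAG),
    "inside_bad_device": make_request("10.1.2.3", "billing-api", GOOD_TAG, False),
}


def compare() -> dict:
    """Return {name: (perimeter decision, zero-trust decision)}."""
    return {n: (perimeter_allows(r), zero_trust_allows(r))
            for n, r in REQUESTS.items()}
```

The two models disagree on three of the four requests: the perimeter check admits an internal caller that cannot prove its identity and one on a non-compliant device, and rejects a fully verified caller only because of its address.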
Options like these mean that data centers don't need to delay if considering zero trust options for their infrastructure. However, using these kinds of tools likely requires a shift in mindset and practices. For example, analysts believe the change to the zero-trust model will make firewalls obsolete.
Additionally, it'll offer more flexibility that allows data center professionals to pinpoint resource usage or only provide resources for the people authorized to have them.
The examples here show that more professionals and organizations are at least getting interested in the zero-trust model. Some are adopting it or intending to do so soon.
IT professionals need to keep up with the evolution by understanding why zero trust and data centers go together well, and why the zero-trust model could help prevent breaches and improve security overall.
Kayla Matthews writes about data centers and big data for several industry publications, including The Data Center Journal, Data Center Frontier and insideBIGDATA. To read more posts from Kayla, you can follow her personal tech blog at ProductivityBytes.com.