The Emergence of Post Covid-19 Zero Trust Security Architectures

Abstract

With a significant move to home working during the pandemic zero trust concepts have gained greater acceptance, and there was significant hype about the Zero Trust attributes of many security products. Indeed, every security company now claims to embrace Zero Trust. Many do so without stating which of their products or services contribute to a Zero Trust framework. This hype has raised awareness of the security issues associated with remote working, which obviously is a very positive acknowledgement that current security frameworks need to be improved to embrace the fast-growing use of technologies such as video conferencing, screen sharing and even Cloud identity management systems. Behind the scenes there has been significant developments: In February 2020 Weever and Andreou [3] published Zero Trust Network Security Model in containerized environments and examined containerised communications and Zero Trust implementations in depth, and how in software defined networks micro segmentation protects is managed by a network policy engine that can use a security sidecar module to shut down a network segment in the event of an attack being identified. In February and March 2020 two draft articles were published Implementing a Zero Trust Architecture and a NIST draft of a Zero Trust framework with a Policy Engine making policy decisions based on monitoring and threat intelligence. These draft documents show how NIST is distilling the theory into a standard architecture for Zero Trust implementations. This is a milestone in the Zero Trust story as this will lead to a common approach that will allow corporations to be able to align their strategies with a recognised Zero Trust framework. In April Malhotra [9] made the argument how the USA should take the Lead in Data Protection by using Zero Trust Architectures and Penetration Testing. This is an interesting argument as with a blurred network perimeter, the penetration tester no longer has a single point of entry to the network to test an organisation and a Penetration Testers job nowadays is more to do with testing an organisations resilience to phishing emails and social engineering than trying to exploit communication port vulnerabilities that might exist on external IP addresses at perimeter firewalls.