Researcher John Kindervag published a paper about a decade ago that argued administrators of sensitive computer networks shouldn’t trust anyone on their networks, regardless of their title.
It’s not good enough simply to try to keep bad guys out of your network, he argued. You also have to put strict limits on the people already inside, thus the shorthand for the security model: “zero trust.”
“People told me I was crazy,” Kindervag said of the 2010 report. But the cybersecurity approach has slowly gained followers over the years, as government agencies and private businesses have been continually pummeled by computer hacks.
Now, in the wake of two massive cyber-attacks that exposed glaring deficiencies in U.S. defenses, government officials and cybersecurity practitioners are saying zero trust may be the way to stop the cyber mayhem. In February, the National Security Agency issued guidance urging the owners of networks related to national security and critical infrastructure to adopt zero trust.
In many existing computer networks, once an individual has logged into the system, they can move freely and access information without further verification. It’s what some cybersecurity experts describe as a “castle and moat” approach, protecting perimeter security by investing in firewalls, proxy servers and other intrusion prevention tools and assuming activity inside the castle walls is mostly safe.
Zero trust takes a different approach, assuming that anyone who logs on is suspicious and preventing them from moving freely through the system — such as accessing the other devices and networks connected to it — without authenticating their credentials for each additional connection.
In other words, zero trust “reduces or prevents lateral movement and privilege escalation,” said George Kurtz, the chief executive officer of the cybersecurity firm Crowdstrike Holdings, speaking at a February congressional hearing.
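The contrast between the two models described above can be made concrete with a small policy evaluator. The following is an added illustration, not code from the article or from any vendor quoted in it; the user names, resource names and the `ACCESS_POLICY` table are constructed for the example. A perimeter ("castle and moat") check trusts any authenticated session for every resource, while a zero-trust check re-verifies the identity, the device and an explicit authorization on every connection, which is what blocks the lateral movement Kurtz refers to.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One attempted connection from a user to an internal resource."""
    user: str
    session_authenticated: bool   # passed the login at the network edge
    resource: str                 # internal system being reached
    mfa_verified: bool = False    # fresh verification for this connection
    device_compliant: bool = True # endpoint passed a posture check


# Constructed sample policy: which identities may reach which resources.
ACCESS_POLICY = {
    "hr-db": {"alice"},
    "payroll-api": {"alice", "bob"},
    "wiki": {"alice", "bob", "mallory"},
}


def perimeter_allows(req: Request) -> bool:
    """Castle-and-moat: one login at the edge, then free movement inside."""
    return req.session_authenticated


def zero_trust_allows(req: Request) -> bool:
    """Zero trust: every connection is re-verified and explicitly authorized."""
    if not req.session_authenticated:
        return False
    if not req.mfa_verified:          # credentials re-checked per connection
        return False
    if not req.device_compliant:      # the device is part of the decision
        return False
    # Least privilege: only identities listed for this resource get through.
    return req.user in ACCESS_POLICY.get(req.resource, set())


def compare_models(requests):
    """Return (user, resource, perimeter_decision, zero_trust_decision) per request."""
    return [(r.user, r.resource, perimeter_allows(r), zero_trust_allows(r))
            for r in requests]


# Constructed sample traffic: a legitimate admin, a user skipping re-verification,
# and a logged-in account that should never reach the HR database.
SAMPLE_REQUESTS = [
    Request("alice", True, "hr-db", mfa_verified=True),
    Request("bob", True, "payroll-api", mfa_verified=False),
    Request("mallory", True, "hr-db", mfa_verified=True),
]

if __name__ == "__main__":
    for user, resource, perim, zt in compare_models(SAMPLE_REQUESTS):
        print(f"{user:8} -> {resource:12} perimeter={perim!s:5} zero_trust={zt}")
```

Running the module shows that the perimeter model admits all three requests once the session exists, whereas the zero-trust check admits only `alice`, denies `bob` until the connection is re-verified, and denies `mallory` outright because the identity is not authorized for `hr-db` regardless of being inside the network.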
The embrace of zero trust has occurred in part because of U.S. failures to prevent major breaches linked to Russia and China. For example, following the 2015 revelation that Chinese hackers had breached the U.S. Office of Personnel Management, stealing sensitive security clearance…