Before Zero Trust security existed, companies had to take utmost care to ensure that only trusted users were allowed to access the corporate network. Although the term “Zero Trust” was popularized by John Kindervag, it was originally coined by Stephen Paul Marsh in 1994. Kindervag was an analyst with Forrester at that time when he had recognized the potential of this technology, and the world started to take notice.
However, it was Marsh who had first introduced the “Zero Trust” concept. His take on trust in the realm of IT system administration was that it could be mathematically modeled and constructed. According to him, it was more than a mere human phenomenon or confrontation. “Trust” (as per Marsh) was much more than human ethos, laws, judgment, and justice.
The Zero Trust Security model evolution
The modern history of Zero Trust took roots in 2003 when the Jericho Forum highlighted the problems associated with demarcating organizational boundaries for IT systems. The Jericho Forum actively researched and promoted a concept called ‘de-parameterization.’
Google was one of the first companies to take the cue from the potentialities of the Zero Trust architecture. The initiative was called BeyondCorp, and in 2009, Google implemented a de-parameterized framework based on the Zero Trust Architecture.
Kindervag, at this time, was actively engaging with IT communities, popularizing the Zero Trust approach. But things did not happen overnight. It took more than ten years for most organizations to slowly start implementing zero trust architectures. More of this was driven due to the proliferation of cloud and mobile technologies.
The birth of a new critical technology
While the history of Zero Trust provided a contextual foundation for the technology itself, the actual shaping took place only later. The crystallization of this technology was in 2014 when a Swiss security IT engineer designed a Zero Trust Network. The network was based on firewall-based circuits to protect any client from malware. The Swiss Federal Institute of Intellectual Property received the manuscript of this architectural style, which was called the Untrust-Untrust type of network. The manuscript was subsequently published in 2015.
The evolution of Zero Trust security started to prompt national security agencies such as the National Cyber Security Centre and the UK National Technical Authority to start recommending this architecture by 2019. By the close of 2020, major platform solution vendors, cloud service providers, and cyber security providers made zero trust part of their architectures. Because of the increased usage of Zero Trust and varying architectures in place, the NIST and NCSC were tasked with standardizing the implementation of this technology.
What are the key standardization points proposed by NCSC and NIST?
As part of the evolution of Zero Trust security, the work of NCSC and NIST on the Zero Trust Model led to the creation of a publication titled – Zero Trust Architecture. In this publication, Zero Trust is defined as a collection of principles that can be applied to network security. The key principles that were part of the standardization effort were identified on the following lines:
- User and machine authentication
- User identity – a single and strong source
- Additional context – device metrics, compliance, etc.
- Application authorization policies
- Application access control policies