{"id":2151,"date":"2022-06-07T15:41:58","date_gmt":"2022-06-07T15:41:58","guid":{"rendered":"https:\/\/salarydistribution.com\/machine-learning\/2022\/06\/07\/what-is-zero-trust\/"},"modified":"2022-06-07T15:41:58","modified_gmt":"2022-06-07T15:41:58","slug":"what-is-zero-trust","status":"publish","type":"post","link":"https:\/\/salarydistribution.com\/machine-learning\/2022\/06\/07\/what-is-zero-trust\/","title":{"rendered":"What Is Zero Trust?"},"content":{"rendered":"<div data-url=\"https:\/\/blogs.nvidia.com\/blog\/2022\/06\/07\/what-is-zero-trust\/\" data-title=\"What Is Zero Trust?\" data-hashtags=\"\">\n<p>For all its sophistication, the Internet age has brought on a digital plague of security breaches. The steady drumbeat of data and identity thefts spawned a new movement and a modern mantra that\u2019s even been the subject of a U.S. presidential mandate \u2014 zero trust.<\/p>\n<h2><b>So, What Is Zero Trust?<\/b><\/h2>\n<p>Zero trust is a cybersecurity strategy for verifying every user, device, application and transaction in the belief that no user or process should be trusted.<\/p>\n<p>That definition comes from the <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/Final%20Draft%20NSTAC%20Report%20to%20the%20President%20on%20Zero%20Trust%20and%20Trusted%20Identity%20Management.pdf\">NSTAC report<\/a>, a 56-page document on zero trust compiled in 2021 by the U.S. 
National Security Telecommunications Advisory Committee, a group that included dozens of security experts led by a former AT&amp;T CEO.<\/p>\n<p>In an interview, John Kindervag, the former Forrester Research analyst who created the term, noted that he defines it this way in his <a href=\"https:\/\/www.dropbox.com\/scl\/fi\/inxxaw6lzzqmtq34q9zhc\/Zero-Trust-Dictionary-v2-for-CTI-v1.docx?dl=0&amp;rlkey=yyu612ibe7ayq59nor6qmgfto\">Zero Trust Dictionary<\/a>: Zero trust is a strategic initiative that helps prevent data breaches by eliminating digital trust in a way that can be deployed using off-the-shelf technologies that will improve over time.<\/p>\n<h2><b>What Are the Basic Tenets of Zero Trust?<\/b><\/h2>\n<p>In his <a href=\"https:\/\/media.paloaltonetworks.com\/documents\/Forrester-No-More-Chewy-Centers.pdf\">2010 report<\/a> that coined the term, Kindervag laid out three basic tenets of zero trust. Because all network traffic should be untrusted, he said users must:<\/p>\n<ul>\n<li>verify and secure all resources,<\/li>\n<li>limit and strictly enforce access control, and<\/li>\n<li>inspect and log all network traffic.<\/li>\n<\/ul>\n<p>That\u2019s why zero trust is sometimes known by the motto, \u201cNever Trust, Always Verify.\u201d<\/p>\n<h2><b>How Do You Implement Zero Trust?<\/b><\/h2>\n<p>As the definitions suggest, zero trust is not a single technique or product, but a set of principles for a modern security policy.<\/p>\n<p>In its seminal <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-207\/final\">2020 report<\/a>, the U.S. 
National Institute of Standards and Technology (NIST) detailed guidelines for implementing zero trust.<\/p>\n<p><a href=\"https:\/\/blogs.nvidia.com\/wp-content\/uploads\/2022\/06\/ZT-NIST-diagram.jpg\"><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/blogs.nvidia.com\/wp-content\/uploads\/2022\/06\/ZT-NIST-diagram-672x246.jpg\" alt=\"Zero Trust architecture from NIST\" width=\"672\" height=\"246\"><\/p>\n<p><\/a><\/p>\n<p>Its general approach is described in the chart above. It uses a security information and event management (SIEM) system to collect data and continuous diagnostics and mitigation (CDM) to analyze it and respond to insights and events it uncovers.<\/p>\n<p>It\u2019s an example of a security plan also called a zero trust architecture (ZTA) that creates a more secure network called a zero trust environment.<\/p>\n<p>But one size doesn\u2019t fit all in zero trust. There\u2019s no \u201csingle deployment plan for ZTA [because each] enterprise will have unique use cases and data assets,\u201d the NIST report said.<\/p>\n<h2><b>Five Steps to Zero Trust<\/b><\/h2>\n<p>The job of deploying zero trust can be boiled down to five main steps.<\/p>\n<p>It starts by defining a so-called protect surface, what users want to secure. A protect surface can span systems inside a company\u2019s offices, the cloud and the edge.<\/p>\n<p>From there, users create a map of the transactions that typically flow across their networks and a zero trust architecture to protect them. 
Then they establish security policies for the network.<\/p>\n<p>Finally, they monitor network traffic to make sure transactions stay within the policies.<\/p>\n<p><a href=\"https:\/\/blogs.nvidia.com\/wp-content\/uploads\/2022\/06\/ZT-process-NSTAC-report.jpg\"><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/blogs.nvidia.com\/wp-content\/uploads\/2022\/06\/ZT-process-NSTAC-report-672x179.jpg\" alt=\"Five step process for zero trust\" width=\"672\" height=\"179\"><\/p>\n<p><\/a><\/p>\n<p>Both the NSTAC report (above) and Kindervag suggest these same steps to create a zero trust environment.<\/p>\n<p>It\u2019s important to note that zero trust is a journey, not a destination. Consultants and government agencies recommend users adopt a zero trust maturity model to document an organization\u2019s security improvements over time.<\/p>\n<p>The Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security, described one such model (see chart below) in <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf\">a 2021 document<\/a>.<\/p>\n<p><a href=\"https:\/\/blogs.nvidia.com\/wp-content\/uploads\/2022\/06\/ZT-Maturity-Model-CISA.jpg\"><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/blogs.nvidia.com\/wp-content\/uploads\/2022\/06\/ZT-Maturity-Model-CISA-548x500.jpg\" alt=\"Zero Trust maturity model from CISA\" width=\"548\" height=\"500\"><\/p>\n<p><\/a><\/p>\n<p>In practice, users in zero trust environments request access to each protected resource separately. 
They typically use multi-factor authentication (MFA) such as providing a password on a computer, then a code sent to a smartphone.<\/p>\n<p>The NIST report lists ingredients for an algorithm (below) that determines whether or not a user gets access to a resource.<\/p>\n<p><a href=\"https:\/\/blogs.nvidia.com\/wp-content\/uploads\/2022\/06\/ZT-NIST2.jpg\"><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/blogs.nvidia.com\/wp-content\/uploads\/2022\/06\/ZT-NIST2-672x463.jpg\" alt=\"NIST algorithm for zero trust access\" width=\"672\" height=\"463\"><\/p>\n<p><\/a><\/p>\n<p>\u201cIdeally, a trust algorithm should be contextual, but this may not always be possible,\u201d given a company\u2019s resources, it said.<\/p>\n<p>Some argue the quest for an algorithm to measure trustworthiness is counter to the philosophy of zero trust. Others note that machine learning has much to offer here, capturing context across many events on a network to help make sound decisions on access.<\/p>\n<h2><b>The Big Bang of Zero Trust<\/b><\/h2>\n<p>In May 2021, President Joe Biden released <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/\">an executive order<\/a> mandating zero trust for the government\u2019s computing systems.<\/p>\n<p>The order gave federal agencies 60 days to adopt zero trust architectures based on the NIST recommendations. 
It also called for a playbook on dealing with security breaches, a safety board to review major incidents \u2014 even a program to establish cybersecurity warning labels for some consumer products.<\/p>\n<p>It was a big bang moment for zero trust that\u2019s still echoing around the globe.<\/p>\n<p>\u201cThe likely effect this had on advancing zero trust conversations within boardrooms and among information security teams cannot be overstated,\u201d the NSTAC report said.<\/p>\n<h2><b>What\u2019s the History of Zero Trust?<\/b><\/h2>\n<p>Around 2003, ideas that led to zero trust started bubbling up inside the U.S. Department of Defense, leading to <a href=\"https:\/\/www.acqnotes.com\/Attachments\/DoD%20GIG%20Architectural%20Vision,%20June%2007.pdf\">a 2007 report<\/a>. About the same time, an informal group of industry security experts called the Jericho Forum coined the term \u201cde-perimeterisation.\u201d<\/p>\n<p>Kindervag crystalized the concept and gave it a name in his bombshell <a href=\"https:\/\/media.paloaltonetworks.com\/documents\/Forrester-No-More-Chewy-Centers.pdf\">September 2010 report<\/a>.<\/p>\n<p>The industry\u2019s focus on building a moat around organizations with firewalls and intrusion detection systems was wrongheaded, he argued. Bad actors and inscrutable data packets were already inside organizations, threats that demanded a radically new approach.<\/p>\n<h2><b>Security Goes Beyond Firewalls<\/b><\/h2>\n<p>From his early days installing firewalls, \u201cI realized our trust model was a problem,\u201d he said in an interview. \u201cWe took a human concept into the digital world, and it was just silly.\u201d<\/p>\n<p>At Forrester, he was tasked with finding out why cybersecurity wasn\u2019t working. In 2008, he started using the term zero trust in talks describing his research.<\/p>\n<p>After some early resistance, users started embracing the concept.<\/p>\n<p>\u201cSomeone once told me zero trust would become my entire job. 
I didn\u2019t believe him, but he was right,\u201d said Kindervag, who, in various industry roles, has helped hundreds of organizations build zero trust environments.<\/p>\n<h2><b>An Expanding Zero Trust Ecosystem<\/b><\/h2>\n<p>Indeed, Gartner projects that by 2025 at least 70% of new remote access deployments will use what it calls zero trust network access (ZTNA), up from less than 10% at the end of 2021. (Gartner, <i>Emerging Technologies: Adoption Growth Insights for Zero Trust Network Access<\/i>, G00764424, April 2022)<\/p>\n<p>That\u2019s in part because the COVID lockdown accelerated corporate plans to boost security for remote workers. And many firewall vendors now include ZTNA capabilities in their products.<\/p>\n<p>Market watchers estimate at least 50 vendors from Appgate to Zscaler now offer security products aligned with the zero trust concepts.<\/p>\n<h2><b>AI Automates Zero Trust<\/b><\/h2>\n<p>Users in some zero trust environments express frustration with repeated requests for multi-factor authentication. It\u2019s a challenge that some experts see as an opportunity for automation with machine learning.<\/p>\n<p>For example, Gartner suggests applying analytics in an approach it calls continuous adaptive trust. CAT (see chart below) can use contextual data \u2014 such as device identity, network identity and geolocation \u2014 as a kind of digital reality check to help authenticate users.<\/p>\n<figure id=\"attachment_57508\" aria-describedby=\"caption-attachment-57508\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blogs.nvidia.com\/wp-content\/uploads\/2022\/06\/ZT-Gartner-CAT.jpg\"><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/blogs.nvidia.com\/wp-content\/uploads\/2022\/06\/ZT-Gartner-CAT-672x443.jpg\" alt=\"Gartner on MFA to CAT for zero trust journey\" width=\"672\" height=\"443\"><\/p>\n<p><\/a><figcaption id=\"caption-attachment-57508\" class=\"wp-caption-text\">Gartner lays out zero trust security steps. 
Source: Gartner, Shift Focus From MFA to Continuous Adaptive Trust, G00745072, December 2021.<\/figcaption><\/figure>\n<p>In fact, networks are full of data that AI can sift in real time to automatically enhance security.<\/p>\n<p>\u201cWe do not collect, maintain and observe even half the network data we could, but there\u2019s intelligence in that data that will form a holistic picture of a network\u2019s security,\u201d said Bartley Richardson, senior manager of AI infrastructure and cybersecurity engineering at NVIDIA.<\/p>\n<p>Human operators can\u2019t track all the data a network spawns or set policies for all possible events. But they can apply AI to scour data for suspicious activity, then respond fast.<\/p>\n<p>\u201cWe want to give companies the tools to build and automate robust zero trust environments with defenses that live throughout the fabric of their data centers,\u201d said Richardson, who leads development on <a href=\"https:\/\/developer.nvidia.com\/morpheus-cybersecurity\">NVIDIA Morpheus<\/a>, an open AI cybersecurity framework.<\/p>\n<p><a href=\"https:\/\/blogs.nvidia.com\/wp-content\/uploads\/2022\/06\/Morpheus-architecture.jpg\"><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/blogs.nvidia.com\/wp-content\/uploads\/2022\/06\/Morpheus-architecture-672x399.jpg\" alt=\"NVIDIA Morpheus for zero trust\" width=\"672\" height=\"399\"><\/p>\n<p><\/a><\/p>\n<p>NVIDIA provides pretrained AI models for Morpheus, or users can choose a model from a third party or build one themselves.<\/p>\n<p>\u201cThe backend engineering and pipeline work is hard, but we have expertise in that, and we can architect it for you,\u201d he said.<\/p>\n<p>It\u2019s the kind of capability experts like Kindervag see as part of the future for zero trust.<\/p>\n<p>\u201cManual response by security analysts is too difficult and ineffective,\u201d he wrote in <a 
href=\"http:\/\/docs.media.bitpipe.com\/io_12x\/io_123020\/item_1128127\/Forrester_Rules_of_Engagement_A_Cal.pdf\">a 2014 report<\/a>. \u201cThe maturity of systems is such that a valuable and reliable level of automation is now achievable.\u201d<\/p>\n<p>To learn more about AI and zero trust, read <a href=\"https:\/\/blogs.nvidia.com\/blog\/2021\/11\/09\/zero-trust-cybersecurity\/\">this blog<\/a> or watch the video below.<\/p>\n<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>https:\/\/blogs.nvidia.com\/blog\/2022\/06\/07\/what-is-zero-trust\/<\/p>\n","protected":false},"author":0,"featured_media":2152,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/posts\/2151"}],"collection":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/comments?post=2151"}],"version-history":[{"count":0,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/posts\/2151\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/media\/2152"}],"wp:attachment":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/media?parent=2151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/categories?post=2151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/tags?post=2151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}