For decades, access to corporate digital resources was restricted only by perimeter protection technologies such as firewalls and intrusion detection systems, and by passwords for user authentication.

Passwords soon proved inadequate to prevent unauthorised access and two-factor authentication (2FA), such as tokens or one-time codes sent in a text message, was introduced. 2FA greatly increased security, but still suffered from a fundamental weakness: it was typically only used to secure the perimeter. Once the accessing agent passed the authentication, it was trusted and granted unlimited access to the protected resources.

Perimeter security, when accessed via 2FA, can be adequate when the perimeter is limited and clearly defined. But today, resources are spread across in-house data centres, public and private cloud.

It is much more difficult to define and protect the perimeter in that environment. This is leading many organisations to adopt a zero trust mindset, pursue the principles of zero trust, and then implement solutions accordingly to secure their assets.

With zero trust, every attempted access is subject to strong authentication, the accessing device is checked for authority to access and, most importantly, once these tests are passed, that user (and that device) can access only resources previously specified.

RSA offers multiple tools that provide and support zero trust security.

RSA’s SecurID Suite combines multi-factor authentication with access management and identity governance; and RSA NetWitness is a security information and event management (SIEM) solution that spans all IT environments: cloud, on premises and virtual.

ZERO TRUST AND WHY IT IS NEEDED

The limits of perimeter security

In today’s world, where resources are spread across multiple locations, it would be impracticable to apply perimeter controls to each individual resource.
Applying a consistent policy across environments supported by multiple vendors is even more challenging.

And in today’s virtualised data centre environment, where the majority of traffic is east-west and workloads move between different environments, the idea of a secure perimeter is becoming obsolete.

Finally, perimeter security can offer no protection against a threat that originates within the secure perimeter, such as an insider gone rogue.

Meet zero trust

The term zero trust, coined by Forrester in 2010, is based on the premise that nothing is inherently safe, and everything must be continuously verified. “Trust nothing. Verify everything.”

Zero trust leverages different access control, data protection and data governance technologies, principally:
- multifactor authentication for robust verification of user identity;
- access device identification and verification;
- encryption;
- access policy enforcement;
- Security Information and Event Management and threat intelligence to continuously monitor the zero trust protected environment, and to identify and respond to any threats detected.

Recently, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-207, Zero Trust Architecture, which describes in detail the principles, design, and technologies recommended for pursuing Zero Trust.

Zero trust in action

The key feature of zero trust that extends it beyond these component technologies is that the level of protection is determined by the nature and value of the asset being protected.

There is no one-size-fits-all approach in zero trust. It requires a new mindset, a new approach to IT security: one based on the value of assets to be protected, rather than simply striving to build an impregnable perimeter – an exercise that, in today’s world, is doomed to failure.

The growth of zero trust

Acceptance and uptake of zero trust are growing rapidly.
According to Cybersecurity Insiders’ 2019 Zero Trust Adoption Report (published January 2020), 78 percent of IT security teams are looking to embrace zero trust, with more than a third having made measurable progress.

Cybersecurity Insiders also found 47 percent of enterprise IT security teams lack confidence in their ability to provide zero trust with their current security technology.

In the UK, the National Cyber Security Centre is working on a set of zero trust architecture design principles, available on GitHub. Details of its beta version were announced in a blog post on 29 October.

ZERO TRUST THE RSA WAY

There is no all-encompassing zero trust security solution. Zero trust is pursued through applying combinations of technologies, sometimes differently than initially intended at the time of purchase. Two essential elements are sophisticated and robust identity and access management (IAM), and security information and event management (SIEM).

RSA SecurID Suite is an IAM solution that goes beyond identity verification to determine access based on multiple parameters, including the role, history, and behaviour of the user and the business context and risks associated with the assets and resources to which they request access.

It enables organisations of all sizes to mitigate identity risk and maintain compliance without impeding user productivity. Its quick configuration options enable access policies to be quickly implemented in response to changing business needs and regulatory requirements.

RSA NetWitness Platform extends the capabilities of security information and event management (SIEM) systems, enabling security teams to rapidly discover compromises, understand their full scope and respond before threats impact the business.

It applies advanced technology to detect, prioritise and investigate threats in a fraction of the time of other security products.
It exposes the full scope of an attack by connecting incidents over time, prioritising incidents quickly, and delivering deeper insights from both automation and machine learning.

IT’S TIME FOR ZERO TRUST

Today’s complex IT environments, combined with a rapid increase in the number and sophistication of cyber attacks, have created a perfect storm of security challenges that traditional perimeter security is unable to address.

One answer, as evidenced by its growing uptake, is zero trust security. However, when developing a zero-trust strategy and selecting the technologies to implement it, organisations should be mindful that not all security technologies meet the requirements necessary for pursuing zero trust.

Tightly integrated IAM is essential for robust zero trust security: to identify the person seeking access, to confirm their rights to the device being used for access, and that both are authorised to access the resource requested.

RSA has solutions that enable organisations to implement and maintain robust zero trust security. Contact RSA to learn more.