Zero trust model key to security success, says Forrester

The principles of network confidentiality, integrity and availability are not balanced, says John Kindervag, principal analyst at Forrester Research

In most companies, the principles of network confidentiality, integrity and availability are not balanced at all, says John Kindervag, principal analyst at Forrester Research.

“Availability is almost always more important than the other two because that is what service-level agreements (SLAs) are built on,” he told Forrester’s forum for risk and security professionals in London.

“What is worse, ‘confidentiality’ more often than not becomes ‘compromise’ and in many cases businesses are not even aware,” Kindervag said.

Studies have shown that between 66% and 90% of data breaches are identified not by organisations that are breached, but by third-party organisations.

A related problem, said Kindervag, is that availability is often mistaken for security. “Because there is good network availability, businesses assume there can be no compromise to security,” he said.

The disconnect between the security and network operations teams is at the heart of the problem, said Kindervag, because their incentives are not aligned.

“But the world has changed and we cannot carry on doing things the way we did in the 70s and 80s,” he said.

Kindervag said the most important thing that organisations need to understand is that the focus should no longer be on the network but on the data, and on how to deliver the right data to the right person on the right device in a secure way.

A new “zero trust model” is the key to security success, according to Kindervag, because it identifies that the fundamental problem with the old way of doing network security is treating anything outside the network as “untrusted” and everything inside the network as “trusted”.

With aging networks due for a refresh, he believes this presents the opportunity to not only redesign networks for today's critical workloads and technology transformations such as virtualisation, but also to take a unified approach to both networking and security.

In a “zero trust” approach, networks are designed to enable segmentation of resources and access monitoring, but to also share functionality and global policies.

“Segmentation is based on how data is being used, which enables the aggregation of similar virtual machines and the ability to secure virtual machines by default,” said Kindervag.

This approach enables organisations to protect certain key data types, but at the same time it is extensible and flexible, while allowing essential controls to be built in, he said.

“This approach allows all users to access the network, but not all users to access all data, thus enabling mobility, high availability and the use of cloud infrastructures without compromise to security,” said Kindervag.
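The contrast Kindervag draws, between trusting anything inside the network and deciding each request on the data segment's own policy, can be shown in a few lines. The following is an added example, not code from Forrester or from the article: the address range, roles, data segments, device requirement and sample requests are all constructed for illustration. The perimeter decision looks only at where the request comes from; the zero trust decision ignores network location and checks identity, role and device posture against the policy of the data segment being requested, recording every decision for monitoring.

```python
"""Perimeter trust versus zero trust, as an added worked example.

Not code from Forrester or from the article: the network range, roles,
data segments and policy rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed corporate address range: the old model trusts anything here.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed data segments, grouped by how the data is used rather than
# by where it lives. Each says who may reach it and on what kind of device.
SEGMENTS = {
    "public-web":     {"roles": {"*"},       "managed_device": False},
    "hr-records":     {"roles": {"hr"},      "managed_device": True},
    "finance-ledger": {"roles": {"finance"}, "managed_device": True},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    source_ip: str
    device_managed: bool
    segment: str


# Every zero trust decision is recorded here (the "access monitoring" part).
AUDIT_LOG: list[dict] = []


def perimeter_decision(req: Request) -> tuple[bool, str]:
    """Old model: inside the network means trusted, outside means untrusted."""
    if ip_address(req.source_ip) in INTERNAL_NET:
        return True, "source inside the perimeter"
    return False, "source outside the perimeter"


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero trust: the request is checked against the data segment's policy;
    the source network plays no part in the decision."""
    seg = SEGMENTS.get(req.segment)
    if seg is None:
        decision = (False, f"unknown segment {req.segment!r}")
    elif "*" not in seg["roles"] and req.role not in seg["roles"]:
        decision = (False, f"role {req.role!r} not permitted for {req.segment}")
    elif seg["managed_device"] and not req.device_managed:
        decision = (False, f"{req.segment} requires a managed device")
    else:
        decision = (True, "identity, role and device satisfy segment policy")
    AUDIT_LOG.append({"user": req.user, "segment": req.segment,
                      "source_ip": req.source_ip, "allowed": decision[0],
                      "reason": decision[1]})
    return decision


def compare(req: Request) -> dict:
    """Side-by-side verdict of both models for one request."""
    return {"perimeter": perimeter_decision(req)[0],
            "zero_trust": zero_trust_decision(req)[0]}


# Constructed sample requests: an insider with no business need, a remote
# HR user on a managed and then an unmanaged device, and a public resource.
SAMPLES = [
    Request("contractor1", "contractor", "10.20.30.40", False, "hr-records"),
    Request("alice", "hr", "203.0.113.5", True, "hr-records"),
    Request("alice", "hr", "203.0.113.5", False, "hr-records"),
    Request("bob", "finance", "10.1.1.1", True, "public-web"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.segment, compare(r))
```

The first sample is the case the article warns about: an internal address is enough for the perimeter model, while the zero trust policy denies it because the role has no claim on HR data. The second sample shows the reverse, a legitimate remote user on a managed device being allowed in, which is what makes mobility and cloud use possible without opening the whole network.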

Improved communication between the network operations and security teams is essential for implementing this approach, he said, as is education and training around the concept of zero trust and aligning incentives for all teams involved.


@securasi has implemented a new model that has unbreakable security that is always wrapped around data with its consumer product, a private, portable, works-on-any-device kind of digital safe that seamlessly works with any cloud service such as Dropbox. Our encryption key management algorithm has made the market-leading products PGP/Symantec, True Crypt and Bitlocker model obsolete, as they were recently broken by a forensic product, elkomsoft. Check out

In many of our systems, logging in is no longer an option. You either have an authorized key to get access to the system and the data therein, or you don't. Not sure if this counts as a no trust model, but it's pretty effective so far.