Outside-in vs. inside-out
There are two models of zero trust that are most prevalent today:
- outside in: the BeyondCorp model of applying zero trust to end users and devices
- inside out: applying zero trust to the network and/or the applications and services communicating on the network
As zero trust can be a phased deployment, you can start at either place. A person could easily argue that because the easiest way for attackers to access your network is by stealing a valid user’s identity and using it to move through the network, the best place to start is at the endpoint.
However, along with the movement toward zero trust, security professionals have also begun moving security responsibility away from the perimeter and toward the application—because the applications are the jackpots cyber criminals are after. And it makes sense to put the strongest, most reliable security closest to the thing criminals want: data. This inside-out approach is logical for a number of reasons:
- Putting the most hardened controls around the most valuable assets means that even if adversaries are able to penetrate the perimeter or steal user identities, they still can’t access the data. In other words, criminals can get into the locked room but they can’t crack the safe.
- Endpoints are infinite; applications aren’t. While it’s true that the number of applications and services spun up and changed by DevOps teams is increasing all the time, the number of things deployed on the network will never outnumber the users, their various devices, their ever-changing locations, their evolving job responsibilities and resource needs, etc. A user’s “identity,” therefore, must change constantly to accommodate their particular situation whereas an application’s identity remains relatively constant in comparison. As such, controlling applications is exponentially less complex than controlling users.
Trying to decide “Where do I begin?” simply boils down to the fact that everything touches the data. With data at the heart of business operations, it’s most effective, therefore, to control access to and from the data—from the inside out—first.
Implementing zero trust is almost always going to be a phased deployment, so choosing between inside-out and outside-in should be based on your business use case. However, as you decide where to apply zero trust first, remember that the endpoint is only the first step in every attack scenario. By placing zero trust controls directly around your key assets, you know that whoever or whatever gets onto your network won’t be able to pass the verification process, and your data will remain secure.
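To make the inside-out idea concrete, here is an added example (not code from the original article or any product it describes) of a small policy enforcement point sitting directly in front of a dataset. Every request must carry a verifiable workload identity, and the decision is made from that identity plus a policy table; the caller's source address is carried only for logging and has no bearing on the outcome, so a request that arrives "from inside the network" without a valid identity is refused. The issuer key, the SPIFFE-style identity names, the policy entries and the HMAC-signed token format are all constructed stand-ins for whatever identity issuer and policy store a real deployment uses.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed key standing in for the workload-identity issuer's signing key.
ISSUER_KEY = b"example-issuer-key-not-for-production"

# Constructed policy: (workload identity, action, dataset) triples that are permitted.
# Nothing about network location appears here on purpose.
POLICY = {
    ("spiffe://example.org/billing-api", "read", "customer-records"),
    ("spiffe://example.org/billing-api", "write", "invoices"),
    ("spiffe://example.org/report-job", "read", "invoices"),
}


def issue_token(identity: str, ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Mint an HMAC-signed identity assertion (stand-in for a real workload-identity issuer)."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": identity, "exp": now + ttl_seconds}, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the verified identity, or None if the token is missing, malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    # Constant-time comparison; a length mismatch also fails closed.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) else None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(request: dict, now: Optional[float] = None) -> Decision:
    """Decide one request from verified identity and policy only.

    request: {"token": str, "action": str, "dataset": str, "source_ip": str}
    source_ip is informational; it never influences the decision.
    """
    identity = verify_token(request.get("token", ""), now)
    if identity is None:
        return Decision(False, f"no verifiable workload identity (source {request.get('source_ip')})")
    action, dataset = request["action"], request["dataset"]
    if (identity, action, dataset) not in POLICY:
        return Decision(False, f"{identity} is not permitted to {action} {dataset}")
    return Decision(True, f"{identity} may {action} {dataset}")


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate caller, one "inside" caller with no identity.
    tok = issue_token("spiffe://example.org/billing-api")
    for req in (
        {"token": tok, "action": "read", "dataset": "customer-records", "source_ip": "203.0.113.7"},
        {"token": "", "action": "read", "dataset": "customer-records", "source_ip": "10.0.0.5"},
        {"token": tok, "action": "write", "dataset": "customer-records", "source_ip": "10.0.0.5"},
    ):
        d = authorize(req)
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The point of the layout is that a stolen foothold on the network buys nothing by itself: the second request originates from an internal address and is still refused, while the first is accepted from an external one because it presents a valid identity that the policy permits. In a production system the HMAC token would be replaced by an mTLS certificate or a signed JWT from the workload-identity issuer, and the policy set by a managed policy engine, but the decision logic stays the same.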