Everything you need to know about zero trust video meetings
Learn how the zero trust framework shapes the future of data security in video conferencing and how to optimize your zero trust architecture with Pexip.
We've all heard the buzz around the virtual water cooler that zero trust architectures are the next big thing in network security, but what do we know about them? And, perhaps more relevant to our discussion today, why should you care?
This white paper examines how and why zero trust defines a data-centric security model and what that means in a real-time production environment. We build on that conversation to take a deeper look at how Pexip's video conferencing platform integrates with your existing zero trust strategy and can even give you some new zero trust concept ideas to consider.
Written by: Kevin Davis, Principal Consultant Advantage Engineering at ZTX-S and Joel Bilheimer, Strategic Account Architect at Pexip.
What is zero trust?
The biggest challenge in implementing zero trust is agreeing on what it encompasses. The easiest way to answer this question is to describe what zero trust is not. Then, we can discern what it is and, potentially, what it can be.
At its core, zero trust is a cybersecurity framework that upends the assumptions behind traditional data security and lets you see where those assumptions lead you.
The tradition of perimeter-centric security
Traditional security is based on the notion that "they" are "out there" and "we" need to protect ourselves and our data "in here."
As a result, cybersecurity has historically focused extensively on defining and defending the perimeter, by which we mean the boundary between the known and the unknown, or that which is "trusted" and that which is "untrusted."
Critically, as we shall see, this is illusory, as the notion of "trust" is a human concept, not one that has a place in enterprise information security. Even the naming of networks (e.g., firewalls, demilitarized zones, gateways, gatekeepers) implies that there is a right side and wrong side of the network boundary, with our precious systems and data surrounded by barriers that keep it all safe.
There are two main problems with the traditional perimeter-centric network approach from a security perspective.
First, suppose we focus all our resources on establishing external barriers while ignoring similar protections internally. In that case, it only takes one crack in the dyke for our data protection level to break.
Second, it turns out that blithely ignoring half of each public network transaction – for example, assuming all outbound traffic is valid – essentially guarantees that when (not if) your system is breached, the bad guys will have free rein to do whatever they want, in many cases, without you even knowing that they're doing it. Phishing is one example of an "insider threat" that has proven extremely difficult to combat under traditional network security concepts.
Cybersecurity architects have committed two cardinal sins by focusing so much energy on hardening the perimeter over the years.
For one, we haven't achieved the core objective of protecting our data's confidentiality, integrity, and availability (the "C-I-A Triad").
If we had, "data breach" wouldn't be a household term, and there would be no need for zero trust. Additionally, this approach has made legitimate cross-boundary uses much harder to implement, especially for video collaboration traffic.
Video architects and engineers have endured this environment for decades, and we have all experienced its negative operational impacts. Up until now, however, we have all been led to believe that perimeter data restrictions are necessary structural limitations in service of the greater good of protecting the network.
It is a fundamentally false assumption.
It's okay. We can fix it.
Time to upgrade for data-centric security
In contrast to the perimeter-centric threat model, zero trust architecture focuses on the inherent qualities of data. It's not the case that zero trust ignores the perimeter, but in a world where your data can be anywhere at any time, zonal trust is an outdated concept.
If you are defending the perimeter, you must be right all the time, every time – but the attackers have to be right only once. Furthermore, the main attack threats are inside your organization, which you can't defend under perimeter-centric security. Those are long odds on which to build your entire network security plan.
Zero trust holds two fundamental principles that disregard outdated network security norms and prove extremely powerful.
First, zero trust assumes, point blank, that the bad guys are already in your network.
You might think your network security is good enough and that only the government and healthcare care about that stuff anyway. Maybe you like to argue that you are too small for hackers to care about your network.
However, experience shows network security is usually much lower than you think. That false sense of security has allowed nation-state attacks such as Stuxnet and more commonly accessible tools such as Mirai to be wildly successful.
Secondly, zero trust also recognizes that the impact of a breach is not about how the bad guys got in but what data they were able to see and export while they were there.
In essence, it doesn't matter if someone can penetrate your system because the only thing that matters is whether they can impact your data's confidentiality, integrity, and availability.
Zero trust creates structures and policies that prevent infiltration (which, again, we assume has already happened) from becoming exfiltration.
By deploying a deny-any policy (meaning that, by default, no traffic or data is permitted to flow in any direction on any segment) and only then identifying specifically authorized data actions, zero trust ensures that only approved and authorized traffic ever moves through an organization's networks, either internally or across a boundary.
From this perspective, it doesn't matter if a microphone array or VoIP system gets hacked, for example, as long as the audiovisual data provided can only ever travel to those internal destinations you approve.
Ultimately, you can and will live with inbound breaches under zero trust because they will not impact your operations.
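The deny-any policy described above, as an added example (not from the white paper or from Pexip): a minimal flow-policy evaluator in which nothing moves unless a rule names its source, destination, protocol and port. The addresses, ports, rule names and device roles are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR of the authorized sender
    dst: str       # CIDR of the approved destination
    proto: str     # "udp" or "tcp"
    ports: range   # approved destination ports

# Constructed allow-list; every address, port and device role is an assumption.
ALLOW = [
    Rule("mic-media", "10.20.0.15/32", "10.30.0.10/32", "udp", range(40000, 50000)),
    Rule("node-mgmt", "10.30.0.10/32", "10.40.0.5/32", "tcp", range(443, 444)),
]

def decide(src, dst, proto, port, rules=ALLOW):
    """Return the name of the rule that authorizes the flow, or None (deny)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and proto == r.proto and port in r.ports):
            return r.name
    return None  # deny-any default: a flow with no matching rule never moves

def audit(flows, rules=ALLOW):
    """Split flows into (allowed, denied); denied flows are the ones to alert on."""
    allowed, denied = [], []
    for flow in flows:
        (allowed if decide(*flow, rules=rules) else denied).append(flow)
    return allowed, denied

# Constructed flows, as a compromised microphone array might produce them.
FLOWS = [
    ("10.20.0.15", "10.30.0.10", "udp", 40100),  # audio to the conferencing node
    ("10.20.0.15", "203.0.113.7", "tcp", 443),   # outbound to an unknown host
    ("10.20.0.15", "10.40.0.5", "tcp", 445),     # internal, but never authorized
    ("10.30.0.10", "10.20.0.15", "udp", 40100),  # reverse direction, no rule
    ("10.30.0.10", "10.40.0.5", "tcp", 443),     # node to management over HTTPS
]

if __name__ == "__main__":
    allowed, denied = audit(FLOWS)
    for f in allowed:
        print("ALLOW", decide(*f), f)
    for f in denied:
        print("DENY ", f)
```

The rules are directional and apply to internal destinations as much as external ones, so the hacked device's traffic to the management host is denied even though both sit inside the perimeter.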
How does zero trust work?
The first building block of zero trust is known as micro-segmentation. Traditional security assumes all traffic is valid within a network segment. It focuses on authorizing or restricting which segments can communicate with others.
Micro-segmentation implements a more...