Zero Trust: Past, Present and a Call to Action for the Future
A recent study by CyberRisk Alliance revealed some surprising statistics about zero trust security. Although the term dates back nearly 30 years, only 35% of the security leaders polled were very familiar with the practice. And despite the rash of security incidents in recent years, the same percentage were highly confident in their zero trust capabilities.
There’s a disconnect. From our experience, while interest in zero trust is growing, many security leaders appear to be confused about how to properly implement it.
Too many believe it can be solved simply by plugging in a new product or by upgrading old ones. Instead, they need to better understand what zero trust security is — how it incorporates a blend of products, processes and people to protect mission-critical corporate assets.
The concept of zero trust is simple: “never trust, always verify.” It may seem harsh to users who have grown accustomed to smooth and easy access to information, but it’s sound policy. We prefer to use the phrase “mutually suspicious,” which is similar. It means, in effect, “Here’s who I am; you prove to me who you are.”
To a certain extent, the practice, as well as the term, is old, dating back to minicomputers and mainframes.
It’s all about requiring good digital hygiene. The difference is that our environment has shifted and expanded. Now with cloud, edge devices and data centers opening up more endpoints to attack, organizations have to rely on more than firewalls to keep intruders out.
Organizations need to align their processes and people, along with their products, to achieve true zero trust.
Products are a straightforward step. Essentially, a full line of security technologies that verify identity, location and device health is vital. The objective is to minimize the blast radius and limit segment access.
While there is no single product or platform that accomplishes all these goals, a successful zero trust program will incorporate elements of identity management, multifactor authentication and least-privilege access.
Zero trust technologies are available to cover all attack surfaces and protect organizations, but they mean nothing without the people using them, so aligning company success and security with employee success and security is critical. This means prioritizing a culture of transparency, open communication, trust in the process and faith in each other’s ability to do good.
To successfully implement zero trust technology into a corporate culture, organizations need to involve employees in the process. Don’t just roll out a top-down mandate and expect it to click. Alert employees to what’s going on, what the process of zero trust entails, how it affects and benefits them as well as the company, what to watch out for and how they can support the zero trust process.
By engaging employees and challenging them to embrace a healthy dose of skepticism toward potential threats, employers are planting the seeds of security across their organizational skeleton. Once employees understand what’s going on and the value of zero trust, they too begin to feel trusted and are empowered to be part of the broader cybersecurity network. This empowers employees to proactively identify insider and outsider threats to the enterprise, covering all surfaces and fostering good security hygiene.
Zero trust security requires a significant rework of overall organizational processes.
One of the most important moves organizations can make is to define and assess every aspect of their data-security environment. This includes identifying where all of the organization’s unstructured data is stored, what business purposes specific data stores serve, who has access to that data and what kind of security controls are already in place. A thorough permissions assessment will help guide the development of a comprehensive access-management policy. Some assets will require zero trust protection; others won’t. All devices that connect to a network will need to be accounted for so they can fend off outside phishing attacks.
One key tech mechanism that can help organizations in a zero trust world is immutability — creating data copies that can’t be modified or deleted. This ensures that organizations don’t lose data or allow it to end up in the wrong hands.
An overlooked practice is to define a common zero trust framework for the whole organization. It does no good for teams to have to interpret confusing sets of conventions or reinvent what “zero trust” means on a project-by-project basis.
Last, and perhaps most important, is the need for organizations to reassess and revise their zero trust processes. It’s like going to the gym: Exercise becomes a way of life, and active people tweak their workout routines all the time. The same goes for security. Zero trust is a continuum. You’re never done.
Threatscapes will continue to evolve over time. Organizations taking a zero trust approach will need to continue to develop a comprehensive plan, and then continually revise their technologies, processes and people practices to meet their future needs.