Zero trust is a strategy organisations will need to look at implementing in the same way as a transformation project… this is not a journey that IT and information security can do alone.
Paul Holland, ISF Principal Research Analyst
Zero trust is a phrase that gets bandied about all over the place, and it now seems that you cannot read an article related to information security without it being mentioned in some form, whether as the answer to all of security's woes or the next greatest thing from a vendor. Ransomware seems to be another word we cannot escape, appearing on a daily basis in media headlines. But how do these two topics relate?
Could zero trust be an answer to the problem of ransomware? Read on to find out more.
Zero trust is often touted as the way to fix all of security’s problems. Although this is not 100% accurate, it can help to secure environments against many different types of attacks and do it well. To understand why it is not a complete magic bullet, let’s look at what zero trust really is and isn’t. First, some vendors are of the opinion that they can sell you a zero trust solution but this is not strictly true: there is no one technological solution that can supply you with zero trust. At its heart zero trust is a strategy, based upon architectural concepts that take multiple security tools and combine them to create an environment that never trusts but always verifies.
Second, zero trust will not solve all of an organisation’s security problems; rather, it is designed to help limit the options for an attacker and minimise the damage caused if there is a breach or incident, such as a ransomware attack that spreads across the entire IT environment. This is achieved by limiting lateral movement within an organisation’s infrastructure through a more granular approach to segmentation, which is the primary focus of a zero trust environment. By inhibiting lateral movement, organisations can realise tangible benefits of transforming to a zero trust environment.
A zero trust environment breaks down IT infrastructure into miniature infrastructure segments, each usually called a protect surface. Each protect surface is secured with technical controls, commensurate with the level of protection required for the resources contained. The segmentation of protect surfaces helps to prevent the spread of a ransomware infection and keep business operations running, which is certainly the news everyone wants to hear. This makes it sound as though zero trust is easy to implement, but sadly it is not a quick or simple fix. Zero trust needs to be planned as a long-term strategy to be successful, building upon existing security tools but changing how you implement, architect and use these tools to turn them into a zero trust network architecture (ZTNA).
To implement a ZTNA effectively, an organisation’s infrastructure and corresponding data, applications, assets and services (DAAS) resources all need to be understood. Creating and maintaining a comprehensive content management database (CMDB) is a good way to achieve this. The next step is to understand the criticality of each resource (i.e. the crown jewels) in order to put in place a ZT transformation programme. This will offer the most secure options for the most vital resources in an organisation.
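The effect of protect surfaces on lateral movement can be modelled as reachability over an inventory and an explicit allow-list of flows. The sketch below is an added example, not part of the original article; the resource names, protect surfaces, criticality ratings and flows are all constructed for illustration.

```python
from collections import deque

# Constructed inventory (stand-in for CMDB records):
# resource -> (protect surface, criticality)
INVENTORY = {
    "laptop-17": ("user-devices", "low"),
    "file-share": ("collaboration", "medium"),
    "hr-app": ("hr", "high"),
    "hr-db": ("hr", "high"),
    "erp-app": ("finance", "high"),
    "erp-db": ("finance", "high"),
    "backup-server": ("backup", "high"),
}

# Constructed policy: only these (source, destination) flows are permitted;
# everything else is denied. Backups are pulled, so the backup server
# initiates connections to the databases, never the reverse.
ALLOWED_FLOWS = {
    ("laptop-17", "file-share"),
    ("laptop-17", "hr-app"),
    ("hr-app", "hr-db"),
    ("erp-app", "erp-db"),
    ("backup-server", "hr-db"),
    ("backup-server", "erp-db"),
}

def blast_radius(start, resources, allowed_flows=None):
    """Resources reachable from a compromised `start`.

    allowed_flows=None models a flat network in which any resource can
    reach any other. The result is an upper bound: it assumes every
    permitted flow could be abused for lateral movement.
    """
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in resources:
            if dst in seen:
                continue
            if allowed_flows is None or (src, dst) in allowed_flows:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def critical_exposed(start, inventory, allowed_flows=None):
    """High-criticality resources inside the blast radius, sorted by name."""
    reached = blast_radius(start, inventory, allowed_flows)
    return sorted(r for r in reached if inventory[r][1] == "high")
```

Calling `critical_exposed("laptop-17", INVENTORY)` gives the flat-network exposure, and passing `ALLOWED_FLOWS` as the third argument gives the segmented one; the difference between the two lists is the set of crown jewels that segmentation keeps out of reach of that foothold.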
As zero trust is a strategy, organisations will need to look at implementing it in the same way as a transformation project. It therefore needs to be delivered in conjunction with the business – this is not a journey that IT and information security can do alone. It is a long journey that needs careful thought, planning and business buy-in; otherwise a zero trust journey will fail and potentially leave the organisation in a worse position than before it started. Get the journey right, though, and the business will be reassured that the organisation is adequately protected against many threats including ransomware, allowing for a quick response to a fast-moving problem.