What’s Zero Trust, and What’s Driving Its Adoption?
Cyber threats have become an increasingly real, dangerous and expensive problem. The Biden Administration issued an executive order directing federal agencies and contractors to adopt a “zero trust” approach to cybersecurity.
Zero trust can be defined as a security strategy designed to minimise the lateral movement of cyber attackers through the principle of “verify, but never trust.” In simpler terms, it is a shift away from implicit trust (which assumes everything inside the organisation is safe) toward a model in which the corporate network is treated as hostile and the security status of identities, endpoints, networks and other resources is proactively verified against the security signals and data available at the time of each access.
Not long ago, most organisations relied on a castle-and-moat approach to cybersecurity: they built firewalls around their perimeter, and everything inside that perimeter was trusted by default. That worked because networks, devices, users and data were largely centralised. With the advent of cloud computing, bring-your-own-device policies and remote working, organisational environments have become distributed and decentralised. This evolution of the network is one of the largest drivers of zero trust adoption.
How Zero Trust Architecture Works
A zero trust architecture, or ZTNA, is built from a few core elements. The first is identifying the protection surface—the things that need to be protected, such as data, assets, applications and services.
Next is breaking those surfaces down into smaller security zones known as “micro-segments.” This isolates environments from one another and reduces the overall attack surface. Each micro-segment has its own micro-perimeter: dedicated security policies, access permissions and perimeter protection such as firewalls.
The third element is granting each user only the privileges required to perform their job effectively (i.e., context-specific least-privilege access). Every session, device, user and application must pass security checks and authentication before it is authorised to reach the requested resource.
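As an added illustration that is not part of the original article, the following Python sketch ties the three elements together: a protection surface split into micro-segments, each carrying its own policy, and a default-deny decision for every request that checks the user, the device and the requested action. The segment names, roles and request data are constructed for the example.

```python
"""Minimal zero-trust policy decision point (illustrative, not a real product).

Every request is denied unless identity, device posture and the target
micro-segment's policy all check out; each decision is recorded for review.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool        # signal from the identity provider
    device_compliant: bool    # signal from endpoint management
    resource: str             # micro-segment being asked for
    action: str


# Protection surface broken into micro-segments, each with its own policy.
# Constructed sample data: a sensitive database and a low-risk wiki.
SEGMENTS: Dict[str, dict] = {
    "payroll-db": {"allowed_roles": {"finance"}, "actions": {"read"}, "require_mfa": True},
    "public-wiki": {"allowed_roles": {"employee", "finance"}, "actions": {"read"}, "require_mfa": False},
}

# Decision log: the "inspect and log" side of the architecture.
AUDIT_LOG: List[Tuple[str, str, str, bool, str]] = []


def decide(req: Request, segments: Dict[str, dict] = SEGMENTS) -> Tuple[bool, str]:
    """Return (allowed, reason). Default deny: every check must pass."""
    seg = segments.get(req.resource)
    if seg is None:
        verdict = (False, "resource not in protection surface")
    elif not req.device_compliant:
        verdict = (False, "device posture check failed")
    elif seg["require_mfa"] and not req.mfa_verified:
        verdict = (False, "MFA required for this segment")
    elif not (req.roles & seg["allowed_roles"]):
        verdict = (False, "role not permitted in segment")
    elif req.action not in seg["actions"]:
        verdict = (False, "action exceeds least privilege for segment")
    else:
        verdict = (True, "all checks passed")
    AUDIT_LOG.append((req.user, req.resource, req.action, *verdict))
    return verdict
```

Note that a compliant device and a valid role are not enough on their own: a finance user without MFA is still refused the payroll database, and a permitted user asking for a write is refused because the segment only grants reads.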
Common Misconceptions Surrounding Zero Trust
Although interest in zero trust is growing, many security teams are struggling to get started, largely because there is so much confusion about what zero trust is and is not.
One of the biggest misconceptions is that employees assume the business no longer trusts them. This is a false assumption. Zero trust refers to the technical connections and processes happening in the background and has nothing to do with people. Additionally, security teams often think zero trust is something that can be bought off the shelf. This is not true. Zero trust is not a specific tool or platform; it is a framework, a mindset and a journey that differs for every organisation. To learn more about the many misconceptions related to zero trust, you can read one of my previous articles.
Four Principles to Keep In Mind When Implementing Zero Trust
- Define business outcomes
- Design from the inside out
- Outline identity and access requirements
- Inspect network and log traffic
Only 6% of enterprises have fully implemented zero trust, according to Forrester’s recent “Trusting Zero Trust” study (registration required), which surveyed 362 decision-makers who worked in large organisations. However, I believe the framework is definitely slated to become the new normal in enterprise cybersecurity. There’s no denying this venture will pose an uphill climb. Keep these best practices in mind to help guide you along the way.