What Executives Should Know About Zero Trust
What Does “Zero Trust” Really Mean?
Invented in 2010 by Forrester Research, Zero Trust is a cybersecurity model enterprises can leverage to remove risky, implicitly trusted interactions between users, machines and data. The Zero Trust model provides a process for organizations to protect themselves from threats no matter what vector the threat originates from—whether from across the world or from Sandy down the hall. The three main principles to follow to realize the benefits of this model were:
- Ensure that all resources are accessed securely, regardless of location.
- Adopt a least-privileged strategy and strictly enforce access control.
- Inspect and log all traffic.
After 11 years, these ideas and principles have matured in the face of growing digital transformation, remote work, and bring-your-own-device proliferation. New principles have developed in light of the U.S. Federal Government mandating Zero Trust, codified in the NIST 800-207 with further details in the NCCoE’s Zero Trust Architecture. Those principles are:
- Shift from network segmentation to protecting resources such as assets, services, workflows, and network accounts.
- Make authentication and authorization (both subject/user and device) discrete functions performed on every session, using strong authentication.
- Ensure continuous monitoring.
Why Is This Important in Cybersecurity?
The move toward Zero Trust has been one of the more significant shifts in how business approaches security. Before adopting a Zero Trust mindset, most companies tried to manage security as a gated function. Once a transaction was validated in the gated area, it was innately trusted.
This approach presents a problem because threat vectors do not always originate outside that area. Also, the world at large continues to adopt digital transformation and hybrid workforces, nullifying the concept of resources only existing behind a gate. Zero Trust methods require validating each element of every interaction continually—no matter where they occur—including all users, machines, applications, and data. There is no area of implicit trust.
What Is the Spin Around This Buzzword?
Many vendors today productize Zero Trust, naming their products as “Zero Trust solutions” in and of themselves, rather than acknowledging that Zero Trust is a model and strategic framework, not a product solution. When looking at the cybersecurity market, you’ll see vendors try to claim a supposed title is “THE Zero Trust player.”
On closer inspection, however, those vendors typically only address a single principle of Zero Trust. For example, creating tunneling services between users and applications. This aligns with the second original principle: adopt a least-privileged strategy and strictly enforce access control. However, that same vendor might fail on the first principle: ensure that all resources are accessed securely, regardless of location. When they implicitly trust that the user is not a threat vector, they do not scan for malware or exploits inside the tunnel.
Others may cover only some of the aspects of the first original principle, like trying to claim identity and authorization checks are what make Zero Trust. Vendors may also suggest that only web-based traffic needs to be scanned. However, when only partial coverage of the model is implemented, companies risk creating an implicit trust that opens them up to vulnerabilities that would be otherwise covered in the remaining principles.
Our Advice: What Should Executives Consider When Adopting Zero Trust?
The first step is to reframe your thinking on how enterprises should be secured, moving from a gated approach to one that continuously validates all interactions. To help make that shift:
- Define the resources your company needs to protect, where they exist, and what interactions should be flowing around, into, and through them
- Remember users, applications, and infrastructure/devices must all be covered for every interaction they create.
- Understand that interactions consist of identity, access, device/workload, and transactions
Next, enact changes with a plan, beginning with your enterprise’s most critical users, assets, and interactions. Those will be your crown jewels and things that may be related to finance or intellectual property. Then, over time, expand your purview to include all interactions. The plan should cover how the users, applications, and infrastructure go through each of the four parts of an interaction when requesting a resource.
The final step in this transformation is really a recurring event: maintaining and monitoring.
- Leverage continuous monitoring to account for everything happening versus intermittent checks.
- Look for ways to improve the current model as standards continue to evolve while covering more and more interactions.
Questions to Ask Your Team to Successfully Adopt Zero Trust
- What are our system-critical datasets, applications, and functionalities?
- How can we secure each of the four parts of every interaction to these resources, no matter who or what is requesting them?
- What is our plan to continuously monitor important events like logs to facilitate baselines and detect anomalous behavior?
- What is our strategy for selecting vendors that will assist us with our Zero Trust goals, and what more will we need to do that products cannot cover?
- What is the strategy for going from covering one resource to fully covering all resources, and what sort of scalability of products and people will we need to do this?