Starting your journey to zero trust adoption

“Zero trust” is certainly a buzzword that gets freely thrown around in cybersecurity. But what does it actually mean?

Also, why is a zero trust security model and architecture being mandated by the government? What should organizations consider to ensure their success?

Let’s start off by agreeing on what zero trust is and is not. It’s not a product or tool — it’s a methodology and model that requires a shift in our approach to cybersecurity controls. The traditional castle and moat approach was based on an environment where users, applications and data were managed within a defined corporate network.

With cloud, IoT, BYOD and a mobile and remote workforce, many users, applications and data now sit outside the traditional organizational boundary. As such, organizations are recognizing the need to shift to a model that never trusts implicitly and always verifies: every access request is authenticated and authorized on its own merits, regardless of where it originates.

Many organizations are only now beginning to look at zero trust and trying to figure out what it means to them. What’s the impact from a security and productivity perspective? How do we go about implementing this approach? What tools do we need? How will we afford this?

Shifting to a zero trust model is not about replacing the infrastructure wholesale. It’s more of an incremental journey of modernizing the IT and security environment. In a zero trust model, organizations can identify high-value assets and data within the network and ultimately protect this information beyond what traditional cybersecurity methods allowed, no matter where users, apps and data reside.

Just as important, this approach should enable the business by automating processes so that the security controls are essentially transparent to users. For example, single sign-on (SSO) allows a user to log in once to access all their authorized business applications, reducing friction and improving the user experience.

Transitioning to a zero trust cybersecurity model from the traditional approach requires shifting from a manual, static environment to one with more automation. Processes and systems are more tightly integrated so that policy can be enforced dynamically: each access request is evaluated in real time against signals such as the user's identity, role, device and behavior, rather than being granted once at login and trusted thereafter.

While mapping out security requirements, it’s important to build in as much automation as possible so that controls are transparent to the end users. For example, a financial customer I spoke with recently said their organization requires a fresh login every several hours, as opposed to on every access. Their organization determined that this was a more acceptable balance between risk and productivity. This type of policy can differ for different users based on their roles, locations and the apps and data they’re trying to access. Organizations must weigh these types of considerations and risks when it comes to balancing security and operations.
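The re-authentication policy just described is one input to a per-request policy decision. The following is an added example, not code from the original article, showing what such a decision point might look like: it checks role entitlement first (least privilege), then device posture, then how old the last proof of identity is, with a tolerated session age that depends on the sensitivity of the resource and on whether the request comes from the corporate network. The resource names, tiers, role sets and thresholds are constructed sample data, not values from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # session exists but the user must re-authenticate first
    DENY = "deny"


# Maximum age of the last authentication a resource tier tolerates (constructed values).
# The check runs on every request, not once at login.
MAX_AUTH_AGE = {
    "public": timedelta(hours=24),
    "internal": timedelta(hours=8),
    "restricted": timedelta(hours=1),
}

# Explicit entitlements: which roles may reach which resource (constructed sample data).
ENTITLEMENTS = {
    "payroll": {"hr", "finance"},
    "wiki": {"hr", "finance", "engineering"},
    "prod-db": {"sre"},
}


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    resource: str
    tier: str               # "public" | "internal" | "restricted"
    last_auth: datetime     # when the user last proved their identity (tz-aware)
    device_compliant: bool  # device posture as reported by endpoint management
    on_corp_network: bool   # location signal; it adjusts thresholds but never grants access


def tolerated_age(tier: str, on_corp_network: bool) -> timedelta:
    """Session age accepted for this tier; off-network requests get half the window."""
    base = MAX_AUTH_AGE[tier]
    return base if on_corp_network else base / 2


def decide(req: Request, now: datetime) -> Decision:
    """Evaluate one access request. Order matters: cheap hard denials come first."""
    # 1. Least privilege: no entitlement, no access, whatever the other signals say.
    if not (req.roles & ENTITLEMENTS.get(req.resource, set())):
        return Decision.DENY

    # 2. Device posture: restricted data never flows to a non-compliant device.
    if req.tier == "restricted" and not req.device_compliant:
        return Decision.DENY

    # 3. Freshness of identity proof, scaled by tier and location.
    age = now - req.last_auth
    if age > tolerated_age(req.tier, req.on_corp_network):
        return Decision.STEP_UP

    return Decision.ALLOW


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sample = Request("alice", frozenset({"hr"}), "payroll", "internal",
                     now - timedelta(hours=5), True, False)
    print(sample.user, sample.resource, decide(sample, now).value)
```

Note that being on the corporate network only shortens or lengthens the re-authentication window; it never substitutes for entitlement or device checks. That is the practical meaning of "never trust, always verify" in a policy engine: location is a signal, not a credential.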

Shifting to a zero trust model should be a gradual process that involves incremental improvements being made to modernize the IT and security environment. This is important from the implementation and usability perspective, as well as the budget perspective.

Four of the more common use cases we see are:

  • Shifting from traditional castle and moat perimeter controls to security based around identity and access management.
  • Microsegmenting the network to minimize risk.
  • Moving data and apps to the cloud.
  • Protecting IoT.

These can’t all be designed and implemented at once, so it’s important to build a strategy and roadmap based on where the organization is today and where it wants to go. Each increment should raise the level of protection, adding detail and complexity only as fast as the organization can absorb it.

Companies should also define their high-value assets to determine which systems and applications really need this enhanced protection. Organizations should build an inventory of what they have in the environment and understand the value of each asset: What does it do for the business? Who needs access to it? What’s the risk impact if it was breached?

From there, organizations need to consider not only modernizing the technology stack, but also the impact on people and processes. Ensuring greater interoperability and automation between technologies and process flows is important to enable productivity in a secure manner.

Zero trust doesn’t just require a shift in technology, it’s a culture change as well. The traditional security model operated with implicit trust, where everything was allowed unless it was known to be bad (the old AV/blacklist model). Zero trust enforces granular, least-privilege access on a per-request basis, where only those explicitly specified as requiring access get it.

Organizations should educate their employees on why the shift to zero trust is needed and explain how it can help them be more productive. At the end of the day, employees are focused more on doing their jobs than on prioritizing security. This is why it’s critical to educate them on how to use these new tools and process improvements from the perspective of helping them be more efficient in their jobs.

This culture shift cuts across the entire organization. The CIO or CISO must work with and gain input and buy-in from Infosec, IT, HR, R&D, legal, delivery, customer support, etc. to understand the needs of and impact on each department. This strategy and feedback loop must include a cross-section of roles so that the impact on users and process flows is understood and every aspect is considered from both a security and an operational perspective.

Zero trust provides a model for modernizing your environment, and this approach should be adopted incrementally. This crawl, walk, run approach should begin by mapping out the high-value assets, the greatest risks and understanding the impact to employees from different departments.

Employing a strategy that pulls in stakeholders from across the organization and focuses on how to automate processes, increase interoperability across different devices and systems, and provide centralized visibility will put an organization on a path to zero trust success.