What is Zero Trust? A Security Model for Success

The role of information Technology (IT) is to support an organization’s business needs. As the Information Technology landscape evolves and expands, it is becoming challenging for cybersecurity professionals to defend and protect the growing landscape from cyber attacks. Cybersecurity leaders are shifting to Zero Trust to help defend against new threats and vulnerabilities. Zero Trust is a reasonably new paradigm for many organizations, so cybersecurity professionals are ramping up on what it means, learning how to address the related issues, and beginning Zero Trust Architecture’s journey.

The IT landscape is increasingly more complex and diverse.

Today’s IT landscape is driven by a very interconnected world with a wide range of diverse users, devices, and systems, connecting across the internet and networks to access other globally distributed systems, applications, and data. With the emergence and the rapid adoption of cloud and hybrid multi-cloud environments, critical business data has become widely dispersed, stored, and accessed across many different IT environments. Cybersecurity professionals must develop a robust data security strategy, combined with ensuring secure digital transformation and the escalating and associated cyber threats and attacks.

What are the challenges and the increasing security complexity?

Today’s traditional security architecture is trailing behind as more organizations adopt multi-cloud hybrid environments and complex IT environments. As a result, the conventional cybersecurity network defenses are becoming more exposed to cyber-attacks. Threat actors have become more tenacious, sneakier, and more elusive with their cyber attacks. With organizations accelerating their digital transformation strategies, the traditional network perimeter has expanded and progressed from a defined border (centralized data) to multiple edges (distributed data) to perimeter-less boundaries (data everywhere). So now, cybersecurity professionals have to defend against increasing various attack surfaces and threat vectors with a perimeter-less fragmented security posture.

What is Zero Trust?

Let’s begin with defining what it is not. It’s not a software product, hardware appliance solution, or a limited set of managed services. Zero Trust is what it sounds like, don’t trust anyone, anything, at any time, from anywhere without verification. Zero Trust is essentially a security model, a set of architectural design principles, and an organized risk management strategy that eliminates implicit trust for anything (e.g., users, nodes, services). It’s a data-centric security model that uses the “Least Privileged” security principle applied to every access decision under the right conditions. Think of it as a “never trust, always verify” mindset, and assuming that your organization is compromised or all indicators seem like a security breach will be happening soon. Its primary focus is to protect sensitive data with very restrictive access controls. As a reminder, the data is what the bad guys are after!

How does Zero Trust address the increasing security complexity?

Yes, Zero Trust seems sort of a radical approach for cybersecurity professionals; however, several highly publicized system breaches (e.g., Solar Winds) have exposed widespread vulnerabilities in systems, as well as deficiencies in system management and defense network operations. The long-term impact is unknown, and a comprehensive security approach to address threats, vulnerabilities, and risks has increased security awareness.

With a Zerto Trust risk management strategy and corresponding security architecture, it requires no implicit trust granted for all identities, devices, systems, and services based on their location (e.g., a local area network or the Internet). It requires continuous verification upon every access decision, allowing or denying access to all resources based on a combination of several contextual factors before an established connection.

How do you implement Zero Trust Architecture (ZTA)?

• Organizations MUST identify the right Zero Trust strategy for their ecosystem.
• It can be done in several ways using a Zero Trust Framework (e.g., NIST SP 800-207, Gartner’s CARTA, Google BeyondCorp, or the NSA guide)
• Implement security tools that integrate visibility & analytics, risk-based access decisions, and automation and orchestration capabilities
• It’s re-engineering an existing security architecture based on this security model; it’s a strategic attempt that will take time to achieve full benefits.
• It’s not a tactical mitigation response to new opposition tools, schemes, and approaches.
• Zero Trust repeatedly questions the premise that users, devices, and network components should be implicit.
• Overall, it’s a risk management approach that embraces governance for administrative, physical, and technical controls. 

A Zero Trust strategy will provide an opportunity for organizations to be better prepared to react effectively to increasingly sophisticated threats. Security leaders must understand that implementing a Zero Trust architecture is a journey; there are no shortcuts about it, but it will take a holistic risk management approach to become effective. It’s an enormous task but achievable. I recommend that organizations start small with a focus area and begin accelerating the implementation after the initial start.

Ervin Daniels

Cybersecurity Architect with over 25 years of Technology and Security leadership and hands-on experience across various industries (retail, public, financial services, and technology).