ZERO TRUST: HYPE OR HOPE?

During these times, the term Zero Trust has exploded. The Zero Trust term has become misunderstood, and it’s becoming a bunch of hype to a lot of businesses, and they think it’s just a buzzword that adds much confusion to its definition. However, the term has been around for years, but now the acceleration of its adoption is becoming more realistic. Still, there are several interpretations in the security industry, and every security vendor claims to have the silver bullet of how they can help. So, what does it mean to have Zero Trust? Let’s begin with what Zero Trust is not, shall we? Zero Trust is not a piece of software (e.g., SaaS or on-premises), a single vendor solution, or a set of integrated technologies. It’s not a single point in time architecture.

Zero Trust is a security model. It’s the notion don’t trust anyone, anything, from anywhere, at any time without verification. Zero Trust is an organization’s approach to security. It’s looking at Cybersecurity holistically when implementing security architecture for people, processes, and technology. It’s a paradigm shift in the way Cybersecurity is implemented and maintained. 

The Zero Trust model has core guiding principles. The model implements the least privilege principle that limits users’ access rights to only what is required to do their jobs. The model assumes breach; it assumes an attacker is present in the environment moving laterally in your network. The model is never to trust – always verify. It removes implicit trust granted to systems solely based on their physical or network location (e.g., local area network vs. internet). The model continually analyzes risk and authenticates and authorizes each entity’s (both user and devices) access requests’ identity and security posture before a connection is established to its assets and business functions. The model moves network defenses from wide network perimeters to narrowly focusing on individual or small groups of resources. This includes removing the sole dependency on wide-area perimeter defenses (e.g., firewalls, intrusion protection systems, etc.). 

Businesses are rapidly achieving successful digital transformation. Businesses need a robust security posture to match the rapid growth of cloud adoption, the increasing IT complexity, and the modernization of legacy systems. Ransomware and other sophisticated attacks are costing businesses billions. As a result, companies need to adopt a new security model to protect against the growing number of unknown risks, threats, and vulnerabilities.

The traditional cybersecurity model needs to catch up. Enterprise’s infrastructure has grown increasingly complex. The “castle-and-moat” network security model is no longer practical to protect against these evolving threats. The attack surface has widened due to adopting several internal networks, remote offices with their own infrastructure, remote workforce, mobile workforce, office workforce, and leveraging cloud services. There is no longer a traditional network perimeter. The network perimeter has expanded from a defined border to multiple edges or perimeter-less boundaries. So, now, cybersecurity professionals must defend against increasing attacks and threats with the new perimeter-less security posture.

Yes, but it’s a journey. Where you start depends on where you are now and where you want to end up. Many organizations already have elements of zero trust in their infrastructure today. It begins with your organization’s willingness to perform a risk analysis. The outcome of the risk analysis will provide a roadmap. That said, organizations should seek to implement zero trust principles, process changes incrementally, and technology solutions that protect their data assets & business functions by developing use cases. Most enterprise infrastructures will operate in a Hybrid Zero Trust/perimeter-based mode while continuing to invest in IT modernization initiatives and improve organization business processes.

Zero Trust is hope and not hype. Many businesses in the private and public sectors or taking it seriously and have begun their journey. In fact, The White House administration has a federal mandate to implement a zero-trust strategy for the U.S. Federal Government. I’ll ask these questions. What does Zero Trust adoption look like in your respective environments? How have you started to define the scope? Suppose Zero Trust is part of your security strategy, and you have the appropriate use cases for your business and develop a Zero Trust Architecture that supports your strategy. In that case, it can effectively reduce risk to your organization.