A cybersecurity expert explains why it’s time to get serious about Zero Trust
From keynote presentations at the cybersecurity industry’s biggest events to everyday news headlines, everyone appears to be talking about Zero Trust. The Biden administration has now even mandated it for government agencies. Countless security vendors put it in their marketing materials, but what is it, how did we get to this point, and how do organizations and now federal agencies put it into practice?
Fundamentally, Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. We find implicit trust in many places within the IT infrastructure, such as trusting users sitting at headquarters differently from those working remotely from their home. Imagine if airports only checked your identity when you passed through the initial security checkpoint. Theoretically, once you’re in the concourse, you’d be free to bypass your intended flight and board any flight around the world. Zero Trust is the opposite: It implements continuous verification, no matter the user. Your ID is checked at the security checkpoint, then your boarding pass gets checked at the gate, and finally the flight attendant ensures you’re sitting in the correctly assigned seat. No one is trusted, even after they pass an initial security screening.
The past two years have greatly accelerated the move to hybrid work, leading many security teams to start the process of overhauling their security approach for remote users. Yet this approach needs to be expanded across the entire infrastructure, including major digital transformation initiatives such as the move to the cloud, which has significantly increased a company’s potential attack surface. The 2020 SolarWinds attack showed everyone just how dangerous a world without Zero Trust can be: Thousands of organizations found themselves compromised. It’s time for organizations to get serious about Zero Trust as a holistic strategy to ensure they’re protecting what matters most.
One misconception that seems to persist is that Zero Trust is a product you can buy. Unfortunately, buying any single security product doesn’t inherently make any organization “Zero Trust.” As cyberattacks continue to escalate, security professionals feel forced to deploy a ballooning set of different tools; in fact, most organizations I speak with today use 50+ different technologies within their digital environment. This game of security “Whac-A-Mole,” where a new tool is procured and deployed with every new threat, has created a tremendous amount of complexity, strained security teams, and hurt overall levels of security. The combination of accelerating digital transformation, evolving threats, and overwhelming levels of security complexity has made a comprehensive Zero Trust approach an absolute necessity. Analyst firm Gartner agrees, predicting 60% of organizations will embrace Zero Trust as a starting point for security by 2025.
A Zero Trust approach, when done correctly, presents an opportunity to rebuild security in a way that fits these significant changes. It covers key areas like users, applications, and infrastructure with principles such as least-privileged access, continuous trust verification, and continuous security inspection, as well as protection of all data and security for all applications.
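To make the difference between implicit trust and continuous verification concrete, here is an added example (not code from the article or from any vendor it mentions) of a minimal policy decision point. It contrasts a perimeter model, which allows anything that arrives from the "headquarters" address range, with a Zero Trust evaluation that ignores network location and re-checks identity, least-privilege entitlement, authentication freshness and device posture on every request. All users, addresses, resources, entitlements and policy thresholds are constructed sample data.

```python
"""Added example: per-request policy evaluation, perimeter model vs. Zero Trust.
All names, addresses, entitlements and thresholds below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "headquarters" address range consulted only by the perimeter model.
CORPORATE_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    """One stage of a digital interaction, as seen by the policy decision point."""
    user: str
    source_ip: str
    resource: str
    action: str
    auth_age_s: int        # seconds since the user last proved their identity
    device_managed: bool   # device is enrolled in device management
    device_patched: bool   # current posture signal from the endpoint agent


def perimeter_decision(req: Request) -> bool:
    """Implicit-trust model: anyone on the corporate network is allowed through."""
    return ip_address(req.source_ip) in CORPORATE_NET


# Least-privilege entitlements per user and resource (constructed sample data).
ENTITLEMENTS = {
    "alice": {"payroll-db": {"read"}, "wiki": {"read", "write"}},
    "bob": {"wiki": {"read"}},
}

# Per-resource requirements: how fresh the authentication must be and whether
# a managed device is required (constructed sample policy).
RESOURCE_POLICY = {
    "payroll-db": {"max_auth_age_s": 300, "managed_device": True},
    "wiki": {"max_auth_age_s": 3600, "managed_device": False},
}


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero Trust model: every request is verified on its own merits.

    Network location is never consulted. Identity, entitlement, authentication
    freshness and device posture are all re-checked for each request. The
    reason string is returned so every decision can be logged for the SOC.
    """
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource (default deny)"
    allowed_actions = ENTITLEMENTS.get(req.user, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return False, f"{req.user} is not entitled to {req.action} on {req.resource}"
    if req.auth_age_s > policy["max_auth_age_s"]:
        return False, "authentication too old, re-verification required"
    if policy["managed_device"] and not req.device_managed:
        return False, "unmanaged device"
    if not req.device_patched:
        return False, "device posture failed (unpatched)"
    return True, "allowed"


def evaluate_session(requests: list[Request]) -> list[tuple[bool, str]]:
    """Continuous verification: a session is re-evaluated at every stage, so a
    posture change mid-session revokes access for the requests that follow."""
    return [zero_trust_decision(r) for r in requests]


def demo() -> None:
    # A stolen laptop plugged into the office network: the perimeter says yes.
    insider = Request("bob", "10.1.2.3", "payroll-db", "read", 60, True, True)
    # An entitled user at home on a healthy managed device: the perimeter says no.
    remote = Request("alice", "203.0.113.7", "payroll-db", "read", 60, True, True)
    for r in (insider, remote):
        print(r.user, r.source_ip, "perimeter:", perimeter_decision(r),
              "zero trust:", zero_trust_decision(r))


if __name__ == "__main__":
    demo()
```

The two decisions disagree in both directions: the perimeter model admits an unentitled request simply because it originates inside the building, and rejects a legitimate remote user, while the Zero Trust evaluation decides on identity, entitlement and posture alone. Because the decision point returns a reason with every verdict, the denials become the audit trail the security operations center watches for gaps in policy.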
Once Zero Trust controls and best practices are put in place, the security operations center also plays a critical role in the continuous validation of those policies. It does so by constantly monitoring and leveraging advanced techniques, such as behavioral analytics and AI, to identify gaps and security issues impossible to detect with an individual analyst or tool. Finally, Zero Trust enables companies to simplify by consolidating individual tools, streamlining policies and finding ways to automate and orchestrate.
As companies, and now government agencies, begin implementing Zero Trust architectures, any Zero Trust initiative should be proposed, presented, and approved at the very highest levels of an organization, including executive stakeholders, practitioners, and the board, if it is to succeed. This approach is what we refer to as becoming a true “Zero Trust Enterprise” and avoids the pitfalls of highly siloed, individual technology initiatives. As CTO of an organization that implemented this exact approach internally several years ago, I have witnessed firsthand the benefits of approaching Zero Trust in a holistic way: namely, higher overall levels of security and operational efficiencies.