A recent study by CyberRisk Alliance revealed some surprising statistics about zero-trust security. Although the term dates back nearly 30 years, only 35% of the security leaders polled were very familiar with the practice. And despite the rash of security incidents in recent years, the same percentage were highly confident in their zero-trust capabilities.
There’s a disconnect. From our experience, while interest in zero trust is growing, many security leaders appear to be confused about how to properly implement it. Too many believe it can be solved simply by plugging in a new product or by upgrading old ones. What’s actually needed is a better understanding of what zero-trust security is: how it incorporates a blend of products, processes, and people to protect mission-critical corporate assets.
The concept of zero trust is simple: “never trust, always verify.” It may seem harsh to users who have grown accustomed to smooth and easy access to information, but it’s a sound policy. We prefer to use the phrase “mutually suspicious,” which is similar. It means, in effect, “Here’s who I am; you prove to me who you are.”
To a certain extent, the practice — as well as the term — is old, dating back to minicomputers and mainframes. It’s all about requiring good digital hygiene. What has changed is that our environment has shifted and expanded. Now, with cloud, edge devices, and data centres opening up more endpoints to attack, organisations have to rely on more than firewalls to keep intruders out.
Organisations need to align their processes, people, and products to achieve true zero trust.
Products are a straightforward step. Essentially, what’s needed is a full line of security technologies that verify identity, location, and device health. The objective is to minimise the blast radius and limit segment access. While there is no single product or platform that accomplishes all these goals, a successful zero trust programme will incorporate elements of identity management, multi-factor authentication, and least-privileged access.
Zero-trust technologies are available to cover all attack surfaces and protect organisations, but they mean nothing without the people using them. Therefore, aligning company success and security with employee success and security is critical. This means prioritising a culture of transparency, open communication, trust in the process, and faith in each other’s ability to do good.
To successfully implement zero-trust technology into a corporate culture, organisations need to involve employees in the process. Don’t just roll out a top-down mandate and expect it to click. Alert employees about what’s going on, what the process of zero trust entails, how it impacts and benefits them as well as the company, what to watch out for, and how they can support the zero-trust process.
By engaging employees and challenging them to embrace a healthy dose of scepticism towards potential threats, employers plant the seeds of security throughout the organisation. Once employees understand what’s going on and the value of zero trust, they too begin to feel trusted and are empowered to be part of the broader cybersecurity network. This empowers employees to proactively identify insider and outsider threats to the enterprise across all attack surfaces, fostering good security hygiene.
Zero-trust security requires a significant rework in overall organisational processes.
One of the most important moves organisations can make is to define and assess every aspect of their data security environment. This includes identifying where all of the organisation’s unstructured data is stored, what business purposes specific data stores serve, who has access to it, and what kind of security controls are already in place. A thorough permissions assessment will help guide the development of a comprehensive access management policy. Some assets will require zero-trust protection; others won’t. All devices that connect to a network will need to be accounted for so they can fend off outside phishing attacks.
One key tech mechanism that can help organisations in a zero-trust world is immutability – creating data copies that can’t be modified or deleted. This ensures organisations don’t lose data or allow it to end up in the wrong hands.
An overlooked practice is to define a common zero-trust framework for the whole organisation. It does no good to have teams interpreting confusing sets of conventions or reinventing what “zero trust” means on a project-by-project basis.
Lastly, and perhaps most importantly, organisations need to reassess and revise their zero-trust processes. It’s like going to the gym: exercise becomes a way of life, and active people tweak their workout routines all the time. The same goes for security. Zero trust is a continuum. You’re never done.
Threatscapes will continue to evolve over time. Organisations taking a zero-trust approach will need to continue to develop a comprehensive plan — and then continually revise their technologies, processes, and people practices to meet their future needs.