Zero Trust is a security model in which no user or device is trusted by default, whether it sits inside or outside the network perimeter. Every request for access to an application or data set must be authenticated, authorized, and continuously re-validated against the requester's identity, security configuration, and device posture; network location alone grants nothing.
The Zero Trust model extends the principle of least privilege to network connectivity: a connection is permitted only when policy explicitly allows it and is denied otherwise. "It assumes that assets and users will interact in hostile environments which, by their very nature, cannot be trusted," explains Bryan Fite, CISO at BT Americas. "Therefore, controls must be leveraged to offset this lack of trust."
Zero Trust provides organizations with a multi-layered approach to securing their environment, says Steve Ryan, a senior consultant at BARR Advisory. "Through network segmentation, granular user-access controls, and continuous monitoring, organizations that implement a Zero Trust model are able to mitigate the risks of a security breach by minimizing the areas of their environment vulnerable to an attack." Even if an attacker manages to gain entry, a Zero Trust model requires re-validation at every entry point in the network, he adds.
Whether an organization is a primary target, a victim of multi-target assault, or collateral damage, it's vulnerable to attack if it uses the public, unsecured Internet. "Fortunately, its ability to operate, be resilient, and thrive can be quantifiably improved by adopting Zero Trust principles and controls," Fite says.
Zero Trust provides a model that creates appropriate risk coverage for all technology layers, says Nick Puetz, a managing director at global consulting firm Protiviti. "As adversarial attack complexity increases, and available skilled resources continue to lag, automation and orchestration are going to play a key role in scaling cyber operations," he notes. "Modern technology requires modern frameworks and capabilities to address risks. Zero Trust is one example of modern risk mitigation."
Planning and execution
Organizations should begin their Zero Trust journey by defining a cyber capabilities architecture. "Don’t start with a specific technology in mind," Puetz cautions. "Instead, enumerate the capabilities you want to enable through technology."
Take stock of the technologies that are already in place, Puetz suggests. Most modern network technologies can integrate with, or already include, Zero Trust functionality. "Start small, get some quick wins, prove out the model: crawl, walk, run," he advises.
Deciding what to deploy, and where, becomes the guidebook for your Zero Trust journey, says Scott Riccon, principal cybersecurity consultant at global technology research and advisory firm ISG. "Organizations that don't spend the time up front to establish a shared vision will rapidly find numerous Zero Trust projects sponsored by different teams within the organization." Such initiatives will eventually reach some level of Zero Trust, but only with duplicative capabilities, longer project times, and additional costs, he notes.
When embarking on their Zero Trust journey, network leaders need to remember that any areas left undone can easily turn into exploitable gaps and seams. Don't get lulled into a false sense of security. "You are reducing the threat surface, not eliminating it," Riccon warns.
Nearly all network owners already possess some or all of the building blocks needed to begin their Zero Trust journey. "Organizations can accelerate their journey by getting more value out of their existing estate," Fite says. "Moreover, by integrating, optimizing, and automating existing controls, organizations can gain the confidence and credibility needed to properly transform and thrive in the Internet of Dangerous Things."
A new philosophy
Zero Trust is not a technology you can buy or a person you can hire. "It's a holistic philosophy that could take years to fully realize, and many companies will not fully realize Zero Trust nirvana," Puetz says. "Treat this as a journey, not a specific destination, and your expectations will be well aligned."
Don’t let Zero Trust's new approach keep you from exploring it, Riccon says. "Change can be good," he notes. "We are evolving from the blocking and tackling fundamentals of cybersecurity to the more advanced plays that allow us to move the ball farther and faster down the field."
"Every organization’s Zero Trust journey will be different," Fite concludes.
Building a Five-Step Zero Trust Strategy
Joe McMann, global cybersecurity portfolio lead at business advisory firm Capgemini, offers the following five steps for building a Zero Trust network security strategy.
1. Define the Attack Surface. If you don’t fully understand what you have in terms of network resources and how everything is interconnected, you won't be able to devise an appropriate protection strategy.
2. Devise a Network Segmentation Plan. Map key business functions and the network traffic each one requires. Isolate the functions that need protecting so that a compromise of one segment does not permit lateral movement into another.
3. Establish Firm Policies. Implement access control policies to better manage access to each new network segment.
4. Create Strong Zero Trust Control Practices. These practices should become an integral part of the security playbook that's used to help network team members fully understand the Zero Trust architecture and how it works.
5. Build a Managed Detection and Response Strategy. Zero Trust is an important concept that should be built into all existing network architectures. But don't forget that a managed detection and response strategy is still necessary to prevent attacks, as well as to respond to network breaches.
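The following is an added example, written for this page rather than taken from Capgemini or any product, that turns steps 1 through 3 into code and shows the "re-validation at every entry point" behaviour described earlier. The segmentation plan is an allow-list of flows between segments; anything not listed is denied. Each access request is checked against identity, MFA state, session age and device posture every time, and a reachability check estimates the blast radius if a host in one segment is compromised. The segment names, roles, services and thresholds are constructed sample data, not a real network.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Step 2: the segmentation plan, expressed as an allow-list of flows.
# Key: (source segment, destination segment, service). Anything absent is denied.
# Segment names, roles and thresholds are constructed for this example.
@dataclass
class Rule:
    roles: Set[str]           # identities (by role) allowed to use this flow
    require_mfa: bool         # MFA must have been completed in this session
    max_auth_age_s: int       # a session older than this must re-authenticate
    require_managed: bool     # device must be enrolled in management

FLOWS: Dict[Tuple[str, str, str], Rule] = {
    ("user-wlan",  "app-tier", "https"):    Rule({"employee", "admin"}, True, 8 * 3600, True),
    ("app-tier",   "db-tier",  "postgres"): Rule({"svc-app"}, False, 3600, True),
    ("admin-jump", "db-tier",  "ssh"):      Rule({"admin"}, True, 900, True),
}

# One access request, carrying the identity and device-posture inputs policy needs.
@dataclass
class Request:
    subject: str
    roles: Set[str]
    src_segment: str
    dst_segment: str
    service: str
    mfa_done: bool
    auth_age_s: int
    device_managed: bool
    device_patched: bool

@dataclass
class Decision:
    allow: bool
    reason: str

def evaluate(req: Request, flows: Dict = FLOWS) -> Decision:
    """Step 3: policy decision point. Every request is checked, every time;
    a valid login earlier in the day is not a reason to skip any check."""
    rule = flows.get((req.src_segment, req.dst_segment, req.service))
    if rule is None:
        return Decision(False, "no policy for this flow (deny by default)")
    if not (req.roles & rule.roles):
        return Decision(False, "role not permitted on this flow")
    if rule.require_managed and not req.device_managed:
        return Decision(False, "unmanaged device")
    if not req.device_patched:
        return Decision(False, "device posture: unpatched")
    if rule.require_mfa and not req.mfa_done:
        return Decision(False, "MFA required")
    if req.auth_age_s > rule.max_auth_age_s:
        return Decision(False, "session too old: re-authenticate")
    return Decision(True, "allowed")

def reachable_segments(start: str, roles: Set[str], flows: Dict = FLOWS) -> Set[str]:
    """Step 1 check: worst-case blast radius. Assume an attacker on `start` holds
    valid credentials for `roles` and passes posture checks; which segments can
    they reach by chaining permitted flows?"""
    seen, todo = {start}, [start]
    while todo:
        cur = todo.pop()
        for (src, dst, _svc), rule in flows.items():
            if src == cur and (roles & rule.roles) and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen - {start}

if __name__ == "__main__":
    laptop = Request("alice", {"employee"}, "user-wlan", "app-tier", "https",
                     mfa_done=True, auth_age_s=600, device_managed=True, device_patched=True)
    print(evaluate(laptop))
    # Same valid identity, aimed straight at the database: no flow exists, so denied.
    print(evaluate(Request("alice", {"employee"}, "user-wlan", "db-tier", "postgres",
                           True, 600, True, True)))
    # Admin on the jump host whose session is older than the 15-minute limit.
    print(evaluate(Request("bob", {"admin"}, "admin-jump", "db-tier", "ssh",
                           True, 1200, True, True)))
    print("compromised laptop can reach:", reachable_segments("user-wlan", {"employee"}))
```

The design point is in `reachable_segments`: a stolen employee credential on the user WLAN reaches the application tier and nothing further, because the database flow is bound to a separate service role. Granting application users the service role (or collapsing the two tiers into one segment) widens that set to include the database tier, which is exactly the gap step 2 exists to close, and the function makes it visible before an attacker does.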