What CISOs Should Understand About the Zero Trust Security Model

The way forward for enterprises in the new era of work is to implement a zero trust security model to enhance the organizational cybersecurity posture.

Michael Gray

February 10, 2023


CISOs and CTOs have a more complicated job amid COVID-19: McKinsey research reported that 58% of employees in the United States, around 92 million people, are currently working remotely at least part of the time. On top of the rise of remote work, bring-your-own-device (BYOD) policies, and employers giving employees more flexibility in where, when, and how work gets done, the modern workforce is always on the move, bringing new and more advanced cybersecurity risks to organizations.

CISOs understand that intellectual property, customer data, and other valuable information should be protected while avoiding business system downtime and protecting key applications. It’s the juggling act of needing to protect everything without getting in the way of day-to-day employee responsibilities.

A traditional cybersecurity approach assumes that any user, device, or infrastructure that falls under the umbrella of the corporate network is automatically trustworthy. That assumption no longer holds, and one common example makes the point: applications have come out from behind the firewall, and end users can access sensitive data and information from a personal device over their own home network.

A conventional security approach for organizations is a perimeter-based model, where the IT team builds a network security perimeter inside which important assets are protected, so that attackers have a hard time reaching the applications or data. This approach presents its own issues, however, because it requires trusting that the perimeter is actually secure, including every end user inside it. It also assumes a centralized on-premises network rather than a Cloud architecture or digital workspace that may include SaaS applications and programs.

Traditional security approaches have evolved, and the Zero Trust Security Model was meant for this moment, regardless of an organization's size and scope: it supports remote and hybrid work environments and minimizes cybersecurity risk by limiting exposure to fast-moving attacks and 0-day threats that can evade traditional defenses. In essence, zero trust is a security model that does not permit access to any resource (an IP address, for example) until the user has been authorized. While the idea of zero trust architecture has been around for over a decade, the recent changes in how and where people work have increased the importance of the zero trust model.

According to a recent global survey, 41 percent of respondents reported plans to adopt a zero trust strategy and are already in the early stages of enacting this model. In the same survey, 80 percent of respondents overall either plan to adopt zero trust in the future or have already adopted it. Organizations are starting to understand the importance of keeping data secure by moving towards zero trust, especially as more employees work remotely in response to the pandemic.

Summarized as "never trust, always verify," zero trust requires any user or IT resource to be properly verified before access is granted, to prevent unauthorized users or malicious actors from reaching the environment. Adoption can protect against top security issues, such as phishing attacks, malware, and data theft, by protecting users, their devices, and the applications they have access to. When zero trust is in place within an organization, CISOs should adhere to the following principles:

  • All networks involved should automatically be treated as untrusted, with no exceptions. Once the networks are considered untrusted, the users on them should be considered untrusted as well.

  • End users should have only enough access to do their job tasks, and only when necessary. User access should be removed immediately once it is no longer required, such as when the job is completed for the day.

  • A verification method such as Multi-Factor Authentication (MFA) grants access only to those who can verify their credentials beyond a username and password, for example by providing a unique code sent to a mobile device. This helps ensure that end users are who they say they are before access is granted.

  • Whether personal or work-issued, access should be granted only to trusted devices, be it a mobile phone, laptop, desktop, or tablet. To keep risk away from the network, these devices must be checked at every access point.

  • Access policies must be in force across the organization, covering the Cloud, the various applications in use, and on-premises physical infrastructure. These policies should take into account user identity, geolocation, and the specific work or personal device in use, so that access is granted only to those who need it.
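The principles above map directly onto a policy decision point: every request is denied until identity (with MFA), device trust, geolocation, and least-privilege entitlement have each been checked, and any grant carries an expiry so access lapses when the work is done. The following is an added illustration of that decision logic, not code from the article or from Thrive; the device inventory, role entitlements, country allow-list, and sample requests are all constructed for the example.

```python
"""Minimal zero trust access-policy evaluator (added illustration, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed inventory and policy tables (assumptions for this example).
TRUSTED_DEVICES = {"laptop-0421", "phone-0007"}   # devices whose posture has been verified
ROLE_ENTITLEMENTS = {                              # least privilege: role -> resources it may use
    "finance-analyst": {"erp"},
    "engineer": {"ci", "repo"},
}
ALLOWED_COUNTRIES = {"US", "CA"}                   # geolocation policy for this tenant
GRANT_TTL = timedelta(hours=8)                     # a grant lapses at the end of the shift


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool      # did the identity provider complete a second factor?
    device_id: str
    country: str
    resource: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[datetime] = None


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Treat every request as untrusted; the first failing check denies it."""
    if not req.mfa_verified:
        return Decision(False, "mfa_required")
    if req.device_id not in TRUSTED_DEVICES:
        return Decision(False, "untrusted_device")
    if req.country not in ALLOWED_COUNTRIES:
        return Decision(False, "geolocation_blocked")
    if req.resource not in ROLE_ENTITLEMENTS.get(req.role, set()):
        return Decision(False, "not_entitled")
    # All checks passed: grant, but only for a bounded window.
    return Decision(True, "ok", expires_at=now + GRANT_TTL)


def grant_is_valid(decision: Decision, now: datetime) -> bool:
    """A grant is re-checked on every access and stops working at its expiry."""
    return decision.allowed and decision.expires_at is not None and now < decision.expires_at


def evaluate_all(requests: List[AccessRequest], now: datetime) -> List[Decision]:
    return [evaluate(r, now) for r in requests]


# Constructed sample requests; each after the first trips a different check.
NOW = datetime(2023, 2, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_REQUESTS = [
    AccessRequest("alice", "finance-analyst", True, "laptop-0421", "US", "erp"),
    AccessRequest("alice", "finance-analyst", True, "laptop-0421", "US", "repo"),  # no entitlement
    AccessRequest("bob", "engineer", False, "laptop-0421", "US", "repo"),         # MFA not completed
    AccessRequest("bob", "engineer", True, "kiosk-9999", "US", "ci"),             # device not in inventory
    AccessRequest("carol", "engineer", True, "phone-0007", "XX", "ci"),           # country not allowed
]


if __name__ == "__main__":
    for req, d in zip(SAMPLE_REQUESTS, evaluate_all(SAMPLE_REQUESTS, NOW)):
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{req.user:6} {req.resource:5} -> {verdict:5} ({d.reason})")
```

The ordering of the checks is deliberate: identity and device posture are evaluated before any entitlement lookup, so an attacker with a stolen password but no second factor or enrolled device never reaches the authorization stage, and the deny reason can be logged for detection without revealing which resource would otherwise have been available.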

It is important to note that work environments are integrating on-premises infrastructure with multi-Cloud infrastructures and SaaS applications, which can leave multiple entry points open for intruders to move easily within a network. This leaves users more susceptible than ever to malware and the many forms of phishing attack, which every organization needs to be cognizant of. The way forward for C-level leaders in the new era of work is to implement a zero trust security model to enhance the organizational cybersecurity posture.

Michael Gray is the CTO of Thrive.

About the Author(s)

Michael Gray

Michael Gray is the CTO of Thrive. He has been a strong technology leader at Thrive over the past decade, contributing to the consulting, network engineering, managed services, and product development groups while continually being promoted up the ladder. Michael's technology career began at Dove Consulting and later Praecis, a biotechnology startup that was acquired by a top-five pharmaceutical firm in 2007. Serving in his current role, he is now responsible for Thrive’s R&D, and technology road-mapping vision, while also heading the security and application development practices. He is a member of several partner advisory councils and participates in many local and national technology events. Michael has a degree in Business Administration from Northeastern University, and he also maintains multiple technical certifications, including Fortinet, Sonicwall, Microsoft, ITIL, and Kaseya, and he maintains his Certified Information Systems Security Professional (CISSP).