Doubt is the best defence: why you need a zero trust strategy
By 2023 half of IT will be in the cloud, and 75% of organizations will have switched to a ‘cloud first’ strategy.
With this transformation come significant benefits, but it also significantly expands the threat vista, which is why Zero Trust needs to be front and center of your security strategy now.
With the take-up of multicloud, networks are becoming more complex; thus, the traditional perimeter-based network security approach created around hardened firewalls is crumbling. At the same time, internal and external threats are intensifying by the day.
Zero Trust is a security framework that lends itself to a cloud-centric, digitally connected world. It is built on the principle of maintaining strict controls and trusting no one, not even those sitting inside the network perimeter. It assumes that a breach is inevitable or has already occurred. Users are repeatedly checked alongside devices, services, and network components for access credentials.
Zero Trust is far more than a technology. It is a methodology and requires a complete mindset change. “Leveraging available security capabilities effectively, adhering to privacy and data protection regulations as a general course of operations, and stringently following a governance model that extends to business partners and suppliers will become integral to uplifting trust as a means of competitive differentiation,” explains Michael Suby, IDC research vice president, Security and Trust.
With Zero Trust, there is no traditional network edge
Zero trust is a significant departure from traditional security. Zero trust architectures do not automatically connect devices, even if they are using a trusted MAC or IP address. Instead, a Zero Trust framework combines advanced technologies such as multifactor authentication, identity and access management, and proactive next-generation endpoint security tools to continuously protect against threats. It can also encompass data encryption.
Multifactor authentication aims to create layers of security that make it much more difficult for unauthorized users to access systems. This can be made up of a combination of passwords, biometrics, and security tokens, for example. Multifactor authentication is central to any identity and access management framework that manages electronic and digital identities.
Privilege-based access is also key to the zero-trust framework. Every user must request privilege-based access every time they use the system. Users are only given access to parts of the system they need to complete their tasks. This demands a role-based access control (RBAC) model restricting access to systems based on employee roles in the enterprise.
Don’t be fooled by the hype
According to Gartner, most organizations are in the strategy stage for zero trust, so they have an opportunity to lay a solid identity foundation that is imperative for zero trust to work successfully.
Gartner recommends that organizations looking for a practical implementation start with two core projects central to reducing risk with least-privilege access and adaptive security. These are front-end network access based on user-to-application segmentation (a.k.a. zero trust network access) and back-end network access focused on workload-to-workload or identity-based segmentation.
Front-end network access based on the user-to-application segmentation reduces excessive implicit trust access, predominantly from remote resources. Gartner advocates that organizations start with a pilot for a zero trust network access product and then run a proof of concept (PoC) to test applications against the solution. User behavior can be monitored in observation mode to learn patterns of access by users to formulate policies.
Back-end network access focused on workload-to-workload or identity-based segmentation reduces implicit trust by enabling organizations to move individual workloads to a deny-by-default model, notes Gartner. This is where everything and everyone is seen as a threat unless proved otherwise. Again, it will be necessary to learn communication patterns by workloads and applications to create policies.
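The learn-then-enforce sequence described above can be sketched as follows. This is an added example, not code from Gartner or from this article; the workload names, ports, flow counts and the `min_count` threshold are constructed assumptions. Flows seen often in observation mode become allow rules, rare flows go to human review, and everything else is denied by default.

```python
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    src: str   # source workload identity (not an IP address)
    dst: str   # destination workload identity
    port: int


# Constructed observation-mode log: traffic recorded while nothing was blocked.
OBSERVED = (
    [Flow("web", "orders-api", 8443)] * 40
    + [Flow("orders-api", "orders-db", 5432)] * 35
    + [Flow("orders-api", "payments", 8443)] * 5
    + [Flow("batch-report", "orders-db", 5432)]  # seen only once
)


def learn_policy(observed, min_count=3):
    """Turn observed flows into proposed allow rules.

    Flows seen fewer than min_count times are not auto-allowed; they are
    returned separately so a human decides whether they are legitimate.
    """
    counts = Counter(observed)
    allow = {flow for flow, n in counts.items() if n >= min_count}
    review = sorted(flow for flow, n in counts.items() if n < min_count)
    return allow, review


def decide(policy, flow):
    """Deny by default: only an exact identity-to-identity match is allowed."""
    return "allow" if flow in policy else "deny"


def dry_run(policy, traffic):
    """Replay recorded traffic and list what enforcement would block."""
    return sorted({flow for flow in traffic if decide(policy, flow) == "deny"})


POLICY, REVIEW = learn_policy(OBSERVED)

if __name__ == "__main__":
    print("needs review before enforcement:", REVIEW)
    print("would be blocked:", dry_run(POLICY, OBSERVED))
    # A path never observed (web straight to the database) is denied.
    print(decide(POLICY, Flow("web", "orders-db", 5432)))
```

Running the dry run against recorded traffic before switching to enforcement shows which legitimate but rare flows would break, which is the practical reason for the observation phase.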
Creating a zero trust culture
To get a zero trust strategy to work, the whole enterprise must embrace the concept. To do this, you need a robust and foundational philosophy and an approach that will foster change.
Employees can easily interpret zero trust as meaning that the enterprise does not trust them. You need to make sure they understand that access privileges are being applied across the organization and not to specific individuals.
Everyone in the organization needs to understand that they have an essential role to play in its security. This means developing and inspiring trust in employees and raising awareness of zero trust across the organization through training and educational initiatives. Highlight how employees can spot and report suspicious behavior, for example.
Security for a different world
The zero trust approach relies on technologies such as encryption, multifactor authentication, and identity and access management, together with governance processes, to secure the enterprise. There is no single technology out there, however, that will give you a full zero trust posture.
You must remember, however, that implementing zero trust isn’t simply about deploying technologies nor is it achievable overnight. Zero trust is a journey that needs the support of everyone in the organization to be successful.