The Zero Trust slogan is ‘Never Trust, Verify Everything’.
To truly protect your organization today, you must implement a Zero Trust security model and operate by its core principles of:
Zero Trust security continuously verifies the access permissions of every identity (human and machine) for every requested resource (on-prem, cloud and hybrid). It also monitors each identity's actions and compares them against a behavioral baseline; an anomaly can trigger elevated verification (step-up authentication) or immediate action, such as ending the session.
Zero Trust is a proven model for implementing robust, selective security controls. In practice it means removing risky, unnecessary and excessive permissions in favor of specific delegation and properly provisioned, fine-grained access.
For most organizations, implementing Zero Trust is already an ongoing security program that shapes all of their efforts in this space. The key to building it out is identity: securing identities, implementing correct and durable processes to manage them, and bringing privileged identities under complete control and monitoring. When these fundamentals are in place, organizations can move on to enforcing least privilege and continuous authentication, and begin investing in next-generation technologies such as ZTNA, which radically departs from the legacy systems currently in use.
A simple way to start the journey is to use segmentation to create isolated zones based on security policies. For example, a network can have a high-trust zone for internal users and devices, a low-trust zone for external users and devices, and a no-trust zone for untrusted or unknown entities. Each zone can have its own authentication and authorization mechanisms, encryption standards, firewall rules and monitoring tools. Segmentation reduces the attack surface, limits an attacker's lateral movement and helps enforce the principle of least privilege. One caveat: the zone label should decide which controls apply, not whether a request is verified at all. Traffic inside the high-trust zone must still be authenticated and authorized per request; otherwise the segment itself becomes the implicit trust that Zero Trust sets out to remove.
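A minimal policy evaluator for the zoned segmentation just described, added here as an example that is not code from the article or from any product: zones are assigned by CIDR, a flow matrix denies by default (so the low-trust zone cannot reach the high-trust zone), and the destination zone sets the authentication assurance a request must present. The CIDRs, assurance levels and flow matrix are constructed assumptions.

```python
"""Zone-based segmentation policy, evaluated per request.

Added example, not code from the original article. The zones, CIDRs,
assurance levels and flow matrix are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Authentication assurance levels used below (an assumption of this example):
# 0 = unauthenticated, 1 = password only, 2 = MFA, 3 = MFA from a managed device.
ZONES = {
    # Internal users and devices. "High trust" only means the zone is reachable
    # at all; every request into it must still present MFA.
    "high": {"cidrs": ["10.10.0.0/16"], "min_auth": 2},
    # External users, contractors and guests.
    "low": {"cidrs": ["192.168.50.0/24"], "min_auth": 1},
    # Anything not in a known segment: unknown or untrusted entities. No flow
    # targets it, but min_auth is kept so the policy stays total if one is added.
    "none": {"cidrs": [], "min_auth": 3},
}

# Permitted (source zone, destination zone) pairs. Everything else is denied, so a
# foothold in the low-trust zone cannot move laterally into the high-trust one.
ALLOWED_FLOWS = {
    ("high", "high"),
    ("high", "low"),
    ("low", "low"),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    src_zone: str
    dst_zone: str
    reason: str


def zone_of(ip: str) -> str:
    """Classify an address by the segment it sits in; unknown space is the no-trust zone."""
    addr = ipaddress.ip_address(ip)
    for name, spec in ZONES.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in spec["cidrs"]):
            return name
    return "none"


def evaluate(src_ip: str, dst_ip: str, auth_level: int) -> Decision:
    """Apply the flow matrix first, then the destination zone's assurance requirement.

    Order matters: a request that fails the flow matrix is denied before any
    credential is consulted, so an attacker in the wrong segment learns nothing
    about the authentication policy of the target zone.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if (src, dst) not in ALLOWED_FLOWS:
        return Decision(False, src, dst, f"flow {src}->{dst} not permitted by segmentation policy")
    required = ZONES[dst]["min_auth"]
    if auth_level < required:
        return Decision(False, src, dst, f"step-up required: level {required}, presented {auth_level}")
    return Decision(True, src, dst, "permitted")


if __name__ == "__main__":
    # Constructed sample requests.
    for src, dst, lvl in [
        ("10.10.3.4", "10.10.7.7", 2),       # internal MFA user to internal service
        ("10.10.3.4", "10.10.7.7", 1),       # same path, password only
        ("192.168.50.9", "10.10.7.7", 2),    # contractor segment trying to reach internal
        ("203.0.113.5", "192.168.50.9", 3),  # unknown source, even with strong auth
    ]:
        d = evaluate(src, dst, lvl)
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{src} -> {dst} (auth {lvl}): {verdict} [{d.src_zone}->{d.dst_zone}] {d.reason}")
```

Run it and the four constructed requests print ALLOW or DENY together with the rule that decided them. The point to carry into a real deployment is the order of checks and the default deny; in practice the same matrix would be expressed as firewall or microsegmentation policy, and the assurance level would come from the identity provider's authentication context rather than a parameter.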
Zero Trust success starts with casting the net wide enough to tackle identity sprawl. This means focusing not just on people, but also on machine identities and the ever-expanding set of accounts that appear as organizations move to a multi-generational, hybrid and edge IT landscape. If you draw the circle too small, you leave a side door open to bad actors.
Another key prerequisite is to shift your mindset from the historical approach of trying to protect everything by optimizing for security at the perimeter, to assuming that compromise is inevitable and instead optimizing investments to verify everything. By using contextual awareness, session monitoring and behavior analytics, organizations can anticipate, detect and take corrective action on emerging threats more quickly and efficiently.
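The baseline comparison in the definition near the top of the page and the contextual awareness, session monitoring and behavior analytics mentioned here come down to one mechanism: score each access against what the identity normally does, then allow it, step up verification, or act. The following is an added example and not code from the article; its access history, weights and thresholds are constructed, and a real deployment would learn the baseline from its own logs and tune the weights to its false-positive budget.

```python
"""Scoring an access request against a per-identity behavioral baseline.

Added example, not code from the original article. The history, weights and
thresholds are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed history of successful accesses: (identity, source IP, hour of day, resource).
HISTORY = [
    ("alice", "10.10.1.5", 9, "crm"),
    ("alice", "10.10.1.5", 10, "crm"),
    ("alice", "10.10.1.17", 14, "wiki"),
    ("alice", "10.10.1.5", 16, "crm"),
    ("svc-build", "10.20.0.9", 2, "artifact-store"),
    ("svc-build", "10.20.0.9", 3, "artifact-store"),
]

# Weight of each deviation from baseline, and the decision thresholds (assumed).
WEIGHTS = {"new_network": 2, "unusual_hour": 1, "new_resource": 1, "no_baseline": 3}
STEP_UP_AT, BLOCK_AT = 1, 3


def network_of(ip: str) -> str:
    """Generalize a source address to its /24 so a DHCP change on the same LAN is not an anomaly."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baselines(history):
    """Collapse the history into per-identity sets of seen networks, hours and resources."""
    base = defaultdict(lambda: {"networks": set(), "hours": set(), "resources": set()})
    for who, ip, hour, resource in history:
        base[who]["networks"].add(network_of(ip))
        base[who]["hours"].add(hour)
        base[who]["resources"].add(resource)
    return dict(base)


def score_event(baselines, who, ip, hour, resource):
    """Return (score, reasons) for one access request measured against the identity's baseline."""
    profile = baselines.get(who)
    if profile is None:
        # An identity with no history at all is itself an anomaly: an account
        # that was never brought under monitoring (identity sprawl).
        return WEIGHTS["no_baseline"], ["no_baseline"]
    reasons = []
    if network_of(ip) not in profile["networks"]:
        reasons.append("new_network")
    # Tolerate one hour either side of any previously seen hour, wrapping at midnight.
    if not any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in profile["hours"]):
        reasons.append("unusual_hour")
    if resource not in profile["resources"]:
        reasons.append("new_resource")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    """Map a score to the article's three outcomes: allow, elevated verification, or immediate action."""
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    # Constructed live events.
    for event in [
        ("alice", "10.10.1.42", 11, "crm"),        # same LAN, working hours, usual app
        ("alice", "203.0.113.7", 10, "crm"),       # usual app, but from an unknown network
        ("alice", "10.10.1.5", 22, "payroll-db"),  # late night, resource never touched before
        ("svc-build", "198.51.100.4", 14, "crm"),  # service account used interactively elsewhere
        ("mallory", "10.10.1.5", 10, "crm"),       # identity nobody has a baseline for
    ]:
        score, reasons = score_event(baselines, *event)
        who, ip, hour, resource = event
        print(f"{who:10} {ip:14} {hour:02d}h {resource:14} score={score} {decide(score):7} {reasons}")
```

The service-account case is the one worth noticing: its baseline is a single source network, two night-time hours and one resource, so an interactive login from elsewhere during the day scores above the block threshold on its own. That is the behavior analytics argument for bringing machine identities into the same monitoring as people.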
Finally, Zero Trust can be challenging to introduce into an existing infrastructure, because its controls must be retrofitted onto the network already in place. For existing systems, applications and networks, IT managers need to determine how Zero Trust can be overlaid onto the current environment.
A primary blocker to delivering on the promise of Zero Trust is the fragmented way most organizations manage access rights today. The average large enterprise uses 25 different systems to manage access rights (source: The 3rd Annual Global Password Security Report). This siloed approach limits visibility and creates gaps, inconsistencies and additional risk. The complexity of operating so many systems also pushes organizations to grant always-on (standing) privilege rather than revoke it when it is no longer needed.
Many forward-looking organizations aspiring to implement Zero Trust are now looking at the problem differently. By viewing it holistically and taking a unified approach to identity security, bridging silos and ensuring all identities are correlated and visible, they are able to add, remove and adjust privilege just in time, more quickly and more reliably, which is a cornerstone of a Zero Trust strategy.
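What a unified, correlated view buys you, and what just in time privilege looks like once you have it, as an added example that is not code from the article or from any product: three constructed silo exports are joined on mail and employee ID so that one person's privileged entitlements appear together, and a constructed JitBroker replaces that standing privilege with grants that expire and are revoked automatically. The record fields, the privileged-entitlement list and the broker API are assumptions of the example.

```python
"""One correlated view of a person's accounts across silos, then just in time
privilege in place of standing privilege.

Added example, not code from the original article or any product. The silo
exports, correlation keys, privileged-entitlement list and broker API are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed exports from separate access-management silos. Each keys its
# accounts differently, which is why these privileges were never seen together.
HR = [{"employee_id": "E1001", "mail": "jane.doe@example.com"}]
AD = [{"sam": "j.doe", "mail": "jane.doe@example.com", "groups": ["Domain Admins", "VPN Users"]}]
CLOUD = [{"user": "jane.doe@example.com", "roles": ["Owner"]}]
DB = [{"login": "jdoe", "employee_id": "E1001", "role": "db_superuser"}]
PRIVILEGED = {"Domain Admins", "Owner", "db_superuser"}  # entitlements that count as privileged

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock for determinism


def at(minutes: int) -> datetime:
    """Point in time `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


def correlate(hr, ad, cloud, db):
    """Join the silos on mail (AD, cloud) or employee ID (DB) into one record per person."""
    people = {p["employee_id"]: {"mail": p["mail"], "accounts": [], "standing": set()} for p in hr}
    by_mail = {v["mail"]: eid for eid, v in people.items()}
    for a in ad:
        if (eid := by_mail.get(a["mail"])):
            people[eid]["accounts"].append(("ad", a["sam"]))
            people[eid]["standing"].update(g for g in a["groups"] if g in PRIVILEGED)
    for c in cloud:
        if (eid := by_mail.get(c["user"])):
            people[eid]["accounts"].append(("cloud", c["user"]))
            people[eid]["standing"].update(r for r in c["roles"] if r in PRIVILEGED)
    for d in db:
        if (eid := d["employee_id"]) in people:
            people[eid]["accounts"].append(("db", d["login"]))
            if d["role"] in PRIVILEGED:
                people[eid]["standing"].add(d["role"])
    return people


@dataclass
class Grant:
    employee_id: str
    privilege: str
    justification: str
    expires_at: datetime


class JitBroker:
    """Hands out privilege for a bounded window and takes it back when the window closes."""

    MAX_TTL = timedelta(hours=4)  # cap on any single elevation, whatever was requested

    def __init__(self):
        self.grants = []
        self.audit = []

    def request(self, employee_id, privilege, justification, ttl, now):
        if not justification:
            raise ValueError("every elevation needs a justification")
        g = Grant(employee_id, privilege, justification, now + min(ttl, self.MAX_TTL))
        self.grants.append(g)
        self.audit.append(f"{now.isoformat()} GRANT {employee_id} {privilege} until {g.expires_at.isoformat()}")
        return g

    def active(self, employee_id, now):
        """Privileges in force right now; nothing is standing, so an empty set is the normal state."""
        return {g.privilege for g in self.grants if g.employee_id == employee_id and g.expires_at > now}

    def revoke_expired(self, now):
        """The automated sweep: drop every grant whose window has closed and record it."""
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        for g in expired:
            self.audit.append(f"{now.isoformat()} REVOKE {g.employee_id} {g.privilege} (expired)")
        return expired


if __name__ == "__main__":
    view = correlate(HR, AD, CLOUD, DB)
    print("standing privilege across silos:", sorted(view["E1001"]["standing"]))
    broker = JitBroker()
    broker.request("E1001", "Domain Admins", "INC-1234 DC patching", timedelta(hours=1), at(0))
    print("active at +30m:", broker.active("E1001", at(30)))
    print("revoked at +61m:", [g.privilege for g in broker.revoke_expired(at(61))])
    print("active at +61m:", broker.active("E1001", at(61)))
    print("\n".join(broker.audit))
```

The correlation step is what makes the rest possible: until the AD group, the cloud role and the database role are attributed to the same person, nobody can see that one identity holds all three permanently, let alone revoke them. The broker then shows the shape of the automated workflow the next paragraph asks for: every grant has a justification, a capped lifetime and a matching revocation in the audit trail without a human remembering to clean up.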
A second, related blocker is the lack of automation around integrated workflows between applications. Given the disjointed way many organizations pursue Zero Trust, this is common. Even when organizations bring together best-of-breed solutions to address the various elements of Zero Trust (e.g., identity and privilege), there is a good deal of friction because the products are not integrated. To streamline activities and attain optimal results, organizations should prioritize automated orchestration.
Many of the reasons Zero Trust projects fail are already listed above: not casting the net wide enough across all identities, failing to shift your mindset to continuous verification, and pursuing the strategy in a fragmented fashion.
One additional point of failure is thinking small and short term. Even in the early stages of planning, it is important to recognize that the threat landscape, as well as the IT landscape, is no longer static. Implement a cybersecurity strategy that is flexible and dynamic, not locked into a specific set of processes or constrained by your hybrid infrastructure. By becoming continuously adaptive, you can quickly pivot to changes in user roles and responsibilities, to changes in IT infrastructure, and of course to new and developing threats.