From keynote presentations from the cybersecurity industry’s biggest events to everyday headlines, everyone seems to be talking about Zero Trust. The Biden administration has now even mandated it for government agencies. Numerous security vendors have put it in their marketing materials, but what is it, how did we get to this point, and how are organizations and now federal agencies putting it into practice?
Essentially, Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating each stage of a digital interaction. We find implicit trust in many places within the IT infrastructure, such as the trust of users who are at headquarters different from those who work remotely from their homes. Imagine that airports don’t check your identity until you go through the first security check. Theoretically, once you’re in the concourse, you’d be free to bypass your scheduled flight and board any flight around the world. Zero Trust is the opposite: it implements continuous authentication regardless of the user. Your ID will be checked at the security checkpoint, then your boarding pass will be checked at the gate and finally the flight attendant will make sure you are seated in the correct assigned seat. No one is trusted, even after passing an initial security check.
The past two years have dramatically accelerated the move to hybrid work, prompting many security teams to rethink their security approach for remote users. However, this approach needs to be extended across infrastructure, including major digital transformation initiatives such as the move to the cloud, which has significantly increased a company’s potential attack surface. The 2020 SolarWinds attack showed everyone how dangerous a world without Zero Trust can be: thousands of organizations were compromised. It’s time for organizations to take Zero Trust seriously as a holistic strategy to ensure they protect what matters most.
A misconception that seems to persist is that Zero Trust is a product you can buy. Unfortunately, buying a single security product does not inherently make an organization “Zero Trust”. As cyber-attacks continue to escalate, security professionals feel compelled to deploy a vast array of different tools. In fact, most organizations I speak with today use more than 50 different technologies within their digital environment. This “Whac-A-Mole” security game, where a new tool is acquired and deployed with each new threat, has created an enormous amount of complexity, put pressure on security teams and compromised the overall security level. The combination of accelerating digital transformation, evolving threats and overwhelming levels of security complexity have made a comprehensive Zero Trust approach an absolute necessity. Analyst firm Gartner agrees, predictive 60% of organizations will embrace Zero Trust as the starting point for security by 2025.
A Zero Trust approach, when properly executed, provides an opportunity to rebuild security in a way that fits with these important changes and covers key areas such as users, applications and infrastructure with ideas such as least-privileged access, continuous trust authentication and continuous security inspection, as well as protection of all data and security for all applications.
Once Zero Trust controls and best practices are in place, the Security Center will also play a critical role in the continuous validation of those policies. It does this by continuously monitoring and leveraging advanced techniques, such as behavioral analytics and AI, to identify gaps and security vulnerabilities that are impossible to detect with an individual analyst or tool. Finally, Zero Trust empowers companies to simplify by consolidating individual tools, streamlining policies, and finding ways to automate and orchestrate.
As businesses and now government agencies begin to implement Zero Trust architectures, every Zero Trust initiative must be proposed, presented and approved at the very highest levels of an organization, including executive stakeholders, practitioners and the board. This approach is what we call becoming a true “Zero Trust Enterprise” and avoids the pitfalls of self-contained, individual technology initiatives. As the CTO of an organization that implemented this exact approach internally several years ago, I have seen first hand the benefits of approaching Zero Trust in a holistic manner, which is higher overall security levels and operational efficiencies.