If you work anywhere in IT or cybersecurity today, one phrase is among the most pervasive: Zero Trust. The 2021 Cybersecurity Executive Order (EO 14028), for example, mentions it 11 times.
But what exactly is Zero Trust? And why is it considered so important in today’s digitally connected ecosystem?
Zero Trust isn’t a new term or concept; organizations such as Forrester and Google have been evangelizing it for about a decade (Forrester analyst John Kindervag coined the term in 2010, and Google’s BeyondCorp initiative is the best-known large-scale implementation). You’ll no doubt hear countless definitions and explanations of the concept when talking to IT professionals. Your best bet is guidance from reputable organizations not tied to any specific vendor or technology. These include the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), both of which have released their own guidance. The National Institute of Standards and Technology (NIST) Special Publication 800-207, Zero Trust Architecture, is another great place to begin learning about it.
At a high level, Zero Trust is a security model built on the reality that cybersecurity threats exist both inside and outside an organization and its system boundaries. Traditional security was predicated on a castle-and-moat style of defense: a hard exterior and a soft interior. That is an antiquated way of approaching cybersecurity, because it allows malicious actors to move freely once they breach the fortified perimeter. It also fails outright against insider threats, who often never need to cross the perimeter at all.
Pillars of Zero Trust
Zero Trust is predicated on a few fundamental principles: never trust, always verify; assume a breach has already occurred; and explicitly verify every access request. CISA’s Zero Trust Maturity Model is structured around five pillars: identity, device, network/environment, application/workload, and data. These rest on three cross-cutting foundations: visibility and analytics, automation and orchestration, and governance.
In many ways, it’s a reiteration of traditional security practices such as least-privilege access control and continuous monitoring. What has changed is the rapid maturation of the technology available to enforce them. Using modern Zero Trust tooling from cloud service providers and third-party vendors, organizations can implement capabilities that were once very difficult, if not impossible. That includes contextual access control, where criteria such as geographic location, device posture, user behavioral analytics, and more feed into each access decision. Azure AD (now Microsoft Entra ID) Conditional Access policies, which evaluate signals like these at sign-in to decide whether to grant access, block it, or require an additional control such as MFA, are a good example.
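To make the contextual, default-deny decision described above concrete, here is an added example of a small policy decision point (PDP) in the sense of NIST SP 800-207. It is not code from this article or from any vendor product; the signal names, the rule set, the allowed-country list and the MFA-age thresholds are all hypothetical assumptions chosen to illustrate the idea. Every rule contributes an opinion, any deny wins over step-up, step-up wins over allow, and a request that no rule explicitly grants is denied. Allow decisions carry a short TTL so the enforcement point has to re-evaluate as signals change, which is what the constructed scenario at the bottom shows: the same user loses access to the same resource the moment the device falls out of compliance.

```python
"""Toy Zero Trust policy decision point: contextual, default-deny access.

Added example, not code from the original article or any vendor product.
All signal names, rules and thresholds are hypothetical assumptions; a real
PDP would pull these signals from the identity provider, the MDM/EDR agent
and the network edge rather than from a dataclass.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

ALLOWED_COUNTRIES = {"US", "CA", "GB", "DE"}        # assumed corporate footprint
MFA_MAX_AGE_MIN = {"public": 720, "internal": 240, "confidential": 60}  # assumed


class Decision(Enum):
    DENY = "deny"
    STEP_UP_MFA = "step_up_mfa"   # grant only after a fresh MFA challenge
    ALLOW = "allow"


@dataclass(frozen=True)
class AccessRequest:
    """Signals the engine evaluates (hypothetical field names)."""
    user: str
    resource: str
    sensitivity: str        # "public" | "internal" | "confidential"
    mfa_age_min: int        # minutes since the last successful MFA
    device_managed: bool    # enrolled in device management
    device_compliant: bool  # posture check: patched, encrypted, EDR healthy
    country: str            # country code derived from the source address
    user_risk: str          # identity-provider risk signal: low | medium | high


@dataclass(frozen=True)
class PolicyResult:
    decision: Decision
    reason: str
    ttl_seconds: int        # how long an enforcement point may cache this


Rule = Callable[[AccessRequest], Optional[PolicyResult]]


def _deny(reason: str) -> PolicyResult:
    return PolicyResult(Decision.DENY, reason, ttl_seconds=0)


def rule_high_risk(r: AccessRequest) -> Optional[PolicyResult]:
    return _deny("identity provider flags user as high risk") if r.user_risk == "high" else None


def rule_geo(r: AccessRequest) -> Optional[PolicyResult]:
    if r.country not in ALLOWED_COUNTRIES:
        return _deny(f"source country {r.country} outside allowed footprint")
    return None


def rule_device_posture(r: AccessRequest) -> Optional[PolicyResult]:
    # Non-public data is reachable only from a managed *and* compliant device.
    if r.sensitivity != "public":
        if not r.device_managed:
            return _deny("unmanaged device may not reach non-public data")
        if not r.device_compliant:
            return _deny("managed device failed posture check")
    return None


def rule_mfa_freshness(r: AccessRequest) -> Optional[PolicyResult]:
    max_age = MFA_MAX_AGE_MIN.get(r.sensitivity)
    if max_age is None:
        return None                      # unknown label: no opinion, default deny applies
    if r.mfa_age_min > max_age or r.user_risk == "medium":
        return PolicyResult(Decision.STEP_UP_MFA,
                            "MFA too old for this sensitivity or elevated user risk", 0)
    return None


def rule_explicit_allow(r: AccessRequest) -> Optional[PolicyResult]:
    # The only rule that can grant; it fires only for a known sensitivity label.
    if r.sensitivity not in MFA_MAX_AGE_MIN:
        return None
    ttl = 60 if r.sensitivity == "confidential" else 300
    return PolicyResult(Decision.ALLOW, "all required signals satisfied", ttl)


POLICY: list[Rule] = [rule_high_risk, rule_geo, rule_device_posture,
                      rule_mfa_freshness, rule_explicit_allow]


def evaluate(request: AccessRequest) -> PolicyResult:
    """Any deny wins, then step-up, then allow; no explicit grant means deny."""
    results = [res for rule in POLICY if (res := rule(request)) is not None]
    for wanted in (Decision.DENY, Decision.STEP_UP_MFA, Decision.ALLOW):
        matches = [res for res in results if res.decision is wanted]
        if matches:
            return PolicyResult(wanted, "; ".join(m.reason for m in matches),
                                min(m.ttl_seconds for m in matches))
    return _deny("no rule granted access (default deny)")


def demo() -> list[PolicyResult]:
    """Constructed scenario: one user, one confidential resource, changing signals."""
    base = dict(user="alice", resource="hr-payroll-db", sensitivity="confidential",
                mfa_age_min=5, device_managed=True, device_compliant=True,
                country="US", user_risk="low")
    return [
        evaluate(AccessRequest(**base)),                                  # allow
        evaluate(AccessRequest(**{**base, "device_compliant": False})),   # deny: posture
        evaluate(AccessRequest(**{**base, "mfa_age_min": 90})),           # step-up MFA
        evaluate(AccessRequest(**{**base, "country": "XX", "sensitivity": "public"})),  # deny: geo
    ]


if __name__ == "__main__":
    for res in demo():
        print(f"{res.decision.value:12} ttl={res.ttl_seconds:<4} {res.reason}")
```

The ordering in `evaluate` is the important design choice: a single failing signal is enough to deny even when every other rule would have granted, and the only way to get an allow is for an allow rule to fire explicitly, so adding a new sensitivity label without adding policy for it leaves that data unreachable rather than silently open.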
Data at the center of protection
Zero Trust shifts from a location-centric model, which no longer fits a remote workforce, to a data-centric one. Implementing controls between users, systems, data, and your organizational assets is critical to mitigating risk. Today’s digitally driven economy runs on digital platforms and technologies and is supported by a workforce that is no longer geographically constrained. Your security model shouldn’t be either.
Organizations should adopt a Zero Trust security model built on principles and practices that put data at the center of protection efforts and abandon the legacy distinction between internal and external threats. Every access request can pose a threat and should be treated as such. Adversaries are ultimately after the data, and that is where security efforts should be prioritized. Adopting a Zero Trust model brings organizations closer to that reality.