No, Zero Trust Isn't Impossible - Here's How to Achieve It

If you missed it the first time around, Zero Trust, at its simplest, is a model for information security – one that denies access to data until the user, device or network is proven to be legitimate.

Zero Trust works by enforcing three core principles across IT security applications:

1. Nobody is trusted as a default setting
2. Users have least privilege access to perform only the tasks they need and no more
3. Constant security monitors a wide variety of parameters changes and denies access in response to user/network changes

Zero Trust: From buzzword to key security concept

The Zero Trust model was initially popularized by Forrester in 2010, but it quickly fell out of favor among senior IT leaders and enterprises for several reasons:

• The risk of technical misinterpretation: Zero Trust has often been incorrectly interpreted to mean not trusting anyone under any circumstances
• Marketing buzzwords: The tendency to throw around the ‘Zero Trust’ term in marketing led to increased skepticism and rejection of the concept

By the mid-to-late 2010s, Forrester had revisited the concept with Zero Trust eXtended (ZTX), doubling down on data protection along with integration for a single view of the business and its sprawling IT ecosystem. Even then, they remained focused on micro-perimeters, before the trend toward perimeter-less security won favor among CISOs and IT operators.

Fortunately, now that IT security has matured and the CISO role is more formalized across enterprises, the value proposition of modern Zero Trust in a cloud-centric environment is clearer.

What is the modern definition of Zero Trust?

Today, the concept, if not the phrase “zero trust” itself, is used by the likes of the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). They promote it as an agnostic maturity model to measure business readiness to defend itself against cyberattacks and ensure data is accessedproperly through valid network and component relationships, workflow planning and secure policies.

The aim of Zero Trust is to reduce the number of weak points (accounts, supervisor accounts and passwords) and attack vectors to as close to zero as possible. The fewer there are, the less risk.

In the IT world, firms use segmentation and rules-based approaches, often powered by machine learning, to eliminate weaknesses, making use of Identity Access Management (IAM) and Privileged Access Management (PAM) tools to bring existing IT on-premises systems up to speed.

As mentioned, perimeter-less security is the new goal. As enterprise IT has become more cloud-centric, being perimeter-less makes more sense, with many businesses faced with a nebulous and ever-changing perimeter that is impossible to defend with traditional security tools.

Why should people reconsider Zero Trust?

There are plenty of major IT breach examples where perimeter-less security would have made a difference, which is why the institutions like NISA are exhorting governments and enterprises to adopt it. The US government initiated a major security drive following the Colonial Pipeline leak, while more recent breaches including Samsung and Okta highlight the need for live visibility into who has access to what data.

Modern perimeter-less, identity-focused security enables this, with a strong user and worker experience, providing almost frictionless access to the applications and data that they need, with no access to applications they shouldn’t be using and no ability to share data beyond rightful owners.

From this fresh perspective, enabled by a change towards identity-focused thinking, Zero Trust empowers businesses to operate using hybrid and remote working models. As trust gaps grow between multiple offices, partners and distant collaboration, they must be addressed through future-proof IT security thinking.

The benefits of Zero Trust

With the rise in remote and hybrid working, and many enterprises seeking to upgrade their applications, Zero Trust is a great framework of choice for  business or digital transformation efforts. As an IT security-led initiative, it can prevent a business from seeing reputational or financial damage from a breach long before the users are ever aware of a problem.

Zero Trust also helps as enterprises have to deal with more government or industry compliance initiatives, reducing dependence on legacy security and VPN applications, while playing a key role in updating overall business and IT security.

How to implement Zero Trust in your organization

IT and security are increasingly focused on aligning with business strategic and operational goals. A key benefit is that implementing Zero Trust as a specific strategy or as part of a wider digital or security initiative will follow the same pattern.

Start by scoping your Zero Trust initiative in terms of objectives and measurable results, build a team to implement it and follow the standard product evaluation and research tasks to identify candidates that fit with existing and planned IT.

You may find you need to convert some leaders or operators who have long-standing reasons to object to Zero Trust. A primer on the modern application and its benefits, and what it does not stand for, should help in this matter.

Then, roll out a test or trial example on a system that will deliver an easy win and proof of concept before engaging in wider deployment across the organization, measuring metrics carefully and highlighting each Zero Trust “save” as a big win against potential chaos.