There are three guarantees in cybersecurity: ransomware attacks, changing perimeters and new buzzwords. For the last decade, zero trust has been the buzzword for what every security team, tool, approach and framework should be achieving. Now, in 2021, we are seeing an onslaught of ransomware and work environments still in flux, with Forrester, NIST and everyone in between saying zero trust is the answer. But what is zero trust, actually?
In this four-part series, we cover everything from the basics of zero trust to how to build a long-lasting strategy. Buckle up, because in this post we are diving into:
- What is zero trust?
- The challenge it is solving and how to achieve zero trust
- Is this approach right for your organization?
What is zero trust?
As the name implies, zero trust is a security strategy in which no user or device is trusted by default: nothing is granted access until it has been verified and explicitly authorized, regardless of whether it sits inside or outside the corporate network.
Before we go further, it is important to highlight that zero trust is not a tool or a set of products. You can't buy zero trust. It is a framework, executed through policies that are enforced by your (often existing) tools and workflows.
Essentially, this approach takes everything we know about cybersecurity and flips it. Traditionally, the objective was to defend the perimeter: put up gates and lock the doors, and attackers would not be able to get in.
Recent breaches show that this method is not as secure as it needs to be. Security teams cannot control whether they are attacked. Zero trust instead prioritizes what teams can control, which is protecting the most valuable asset: data.
The idea is that when data and information are protected by policy at the point of access, an attacker who does get into the environment inherits no trust from being there, so the breach is contained rather than catastrophic.
The challenge it is solving and how to achieve zero trust
Past approaches lived by the motto "trust but verify": trust was granted automatically to any user or endpoint inside the perimeter. Continuous digital transformation and increasingly advanced threats add risk from malicious actors using stolen or rogue credentials, who inherit that trust the moment they are inside.
"Never trust, always verify" is the updated motto and the core of zero trust. It is achieved through continuous monitoring and validation of users, devices and privileges. Teams need to identify all service and privileged accounts and then define controls on what those accounts may connect to, and from where.
Ultimately, the goal is “to prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible.”[1] This is achieved through the following components:
Zero trust model: The commitment from the organization to deploy policies to work towards achieving zero trust.
Zero trust architecture: A cybersecurity plan based on zero trust principles, designed to prevent data breaches and limit internal lateral movement, that encompasses component relationships, workflow planning and access policies.
Zero trust enterprise: The network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as the product of a zero trust architecture plan.
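To make the "never trust, always verify" motto and the granular access-control goal concrete, here is an added example (not code from the original post, and not any product's API) of a toy policy decision point. It places a perimeter-style check, which trusts anything arriving from the internal address range, beside a zero trust check that ignores network location entirely and instead requires, on every request, a verified identity, strong authentication, a compliant device, a fresh session and an explicit per-resource entitlement. The resource names, accounts, entitlements, address ranges and sample requests are all constructed for illustration.

```python
"""Added example: perimeter trust vs. zero trust policy evaluation.

Everything here (resources, accounts, entitlements, signals, samples) is
constructed for illustration and is not a real organization's policy.
"""

from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass
class AccessRequest:
    user: str                        # identity asserted by the caller
    resource: str                    # what the caller wants to reach
    action: str                      # e.g. "read" or "write"
    src_ip: str                      # where the request arrives from
    authenticated: bool = False      # identity proven by the IdP for this request?
    strong_auth: bool = False        # MFA for humans, workload identity for services
    device_compliant: bool = False   # endpoint posture: patched, encrypted, managed
    session_age_s: int = 0           # seconds since the session was last re-validated


# Constructed least-privilege policy: per resource, which account may do what.
# Service and privileged accounts (here svc-payroll) are listed explicitly,
# so there is no implicit "anything inside may reach anything" rule.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "hr-db":      {"alice": {"read"}, "svc-payroll": {"read", "write"}},
    "build-logs": {"alice": {"read"}, "bob": {"read"}},
}

MAX_SESSION_AGE_S = 900  # re-validate every 15 minutes (constructed threshold)


def perimeter_allow(req: AccessRequest) -> bool:
    """'Trust but verify': anything on the corporate network is trusted."""
    return req.src_ip.startswith("10.")


def zero_trust_decide(req: AccessRequest) -> Tuple[bool, str]:
    """'Never trust, always verify': default deny, every request proves
    identity, authentication strength, device posture, session freshness
    and an explicit entitlement. Network location is never consulted."""
    if not req.authenticated:
        return False, "identity not verified"
    if not req.strong_auth:
        return False, "strong authentication required"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    if req.session_age_s > MAX_SESSION_AGE_S:
        return False, "session stale, re-validation required"
    allowed = POLICY.get(req.resource, {}).get(req.user, set())
    if req.action not in allowed:
        return False, f"no entitlement for {req.user} to {req.action} {req.resource}"
    return True, "allowed"


# Constructed sample requests.
# 1. Attacker on the office LAN with stolen credentials: no second factor,
#    unmanaged laptop. The perimeter model lets this straight through.
STOLEN_CREDS_ON_LAN = AccessRequest(
    user="alice", resource="hr-db", action="read", src_ip="10.1.2.3",
    authenticated=True, strong_auth=False, device_compliant=False)

# 2. Alice working from home, fully verified, asking only for what she holds.
REMOTE_VERIFIED_READ = AccessRequest(
    user="alice", resource="hr-db", action="read", src_ip="203.0.113.7",
    authenticated=True, strong_auth=True, device_compliant=True, session_age_s=120)

# 3. The same verified Alice asking for a write she was never granted.
REMOTE_VERIFIED_WRITE = AccessRequest(
    user="alice", resource="hr-db", action="write", src_ip="203.0.113.7",
    authenticated=True, strong_auth=True, device_compliant=True, session_age_s=120)

# 4. Payroll service account on a long-lived session that never re-validated.
STALE_SERVICE_SESSION = AccessRequest(
    user="svc-payroll", resource="hr-db", action="write", src_ip="10.9.0.5",
    authenticated=True, strong_auth=True, device_compliant=True, session_age_s=3600)


if __name__ == "__main__":
    for name, req in [("stolen creds on LAN", STOLEN_CREDS_ON_LAN),
                      ("remote verified read", REMOTE_VERIFIED_READ),
                      ("remote verified write", REMOTE_VERIFIED_WRITE),
                      ("stale service session", STALE_SERVICE_SESSION)]:
        print(f"{name:24} perimeter={perimeter_allow(req)!s:5} "
              f"zero_trust={zero_trust_decide(req)}")
```

The two checks disagree in exactly the ways the text describes: the perimeter check admits the attacker with stolen credentials because the request comes from an internal address, and refuses a fully verified employee working from home; the zero trust check does the opposite, and additionally denies the verified employee's out-of-scope write and the service account's stale session, because entitlement and freshness are evaluated on every request rather than once at the gate.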
Is this approach right for your organization?
To keep it simple: yes. Zero trust strategies apply to all environment types. If your organization and its environment store any valuable information, then this strategy can, and should, be implemented to reduce both the likelihood and the impact of a breach.
With that said, what are you trying to protect?
[1] NIST Special Publication 800-207: Zero Trust Architecture