Zero trust is not something you can just buy; you need to build it consistently across your organization. In a recent report, Cisco stated that nearly 90% of organizations have embraced zero trust security. But of the 4,700 global information security professionals surveyed, only 2% said they have mature implementations, with the majority (86.5%) beginning to implement some aspects of zero trust.
So where and how should organizations start with zero trust?
Zero trust is a popular marketing slogan for IT security companies, but it can be difficult to pin down its meaning. That’s because Zero Trust is not simply a solution you can buy, but rather a plan to rethink fundamental security assumptions. The current interest in it reflects a broader cultural change where companies and governments are hardening their attitudes towards risks of all kinds.
Zero trust is a security strategy that encompasses a set of security principles, including:
- Verify every time
- Use the least privileges for access
- Assume a breach has already occurred
Ultimately, the zero trust approach builds on the concept of privileged access control and adds more layers of security to build 360-degree protection. In a world where security threats have created deep paranoia, IT professionals must remove implicit ‘trust’ wherever possible. So the approach becomes ‘never trust, always verify’.
Head of Cyber Security, CSI Ltd.
Zero Trust as a framework for an IT security architecture
Zero trust is best defined as a framework to secure a complex network from internal and external threats, especially when many security incidents arise from misuse of user data.
IBM explains Zero Trust as a philosophy that assumes that every user and every connection poses a threat, and thus the corporate network needs protection against these potential risks. It includes several security measures to provide continuous network monitoring and validation to ensure that each user has the correct permissions and attributes:
- Records and inspects all corporate network traffic
- Restricts and controls access to the network
- Verifies and secures network resources
Zero trust is therefore a framework in which authentication, authorization and validation are used to secure user access from inside and outside the network, and this includes cloud-based connections and remote workers. It manages the permissions given to each device, the applications they can run, and the data they can access, store, encrypt, and transport.
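The principles above (verify every time, least privilege, assume breach) and the per-device, per-application permissions just described come together in a policy decision point that evaluates each request rather than trusting a session once established. The following is an added illustration, not code from the article, IBM, CSI Ltd. or any vendor product; the roles, devices, users, time limits and audit format are all constructed sample values chosen to show the decision logic.

```python
"""Minimal zero-trust policy decision point (added illustration, not vendor code).

Every request is checked for: a recent authentication, healthy device posture,
a least-privilege role grant, and fresh MFA for sensitive (write) actions.
Each decision, allowed or denied, is recorded so that traffic can be inspected.
All identities, devices, roles and thresholds below are constructed examples.
"""
from dataclasses import dataclass, field
from typing import Optional

# Least privilege: each role grants only the (resource, action) pairs it needs.
ROLE_SCOPES = {
    "finance-analyst": {("ledger", "read")},
    "finance-admin": {("ledger", "read"), ("ledger", "write")},
}

# Assume breach: an old verification is not trusted. Constructed thresholds.
MAX_AUTH_AGE_SECONDS = 8 * 3600          # re-authenticate after 8 hours
MAX_MFA_AGE_FOR_WRITE_SECONDS = 15 * 60  # writes need MFA within the last 15 min


@dataclass
class Identity:
    subject: str
    roles: frozenset
    last_auth_at: float              # epoch seconds of last authentication
    last_mfa_at: Optional[float]     # None if no MFA completed this session


@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool


@dataclass
class Request:
    identity: Identity
    device: Device
    resource: str
    action: str
    now: float                       # evaluation time, epoch seconds


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


AUDIT_LOG: list = []   # every decision is recorded here (in-memory for the example)


def audit(req: Request, decision: Decision) -> None:
    """Record the decision so that both allowed and denied traffic can be reviewed."""
    AUDIT_LOG.append({
        "subject": req.identity.subject,
        "device": req.device.device_id,
        "resource": req.resource,
        "action": req.action,
        "allow": decision.allow,
        "reasons": list(decision.reasons),
    })


def evaluate(req: Request) -> Decision:
    """Evaluate one request. Deny by default; allow only when every check passes."""
    reasons = []
    # 1. Verify every time: the authentication behind this request must be recent.
    if req.now - req.identity.last_auth_at > MAX_AUTH_AGE_SECONDS:
        reasons.append("authentication too old; re-authenticate")
    # 2. Device posture: unmanaged, unencrypted or EDR-unhealthy endpoints get nothing.
    d = req.device
    if not (d.managed and d.disk_encrypted and d.edr_healthy):
        reasons.append(f"device {d.device_id} fails posture check")
    # 3. Least privilege: some role of the caller must grant this exact action.
    granted = any((req.resource, req.action) in ROLE_SCOPES.get(r, set())
                  for r in req.identity.roles)
    if not granted:
        reasons.append(f"no role grants {req.action} on {req.resource}")
    # 4. Step-up: writes need fresh MFA regardless of how the session started.
    if req.action == "write":
        mfa = req.identity.last_mfa_at
        if mfa is None or req.now - mfa > MAX_MFA_AGE_FOR_WRITE_SECONDS:
            reasons.append("fresh MFA required for write")
    decision = Decision(allow=not reasons, reasons=reasons)
    audit(req, decision)
    return decision


def demo() -> dict:
    """Run four constructed requests and return which were allowed."""
    now = 1_700_000_000.0
    laptop = Device("lt-001", managed=True, disk_encrypted=True, edr_healthy=True)
    byod = Device("phone-009", managed=False, disk_encrypted=False, edr_healthy=False)
    analyst = Identity("alice", frozenset({"finance-analyst"}), now - 600, now - 600)
    admin = Identity("bob", frozenset({"finance-admin"}), now - 3600, now - 3600)
    return {
        "analyst_read_managed": evaluate(Request(analyst, laptop, "ledger", "read", now)).allow,
        "analyst_read_byod": evaluate(Request(analyst, byod, "ledger", "read", now)).allow,
        "analyst_write": evaluate(Request(analyst, laptop, "ledger", "write", now)).allow,
        "admin_write_stale_mfa": evaluate(Request(admin, laptop, "ledger", "write", now)).allow,
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Only the analyst reading from a managed laptop is allowed; the same user on an unmanaged phone is denied on device posture, a write is denied because the analyst role never grants it, and the admin's write is denied because the MFA on that session is older than the step-up window, even though the admin role itself permits it. The point of the structure is that no check is skipped because an earlier one passed: identity, device, privilege and recency are evaluated on every request.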
A zero trust approach is recommended because, with increasing remote work and so many organizations relying on the cloud for their networks, the traditional network edge has been eroded and there is a more diverse mix of users, technologies and applications that need to be secured.
Even more challenging is how traditional security policies and tools are less effective in modern IT environments, creating new headaches for security professionals.
Best practice for IT security in the cloud
Zero trust is fundamentally different from traditional privileged access management, which focuses only on the security of users within the network and does not protect against cases where a user’s credentials are misused. A zero trust approach must also protect the network from risks arising from the broader cloud-based environment.
The threats are increasing daily
Cybersecurity threats have risen to new levels since 2023, with a worrying new wave of state-sponsored cyber activities targeting institutions. Phishing remains the biggest threat and causes 90% of data breaches. Microsoft mitigated an average of 1,435 distributed denial-of-service attacks per day in 2022, an increase of 67%. As of 2023, there have been 300,000 new malware incidents every day, attempting to gain unauthorized access or disrupt IT systems. Gartner predicts that 45% of organizations will experience a cyber attack in the supply chain by 2025.
Given these frightening statistics, why are organizations so slow to adopt zero trust?
The reason for this is that zero trust requires a new security paradigm, which demands time, resources, skills and the right products. Many organizations are looking at zero trust in the context of their own cloud-connected architectures, with an extensive network utilizing public and hybrid cloud and remote working. They often have fixed compliance needs. They will typically have a mixed estate, and their old architecture does not easily support the ideas of the zero trust model. It may not support modern authentication methods or secure protocols. It may seem like an entirely new security architecture is needed.
Additionally, IT security specialists are often preoccupied with continuously monitoring and managing response to alerts. There are concerns that adding more products would make the whole setup more complex to manage and maintain.
Identity is key
As more market research emerges, analysts are increasingly drawing connections between breaches and compromised and misused privileged credentials. Reportedly, 80% of breaches target user data. Companies must therefore ensure that a robust identity strategy is at the top of their agenda. In digital transformation projects, enterprises are faced with controlling data access and security for their own employees, contractors, suppliers, customers and devices.
Identity is the ‘new’ perimeter in a cloud-native world. Accepting credentials without challenge or validation goes against industry best practices and wisdom, exposing an organization to greater risk. Identity, as shorthand for managing and validating user access and rights, remains the one constant in today’s way of working.
Finding a feasible way to build zero trust
A zero trust policy can be broken down into a number of smaller, manageable parts, based on NIST’s five-phase security model. Vulnerability scanning, attack surface management, and asset management can be grouped together and all fall under the ‘identify’ phase. Identity management and SSO/MFA fall under the ‘protect’ umbrella. Anti-malware/EDR, SIEM, MDR services, and log management all fall under the ‘detect’ umbrella.
For each phase in the model, there are one or more cybersecurity tools, such as risk-based multi-factor authentication, identity protection, endpoint security, and encryption, that can be used to build that part of the security architecture. It is useful to provide clarity and define an approach that achieves the zero trust ambition.
The most practical approach is to use the model to build zero trust around the technology and managed services you already have and do as much as you can with them.
The key to success is putting together a suite of tools from the best vendors to comply with the zero trust model without adding unnecessary complexity. You need to choose instruments that fit together and that, once operational, provide a set of levers that you can use to manage your zero trust policy on a day-to-day basis. Once you have these in place, you will be better protected and significantly reduce the risk of a cybersecurity breach.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro