Posted on November 1, 2021
The recently issued Gartner “Quick Answer” on explaining Zero Trust to technical executive leaders presents important points on examining Zero Trust concepts through a business lens. Equally, for those of us who live, eat and breathe cybersecurity, it is an essential reminder that others do not do the same, despite the daily drumbeat of news about advanced cyberattacks.
Hopefully some of the elevated attention during Cybersecurity Awareness Month served as a reminder that strong cybersecurity is, most of all, a good business practice. Adopting a Zero Trust security approach confers productivity, usability and security advantages on organizations even if they are never successfully attacked. It increases business resilience and improves organizations’ ability to rapidly adapt to the dynamic information technology landscape.
Increasing cyber-resilience – the ability to bounce back in the event of an attack – benefits organizations by minimizing operational downtime, recovery costs, costs of lost business, reputational damage and, if customer data is breached, possible legal action.
Here is our take on a number of important points from the Gartner research note.
Once an idea achieves a certain level of ubiquity, precise meanings may be lost in a haze of presumed familiarity. By now, few individuals who are concerned about threats to their business can have avoided the term “Zero Trust.” After all, a quick Google search turns up 880 million “Zero Trust” results and it is featured prominently on the home pages of every self-respecting cybersecurity industry player. Precisely because of the ubiquity of the term, however, it is unlikely that many of the places where it is featured include a precise definition of Zero Trust.
That means that most business leaders, even those who are cybersecurity-savvy, know that Zero Trust is important, but it’s likely that many do not know precisely what it is and therefore why it’s important.
Many of us have been throwing around the term “Zero Trust” for so long that we have lost sight of how puzzling – even paradoxical – it is. After all, don’t organizations want to fully trust that they are protected? When talking security with business leaders, it is therefore essential to start with the fact that almost all organizations have, until now, operated with a high degree of implicit trust. And that implicit trust is what Zero Trust aims to eliminate – zero out – in favor of explicit trust, through identity/context verification and least privilege access.
Zero Trust involves a permanent change in the way companies approach privilege and risk. Products and platforms enable the operational transformation, but the first transformation must be in mindset: Understanding what must be protected – which has changed drastically in recent years – and aligning leadership attitudes toward trust.
The real work of Zero Trust is neither conceptual nor acquisitive. It is in the nitty-gritty details of understanding workflows, classifying data and critical assets, identifying and eliminating excessive privileges, and building and implementing policies and processes that adaptively translate those understandings into controls. True commitment to a Zero Trust security approach takes time, patience, deep understanding of business processes and cooperation at every level of the organizational structure.
It stands to reason that if there are strict, well-enforced limits and conditions on which individuals and devices can access specific resources, penetration attempts are less likely to succeed. Further limitations on the specific resources available to each verified individual – AKA least-privilege access – limit the scope and severity of breaches, should they occur. Finally, the “assume breach” pillar of the Zero Trust approach is actualized through continuous monitoring and reporting.
All the checking and limiting described above to rule out implicit trust sounds like a huge task. And it is. Fortunately, once the hard work of defining flows and working out access privileges is complete, it is a task that well-implemented systems are designed to seamlessly handle through policy-driven controls. The very best systems leverage machine learning to automate policy creation and updating, reducing error and bias while freeing scarce IT resources for other tasks.
Zero Trust solutions streamline and integrate users’ access to all the assets they need, providing a consistent user experience and applying the same security controls regardless of where users and resources are located.
Given the increasingly central role that private clouds, public clouds and SaaS apps play for most businesses, and the normalization of remote work, Zero Trust security is almost universally applied at the cloud edge where resources, data and users interact. Once security is moved to the cloud edge, it is inevitable that networking controls will follow. The integration of cybersecurity and networking functions will result in significant cost savings, as will replacement of costly and inherently less secure MPLS-based WANs.
When working in any field, it is easy – natural, even – to zoom in on the details that matter. But it is also way too easy to lose sight of the larger picture, the big story that is most significant for the world at large. Zero Trust security is a big story that has profound implications for how businesses will operate for years to come. It is up to us, the industry leaders, to keep telling that broader story to the stakeholders of organizations that will benefit most from the coming cybersecurity revolution.