Ask a group of IT security professionals to give their opinion on zero trust and you’re likely to receive a range of different responses. Some see it as little more than the latest industry fad, while others consider it a ‘must have’ strategy that can aid the battle against cyberattacks.
To understand zero trust’s potential impact on an IT security infrastructure, it’s first important to understand exactly what the term means. According to analyst firm Forrester, zero trust is an information security model that denies access to applications and data by default.
Forrester goes on to say that, under zero trust, threat prevention is achieved by only granting access to networks and workloads utilising policy informed by continuous, contextual, risk-based verification across users and their associated devices.
The three pillars
In essence, a zero-trust strategy is built on three fundamental pillars of understanding. The first is that all entities are untrusted by default and security teams should assume that a breach is inevitable or has already taken place.
The second pillar is that least-privilege access needs to be enforced at all times. The identity of every application or user requesting access must be confirmed each time they make a request.
Thirdly, a system of comprehensive security monitoring is required. This will allow an organisation’s security team to ensure that every action is logged and analysed to determine whether or not it poses a threat to the infrastructure.
Why zero trust is needed right now
The need for zero trust comes from the fact that the vast majority of security incidents stem from credential theft or phishing attacks. Attackers are no longer trying to brute-force their way into a target infrastructure but instead are looking for legitimate keys that will allow them to essentially use the front door.
Another driver has come in the form of heightened government awareness of the issue. Following some high-profile attacks against public infrastructure in recent years, governments around the world are looking for ways to ensure that security defences are increased and levels of potential risk are reduced.
A third driver is the changed conditions that exist in the wake of the global pandemic. Workforces are now much more distributed and are likely to remain that way for years to come. As a result, organisations need to find more effective ways to protect IT infrastructure and users regardless of their physical location.
A journey rather than a destination
When considering a zero-trust strategy, it can be tempting for an organisation to think of it in terms of a set of products or tools that overcome a particular challenge. They may believe that, by investing in the right technologies, they will be able to achieve the level of protection required.
Reality, however, is somewhat different. Zero trust is actually an ongoing journey during which elements and approaches need to be constantly evaluated and refined.
Any organisation that believes it can deploy a set of tools and the job will be done is being misled. A longer-term journey will be needed during which additional components may be required and existing security measures amended to ensure there is a robust level of protection in place.
Undertaking a zero-trust strategy
For many organisations deciding to embrace the concept of zero trust, the first question to arise is where to begin. They need to decide what changes need to be made to existing security measures and where additional capabilities need to be incorporated.
The initial step is to gain a clear understanding of exactly what digital assets need to be protected. Critical assets need to gain the most attention, followed by those which are deemed ‘important’ and then those which are ‘standard’ in nature.
The way in which those assets are accessed then needs to be reviewed. A clear understanding of who needs to access these assets and through which avenues is required to ensure that other parties are locked out.
When these steps have been completed, technical measures can be put in place that, together, can create a zero-trust environment. Only those parties with specific permission are able to access assets and do so after confirming their identity each and every time.
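To make the three pillars and the steps above concrete, here is a small policy decision point written as an added example for this article; it is not code from the article, from Forrester, or from any product. It assumes a constructed asset inventory with the three tiers named above (critical, important, standard), a per-request verification flag, a contextual risk score whose weights and per-tier limits are illustrative choices, and an in-memory audit log that stands in for the monitoring pillar. Nothing is allowed unless an entitlement exists, the identity is verified on this request, and the risk is within the tier's limit.

```python
"""Illustrative zero-trust policy decision point (added example, not from the article).
Pillar 1: deny by default.  Pillar 2: least privilege, identity verified per request.
Pillar 3: every decision is logged and can be analysed afterwards."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Risk a request may carry and still reach an asset of this tier (assumed values).
TIER_MAX_RISK = {"critical": 20, "important": 50, "standard": 80}

# Constructed inventory from the "what to protect" and "who accesses it, via which
# avenue" steps.  Any (user, channel) pair not listed is locked out.
ASSETS = {
    "payroll-db": {"tier": "critical",
                   "allowed": {("alice", "vpn"), ("alice", "office-lan")}},
    "wiki": {"tier": "standard",
             "allowed": {("alice", "vpn"), ("bob", "vpn"), ("bob", "office-lan")}},
}

@dataclass
class Request:
    user: str
    asset: str
    channel: str            # avenue of access: vpn / office-lan / internet
    token_valid: bool       # identity freshly verified for THIS request
    device_compliant: bool  # device posture reported by management tooling
    mfa_age_minutes: int    # minutes since last strong authentication
    new_location: bool      # user has not been seen from this location before

@dataclass
class Decision:
    allowed: bool
    reason: str
    risk: int

AUDIT_LOG: list[dict] = []

def risk_score(req: Request) -> int:
    """Contextual, risk-based score; higher is riskier.  Weights are illustrative."""
    score = 0
    if not req.device_compliant:
        score += 40
    if req.mfa_age_minutes > 60:
        score += 30
    if req.new_location:
        score += 25
    if req.channel == "internet":
        score += 20
    return score

def evaluate(req: Request) -> Decision:
    """Start from 'deny', and only flip to 'allow' when every check passes."""
    decision = Decision(False, "default deny", 0)
    asset = ASSETS.get(req.asset)
    if asset is None:
        decision.reason = "unknown asset"
    elif not req.token_valid:
        decision.reason = "identity not verified for this request"
    elif (req.user, req.channel) not in asset["allowed"]:
        decision.reason = "no entitlement for this user via this channel"
    else:
        decision.risk = risk_score(req)
        limit = TIER_MAX_RISK[asset["tier"]]
        if decision.risk > limit:
            decision.reason = f"risk {decision.risk} exceeds {asset['tier']} limit {limit}"
        else:
            decision.allowed = True
            decision.reason = "verified, entitled, risk within tier limit"
    # Pillar 3: record every outcome, allowed or not.
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": req.user,
                      "asset": req.asset, "channel": req.channel,
                      "allowed": decision.allowed, "reason": decision.reason,
                      "risk": decision.risk})
    return decision

def denials_by_user(log: list[dict]) -> dict[str, int]:
    """Simple analysis over the audit log: how many denials each identity collected."""
    counts: dict[str, int] = {}
    for entry in log:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts

def run_demo() -> list[Decision]:
    """Constructed requests covering the allow path and each denial path."""
    AUDIT_LOG.clear()
    requests = [
        Request("alice", "payroll-db", "vpn", True, True, 5, False),    # allowed
        Request("alice", "payroll-db", "vpn", True, True, 120, False),  # stale MFA on critical
        Request("bob", "payroll-db", "vpn", True, True, 5, False),      # no entitlement
        Request("bob", "wiki", "vpn", True, False, 120, True),          # risk 95 > 80
        Request("bob", "wiki", "vpn", True, True, 90, True),            # risk 55, allowed
        Request("alice", "wiki", "vpn", False, True, 5, False),         # not verified
    ]
    return [evaluate(r) for r in requests]

if __name__ == "__main__":
    for d in run_demo():
        print(d)
    print(denials_by_user(AUDIT_LOG))
```

The point of the structure is that the allow branch is the last thing reached: a new check is added as another `elif`, and forgetting one can only produce a denial, never an accidental grant. In a real deployment the inventory, device posture and MFA age would come from the identity provider and endpoint management system rather than from the request itself.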
Maintaining the strategy
Once a zero-trust framework is in place, an organisation needs to manage and monitor it to ensure effective protection is maintained. At this point, automation tools can be used to streamline processes and take some of the pressure off IT security teams.
At all times, there needs to be a process of continuous evaluation of the effectiveness of all measures in place to ensure they are delivering the level of IT security the organisation requires.
A zero-trust strategy has much to offer organisations as they strive to prevent cyberattacks and disruptions. By taking the time to understand what is required, and following the steps needed to achieve the goal, they can be much better prepared for any threats that may arise in the future.