Zero Trust vs. Too Much Trust
In a Zero Trust relationship, it’s not you, it’s me. Or more accurately – it’s not you, it’s the business necessity of keeping information and identities protected within an organization at all costs. Zero Trust is a framework built around the premise of continuous validation: always questioning who someone is and what they want to do. While this may sound like the ending to a bad relationship, the model has quickly become mainstream, along with the technologies that support it. Its popularity can be attributed in large part to the growing number of data breaches that occur despite an organization’s efforts to allocate trust based on internal and external network verification. So why are organizations rushing to throw their trust out the window?
While an organization’s greatest asset is its people, these assets also pose the greatest risk. Compromised accounts and user identities remain the number one avenue cybercriminals are using to gain access to company data, and it’s no longer safe to assume that everything inside the internal network is secure. Even with sophisticated security measures to guard an organization’s perimeters, a risk of being hacked still exists, and proper precautions need to be taken to ensure that hackers don’t have free rein over critical internal systems once they breach the firewall. IT leaders should start by reconsidering the way they think of networks. Organizations are evolving to support the changing workforce dynamic, and this means understanding that environments are now made up in large part of cloud applications being accessed by complex user groups (employees, contractors, vendors, partners) from a multitude of devices in a variety of places. An organization’s security framework should reflect this modernization. Enter Zero Trust.
Business Value & Functionality of Zero Trust
Before we break down the business value of Zero Trust, let’s take a look at the two primary forms of functionality and how Zero Trust works:
- Verifying who someone is (creating authorization policies that include intelligent information about who a user is, such as what device they are using or where they are logging in from)
- Verifying what they are doing or trying to do (including behavioral patterns)
Applying intelligent context about users that is specific to each access attempt moves your security posture from being based on a static rule to real-time analysis of attributes for validation. Zero Trust starts from the notion of not trusting any user and builds trust by continually asking questions (think of an early-stage relationship and the game of 20 questions…). In addition, it operates on the concept of allotting users the least amount of access they need to carry out their job responsibilities. An employee in Marketing should not need access to applications in Payroll, and an attempt to reach them should be flagged. These policies are enforced by leveraging micro-segmentation and granular perimeter enforcement based on users, their locations, and other data deemed pertinent by the administrator.
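The per-request evaluation described above, sketched as an added example that is not part of the original article. The department entitlements, device IDs, usual countries, and the rule that one anomaly triggers step-up authentication while two deny are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy data (assumptions, not from the article).
ENTITLEMENTS = {"marketing": {"cms", "crm"}, "payroll": {"payroll-app"}}
MANAGED_DEVICES = {"LT-0042", "LT-0077"}
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    department: str
    app: str
    device_id: str
    country: str


def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Decide one request from its own attributes; no trust carries over."""
    # Least privilege: an app outside the user's role is denied and flagged.
    if req.app not in ENTITLEMENTS.get(req.department, set()):
        return "deny", ["app-outside-role"]

    # Context checks: the device in use and where the login comes from.
    # Unknown users have no usual countries, so they fail closed here.
    flags = []
    if req.device_id not in MANAGED_DEVICES:
        flags.append("unmanaged-device")
    if req.country not in USUAL_COUNTRIES.get(req.user, set()):
        flags.append("unusual-location")

    # Assumed rule: one anomaly asks for step-up (e.g. MFA), two deny.
    if not flags:
        return "allow", flags
    return ("step_up" if len(flags) == 1 else "deny"), flags


if __name__ == "__main__":
    samples = [
        AccessRequest("alice", "marketing", "cms", "LT-0042", "US"),
        AccessRequest("alice", "marketing", "payroll-app", "LT-0042", "US"),
        AccessRequest("alice", "marketing", "crm", "BYOD-1", "FR"),
    ]
    for r in samples:
        print(r.user, r.app, evaluate(r))
```

Every call is evaluated from scratch, so a request that was allowed a minute ago from a managed laptop is re-checked when the same user appears on a different device or in a different country.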
The Case for Zero Trust
So why should an organization enter into a relationship with Zero Trust? We live in an era when security breaches are running rampant, internal users are struggling to maintain even basic security habits such as password management, and the fines for a breach can be devastating (not to mention the damage to a company’s reputation). As such, an organization must put the best interests of user information and the shareholders above its trust. While this ideology may seem like a flawed relationship, it is quickly becoming the new standard for best business practice to promote good security posture. While adopting a Zero Trust framework is a large undertaking that takes effort, many organizations have already begun implementing the technologies that pave the way – such as MFA and IAM. By leveraging the solutions that are already in place, extending them cohesively across the entire environment, and bridging any gaps with complementary technologies of the same framework, organizations can realize the benefit of a Zero Trust philosophy. The transition does not happen overnight, however, and the more complex the IT environment, the longer an organization can expect to spend in the transition period. This is particularly true of companies heavily invested in legacy systems. Aside from the obvious complexities of choosing, implementing, and synthesizing technologies specific to this framework, one of the most difficult parts of shifting to Zero Trust is getting the IT staff on board with this radical new way of thinking. It’s no longer feasible for an organization to exist blissfully under the assumption that it is protected behind its ‘castle’ firewall.
Zero Trust is not only a modern framework to help ensure the IT security of an organization, but it’s also a roadmap for implementing the technologies necessary to maintain a secure and efficient organization that can keep pace with the digital transformation of a business in the 21st century!