By Pragati Verma, Contributing Editor, Straight Talk
Faced with rising cyberthreats and the need to protect their increasingly remote workforce, organizations are turning to a zero-trust strategy.
More than 90 percent of the organizations polled by Osterman Research reported plans to deploy a zero trust architecture enterprise-wide or within multiple business units. Enterprises are not the only ones changing their security strategy. The US Office of Management and Budget has also announced a zero-trust framework for all federal networks and systems.
Covid-19 and the resultant acceleration in digital transformation have increased the demand for trust, according to Frank Dickson, Program Vice President, Security and Trust, IDC. During a podcast How to Build Trust in the Current Threat Landscape, he says,” When Covid hit, we had a re-architecture of our priorities because the first thing CEOs wanted was to maintain business operations. After we made it through that crisis, trust programs have become a top priority.”
What is Zero Trust
Zero Trust starts with the assumption that all network traffic, no matter its pedigree, may be malicious. This amounts to treating every user, every device, and every service that requires access to an organization’s network as hostile, until proven otherwise.
In its report titled, The Definition of Modern Zero Trust, Forrester analysts explain, ”Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices.”
According to Forrester, Zero Trust advocates three core principles:
- All entities are untrusted by default
- Least privilege access is enforced
- Comprehensive security monitoring is implemented
What It isn’t
The concept sounds simple, but seems to be causing a lot of confusion. In a blogpost, Forrester’s senior research analyst David Holmes and senior analyst Jess Burn writes, “At the beginning of 2022, Zero Trust faces a bizarre dichotomy; it’s on the verge of becoming the de facto cybersecurity approach while simultaneously having many security practitioners decry it as “just a marketing ploy.” How did we, as the security community, arrive at such a precarious perch?”
A big part of the problem is that vendors are shaping the narrative “from their highly subjective, self-serving perspective.” One of the biggest challenges facing Zero Trust adoption is a lack of clarity on what it isn’t.
“Zero trust is a way of thinking, not a specific technology or architecture,” writes Gartner Distinguished VP Analyst Neil MacDonald in the research firm’s article New to Zero Trust Security? Start here. “It’s really about zero implicit trust, as that’s what we want to get rid of.”
One key point, according to the Forrester analysts, is that it isn’t a security awareness and training strategy. They explain, “There’s no need for the vast majority of end users in an organization to have any familiarity with this concept at all. Pushing Zero Trust concepts to end users will likely backfire from an awareness and training perspective as the perception of having “zero trust” implies a lack of trust in employees.”
A New Roadmap for Security
The big question facing organizations new to the concept is, how to start deploying the Zero Trust architecture. John Watts, Sr Director, Analyst, Gartner offers advice in a podcast Prepare Your Organization for Zero Trust, “Don’t start with a project. The way you want to do is to start with a strategy and that strategy will lay a foundation.”
According to Mr Watts the foundation of Zero Trust is based on identity. “Lots of zero trust concepts in the security policies are built around the concept of an identity and knowing who somebody is with some assurance and being able to add context to that.”
He goes on to recommend a network-related security project: “From a network perspective, one of the first [project]we see is Zero Trust Network access. It is designed to replace wide open VPNs — legacy VPNs that allow anyone who is plugged to be connected. It’s a fairly low-hanging fruit for many organizations. It allows them to gain some Zero Trust capabilities and replace something that may be legacy at the same time.”
It’s a journey
Despite the excitement around the concept, analysts warn that organizations working toward Zero Trust might never achieve it.
“Getting to 100 percent is not the end-goal. It’s more of a journey than a destination. Along the way, we are going to improve the processes, improve our security posture, reduce risk, and make improvements overall. That vale in pursuing Zero Trust mindset is really in how you apply these principles and how you work to produce that implicit trust and improve your risk posture,” sums up Gartner’s Watts.