With millions of employees across the U.S. experimenting with work-at-home scenarios for the first time, many organizations are taking a fresh look at a Zero Trust security strategy. A convergence of trends and technologies, combined with a new awareness of the risks of relying solely on perimeter defenses for protection, may make this the right time for Zero Trust to go mainstream.

IT security has traditionally been based upon a perimeter defense model, like the moat-ringed castles and walled cities of the Middle Ages. The idea is to keep intruders out of the shared space while assuming those inside the walls can be trusted enough to roam (more or less) freely.

The perimeter security strategy has been under siege for years thanks to the proliferation of connected devices that networks must now accommodate. Recent events have further underscored the limitations of perimeter defenses as IT organizations have struggled to accommodate a sudden surge of remote workers connecting for the first time from home computers that are outside of IT’s control.

Trust No One

Zero Trust flips traditional cybersecurity on its head by assuming that no one can be trusted. While that may sound a bit draconian, it’s actually easier for everyone when done right.

Not that it’s easy. To make Zero Trust work, adopters need to make an organizationwide commitment. They need to catalog all of their IT and data assets and assign access rights based upon roles. In the process, they need to lock down some common vulnerabilities. For example, web servers should never be permitted to talk directly to other web servers and should only communicate with application servers through specified ports.

Data also needs to be classified. Some information, such as the company softball team’s schedule, may require no protection at all. Trade secrets and other proprietary data require multiple levels of authentication, with access limited to a restricted class of users.

Networks need to be segmented to prohibit lateral movement, which has long been the culprit in big data breaches. Workloads have to be isolated from each other and protected as they move across virtual machines and cloud servers. Managing such an environment has been a daunting task until recently, but the landscape is changing.
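The web-server rule and the segmentation described above can be expressed as a default-deny check over observed flows. This is an added example, not part of the original article; the tier names, addresses, ports and flow records are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical allow-list: (source tier, destination tier) -> permitted TCP ports.
# Any pair not listed is denied, which includes web -> web.
ALLOWED = {
    ("web", "app"): {8443},
    ("app", "db"): {5432},
}

# Constructed asset catalog: every host must be classified into a tier.
TIER = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def evaluate(flow):
    """Return (allowed, reason) for one flow under a default-deny policy."""
    src_tier, dst_tier = TIER.get(flow.src), TIER.get(flow.dst)
    if src_tier is None or dst_tier is None:
        return False, "unclassified asset"
    ports = ALLOWED.get((src_tier, dst_tier))
    if ports is None:
        return False, f"no rule for {src_tier} -> {dst_tier}"
    if flow.port not in ports:
        return False, f"port {flow.port} not permitted for {src_tier} -> {dst_tier}"
    return True, "allowed"

def violations(flows):
    """Collect every flow the policy would deny, with the reason."""
    return [(f, reason) for f in flows for ok, reason in [evaluate(f)] if not ok]

# Constructed flow records, e.g. as exported from flow logs.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 8443),  # web -> app on the specified port
    Flow("10.0.1.10", "10.0.1.11", 22),    # web -> web: lateral movement
    Flow("10.0.1.10", "10.0.2.20", 22),    # web -> app on an unapproved port
    Flow("10.0.1.11", "10.0.3.30", 5432),  # web -> db: skips the app tier
    Flow("10.0.9.9", "10.0.2.20", 8443),   # source missing from the catalog
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.port} ({reason})")
```

Running such a check against existing flow logs before enforcement shows which current traffic a segmentation policy would break and which hosts still need to be cataloged.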

Examples of Zero Trust

The first important development is that multifactor authentication (MFA) is finally going mainstream, with business adoption growing to 57 percent last year — compared to 45 percent the year before — according to LastPass. MFA uses secondary and even tertiary forms of authentication, ranging from hardware devices to codes texted to a cell phone. While not perfect, it’s a huge step beyond the rudimentary password security that long ago ceased to be effective.

A major technology development is the maturation of software-defined networking (SDN), in which network management moves out of physical firewalls and switches and into software. Network segmentation is far easier to implement in an SDN network because segments are defined by software and managed by policies. A recent Verizon study found that 57 percent of organizations expect to implement SDN within two years — up from just 15 percent that have adopted it today.

A third important development is the arrival of robust identity and access management (IAM) systems. These software platforms, which are typically delivered as a service, create federated identities that travel with users throughout the corporate network and cloud applications. IAM enforces authentication policies defined by the organization. Users sign on once to reach most of their applications, relieving them of the need to track multiple logins and passwords.

Zero Trust Doesn’t Happen Overnight

Zero Trust isn’t simple to implement. The ideas above can help your organization start in the right direction, but don’t beat yourself up if you can’t overhaul your strategy in a month or even a quarter. It took Lexmark two years to completely overhaul its network serving 8,500 users around Zero Trust principles, according to Silicon Angle.

The process required classifying all of the company’s data and IT assets and closing holes like default administrative rights on personal computers. Chief information security officer (CISO) Bryan Willett spent a lot of time explaining the decision to skeptical users, but the results have been worth it. It’s now easier for them to get the data they need, and the company’s security readiness score, as measured by a third-party service, has jumped significantly.

As organizations prepare for whatever business disruptions may lie ahead, a Zero Trust model may give them one less thing to worry about.
