The remote work era makes the zero trust model critical for most businesses. The time has come to use it. But first, let’s understand what it really is and why the hybrid and remote work trend makes it all but mandatory.

What is zero trust?

Zero trust is not a product or a service, but an idea or a strategy. Instead of relying on a perimeter (for example, a firewall), every user, device and app must be verified for every instance of access.

Related concepts include strong user identity, machine identification, network segmentation and policy compliance.

A student at the U.K.’s University of Stirling named Stephen Paul Marsh coined “zero trust” in his doctoral thesis in 1994. Later, the concept was briefly called de-perimeterization and perimeterless network architecture. In the end, the phrase zero trust became the most widely accepted term. Industry guidelines like Forrester eXtended, Gartner’s CARTA and NIST SP 800-207 further refined ideas and definitions around it.

Why remote and hybrid work demands zero trust

When the pandemic began, employees started working from home in their millions. It didn’t take long for threat actors to realize that the best way to break in was to enter through remote workers’ virtual private network (VPN) connections.

Each work-from-home employee, hybrid worker and digital nomad represents an expansion of the attack surface and new openings for attackers. An organization might be looking at dozens, hundreds or thousands of such employees. So, the attack surface becomes too large for older security models.

How to think about zero trust

Zero trust replaces an outdated idea. That idea? The assumption that everything ‘inside’ is trustworthy by default and that only outsiders pose threats. First, the solution was firewalls to create a perimeter. Then, VPN enabled remote employees to ‘tunnel’ into the perimeter.

This perimeter-centric view is outdated for many reasons. The rise of arbitrary mobile and wearable devices, cloud computing and the Internet of Things has eroded it. Now, above all, the hybrid and remote work trend has, too. Zero trust also accepts that threats often start inside the walls. Plus, cyberattacks are becoming more high-tech all the time. (There’s still a place for firewalls in zero trust networks, just not for perimeter security.)

At a high level, zero trust best practices start with several elements: the identification of critical assets, the establishment of strong identity systems for users, devices and apps, and the use of micro-segmentation. First, you need to create micro-perimeters on the networks and restricted access zones inside data centers and cloud environments. These control which people, devices and applications are permitted to access each segment, zone and resource. Beyond access restrictions, the hunt for intrusions and malware takes place through ongoing encrypted traffic inspection and analysis.

Process or policy?

The zero trust methodology enforces what used to exist in policies. In the past, company policies might say that only employees should access company resources. These employees had to use approved devices and apps. Policies might also call for employees to avoid rummaging through data beyond their purview.

Policies are great. The trouble is that they only guarantee security to the extent that people follow them.

Zero trust puts all-day, everyday enforcement of those policies into practice. The right people access the right resources using the right devices and applications. After all, only they have permission to do so. The default is that every person, device and app is blocked from accessing every part of the network and everything on those parts until the person, device and app are all authorized.

Attackers are stymied at every turn in a zero trust network. Even if they can trick or work around user authentication, their device will be denied access. Zero trust also narrows employee behavior. If one staff member decides to use an insecure app, that app won’t be allowed, even if they’re an authorized user on an authorized device.

The zero trust network architecture also helps with compliance auditing. It allows for improved visibility into user activity, device access and location, credential privileges, application states and other key factors. It also provides more data on which specific network resources have and have not been breached. Both of these are important for success.
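The default-deny rule and audit visibility described above, as an added example that is not part of the original article: a policy decision point grants access to a segment only when the user, the device and the app are all on that segment's allow list, and records every decision. The class names, the allow-list policy shape and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    app: str
    segment: str

@dataclass(frozen=True)
class SegmentPolicy:
    users: frozenset
    devices: frozenset
    apps: frozenset

@dataclass
class PolicyDecisionPoint:
    policies: dict                      # segment name -> SegmentPolicy
    audit_log: list = field(default_factory=list)
    def decide(self, req):
        """Return (allowed, failed_checks); anything not explicitly allowed is denied."""
        policy = self.policies.get(req.segment)
        if policy is None:
            failed = ["segment"]        # no policy for this segment: default deny
        else:
            checks = (("user", req.user, policy.users),
                      ("device", req.device, policy.devices),
                      ("app", req.app, policy.apps))
            failed = [name for name, value, permitted in checks if value not in permitted]
        allowed = not failed
        self.audit_log.append((req, allowed, tuple(failed)))  # every decision is recorded
        return allowed, failed

def evaluate_samples():
    """Run constructed requests (all names hypothetical) through a one-segment policy."""
    pdp = PolicyDecisionPoint({"payroll-db": SegmentPolicy(
        users=frozenset({"alice"}), devices=frozenset({"laptop-0042"}),
        apps=frozenset({"payroll-client"}))})
    samples = [
        Request("alice", "laptop-0042", "payroll-client", "payroll-db"),  # all authorized
        Request("alice", "unknown-pc", "payroll-client", "payroll-db"),   # valid user, unknown device
        Request("alice", "laptop-0042", "file-sync-tool", "payroll-db"),  # unapproved app
        Request("alice", "laptop-0042", "payroll-client", "hr-share"),    # segment without policy
    ]
    return [pdp.decide(r) for r in samples], pdp.audit_log

if __name__ == "__main__":
    for req, allowed, failed in evaluate_samples()[1]:
        print("ALLOW" if allowed else "DENY ", req, failed)
```

The audit log keeps the failed check for each denial, which is the kind of per-request record the compliance point above relies on.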

Outsourced or in-house?

A zero trust network architecture represents a pretty radical departure from perimeter security. The decision over which parts to outsource and which to keep in-house depends on whether staff has experience with the elements of zero trust. It also depends on how well you’ve staffed in general.

It’s reasonable to outsource many parts of the transition. Then, after learning more, bring some parts in-house, depending on what makes sense for your needs. But even if you’re inclined to keep security work in-house, you might want to consider outsourcing to help with the transition.

The human element

Express the move to zero trust as part of the wider conversation about the new workplace. As we continue to adapt to remote and hybrid work, employees should be included as partners in this transition. Zero trust security is part of that.

Zero trust will impact all employees in multiple ways, including inconvenience in their workday and a learning curve up front. That’s why it’s super important to express the benefits, the link to hybrid and remote work and the impracticality of sticking with yesterday’s perimeter security mindset.

For many organizations — especially those fully embracing remote and hybrid work — zero trust is no longer an option. It’s time to trust it.
