How do you secure something that no longer exists? With the rapid expansion of hybrid-remote work, IoT, APIs and applications, any notion of a network perimeter has effectively been eliminated. Plus, any risk inherent to your tech stack components becomes your risk whether you like it or not.
Organizations of all sizes are increasingly vulnerable to breaches as their attack surfaces continue to grow and become more difficult, if not impossible, to define. Add geopolitical and economic instability into the mix, and the danger of cyberattacks has become alarmingly high. From a debilitating ransomware strike to the exfiltration of sensitive customer data, the risks are tangible and potentially devastating.
Given the current context, zero trust has emerged as the dominant security strategy. The fundamental idea behind zero trust is simple: trust nothing; verify everything. Zero trust enables organizations to adopt a holistic security approach that verifies the identity and trustworthiness of every user, device and system before, and while, it interacts with their networks and data. As attacks continue to escalate, companies are realizing that zero trust is becoming essential for business survival.
As with any substantial strategy change, implementing zero trust can be difficult. While many companies have started the journey, few have successfully implemented an organization-wide zero trust security approach. In fact, Gartner predicts only 10% of large enterprises will have a mature and measurable zero trust program in place by 2026.
Are there any ways to facilitate a faster move to zero trust?
Moving forward on zero trust security
Zero trust is more a security philosophy than a security architecture. For this reason, a successful transition to zero trust security requires strong leadership. Business leaders must avoid the misconception that zero trust is just another set of security tools. Done correctly, adopting zero trust means taking charge of a new core security strategy for the entire organization, and that requires someone to own driving the change.
How critical is the need for this new approach? The Pentagon plans to implement a zero trust architecture across its entire enterprise by 2027, according to Department of Defense CIO John Sherman. This is further backed by an announcement from the Executive Office of the President about government-wide zero trust goals. Top-level buy-in is essential to move forward with zero trust implementation.
Key concepts of zero trust governance
As the perimeter model for security has become obsolete, context has emerged as the most viable way to envision secure networks and data. The question is who (or which software or machines) should have access to what, when and for how long? Zero trust mandates that security teams capture and use information from across the business to create context. This enables quick and automated decision-making about each connection's trustworthiness. And given today's attack surface fluidity, evaluation must be continuous and automated, increasingly with AI assistance.
Organizations frequently drop the ball on zero trust because they fail to grasp the underlying governance required. Once these concepts are fully understood, the right tools can be selected to make zero trust a reality.
A zero trust governance model is determined by:
- Context definition. Context means understanding users, data and resources to create coordinated security policies aligned with the business. This process requires discovering and classifying resources based on risk. From there, resource boundaries are defined and users are classified according to roles and duties.
- Verification and enforcement. By quickly and consistently validating context and enforcing policies, zero trust provides adaptable but secure protection. This requires continuously monitoring and validating every access request against policy conditions, typically with automated (often AI-assisted) tooling, so that the right access is granted quickly and consistently to the right resources.
- Incident resolution. Resolving security violations through targeted actions helps reduce the impact on business. This requires preparation and context-specific action, such as revoking access for individual users or devices, adjusting network segmentation, quarantining users, wiping devices, creating an incident ticket or generating compliance reports.
- Analysis and improvement. Continuous improvement is achieved by adjusting policies and practices to make faster, more informed decisions. This requires continuous evaluation and adjustment of policies, authorization actions and remediation tactics to secure each resource.
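The four governance elements above map directly onto what a policy decision point actually does for each request: classify the resource and the user (context), check the request against policy conditions including device state and how long since the identity was verified (verification and enforcement), and return a context-specific response when access is denied (incident resolution). The following is an added example, not code from the article or any product; the resource classifications, role entitlements, session-age limits and remediation actions are illustrative assumptions.

```python
"""
Added example (not from the original article): a minimal zero trust policy
decision point that evaluates each access request against context rather
than network location.  All classifications, entitlements, thresholds and
remediation actions below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Context definition: resources discovered and classified by risk (assumed).
RESOURCE_RISK = {"payroll-db": "high", "build-server": "medium", "wiki": "low"}

# Users classified by role, with the resources each role may reach (assumed).
ROLE_ENTITLEMENTS = {
    "finance": {"payroll-db", "wiki"},
    "engineer": {"build-server", "wiki"},
}

# "For how long": maximum age of the last identity verification, by risk tier
# (assumed policy; higher risk means more frequent re-verification).
MAX_SESSION_AGE = {
    "high": timedelta(minutes=15),
    "medium": timedelta(hours=1),
    "low": timedelta(hours=8),
}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    device_managed: bool      # enrolled in device management
    device_compliant: bool    # passes posture checks (patched, disk encrypted, ...)
    mfa_verified: bool
    last_verified: datetime   # when the identity was last strongly verified
    now: datetime             # passed in explicitly so decisions are reproducible


@dataclass
class Decision:
    allow: bool
    reason: str = ""
    action: str = "none"      # incident-resolution step taken on denial


def decide(req: Request) -> Decision:
    """Evaluate one request; fail closed on the first policy condition that is not met."""
    risk = RESOURCE_RISK.get(req.resource)
    if risk is None:
        # An unclassified resource has no policy, so it gets no access.
        return Decision(False, "resource not classified; default deny", "open_ticket")
    if req.resource not in ROLE_ENTITLEMENTS.get(req.role, set()):
        return Decision(False, f"role {req.role!r} is not entitled to {req.resource!r}", "open_ticket")
    if not req.mfa_verified:
        return Decision(False, "MFA not verified", "reauthenticate")
    if risk in ("high", "medium") and not req.device_managed:
        return Decision(False, f"{risk}-risk resource requires a managed device", "block_device")
    if risk == "high" and not req.device_compliant:
        # Device posture is part of context: a known device that drifted out of
        # compliance is isolated rather than silently served.
        return Decision(False, "managed device is out of compliance", "quarantine_device")
    if req.now - req.last_verified > MAX_SESSION_AGE[risk]:
        return Decision(False, f"verification older than {MAX_SESSION_AGE[risk]} for {risk}-risk resource", "reauthenticate")
    return Decision(True, "all policy conditions met")


if __name__ == "__main__":
    now = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
    samples = [
        Request("alice", "finance", "payroll-db", True, True, True, now - timedelta(minutes=5), now),
        Request("alice", "finance", "payroll-db", True, True, True, now - timedelta(minutes=30), now),
        Request("bob", "engineer", "payroll-db", True, True, True, now - timedelta(minutes=5), now),
        Request("alice", "finance", "payroll-db", True, False, True, now - timedelta(minutes=5), now),
    ]
    for r in samples:
        d = decide(r)
        print(f"{r.user:6} -> {r.resource:13} allow={d.allow} action={d.action} ({d.reason})")
```

The point worth noticing is that every branch except the last is a denial with an attached action: the same engine that enforces policy also feeds the incident-resolution step, so "revoke", "quarantine" and "open a ticket" are outcomes of the decision rather than a separate manual workflow.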
The risks of not implementing zero trust security
The IBM Security X-Force Threat Intelligence Index 2023 reveals that phishing remains the top initial access vector, seen in 41% of the incidents evaluated, for reaching sensitive data and networks. For example, LockBit is perhaps the most active and dangerous ransomware today. During the past several weeks alone, reports have surfaced naming the threat group in breaches of the U.K. Royal Mail, the Argentine Grupo Albanesi, Indian chemical business SRF, over 200 CEFCO convenience stores in the southern US and a Portugal water authority.
LockBit usually gains a foothold through phishing and social engineering. Employee cyber awareness lowers the success rate, but given enough attempts, some phishing emails will eventually get through. And once LockBit attackers gain entry, they will seek to escalate their privileges.
Privileged users have elevated access to critical systems, data and functions, so security controls must vet, monitor and analyze those entitlements to protect resources. As a cornerstone of zero trust, privileged access management (PAM), together with the broader identity and access management (IAM) discipline, can discover unknown privileged accounts, rotate credentials automatically and flag anomalous activity.
PAM is one way a zero trust strategy manages, protects and audits privileged accounts across their life cycles. The same controls apply to devices, servers and other endpoints that hold administrative privileges. Both PAM and IAM are available today, and these methods can detect and deter LockBit-like intruders attempting to reach sensitive data.
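Two of the PAM capabilities named above, discovering privileged accounts the vault does not know about and spotting anomalous use of the accounts it does know, reduce to reconciliation and detection logic that is worth seeing concretely. The following is an added example, not code from the article or from any PAM or IAM product; the approved-account inventory, the corporate address range, the login log format and the sample lines are all constructed for illustration.

```python
"""
Added example (not from the original article or any vendor tool): the
discovery and anomaly checks a PAM/IAM control runs continuously, over
constructed data.  Inventory, network range, log format and thresholds are
assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source of truth for privileged accounts provisioned through the approved
# process (assumed to come from the PAM vault).
APPROVED_ADMINS = {"svc-backup", "alice.admin", "bob.admin"}

# Constructed snapshot of a privileged directory group as observed today.
OBSERVED_ADMINS = {"svc-backup", "alice.admin", "bob.admin", "support-tmp"}

# Assumed corporate address space; privileged logins from elsewhere are suspect.
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# A successful privileged login preceded by this many failures within the
# window is treated as a likely guessed or stolen credential (assumed thresholds).
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=5)

# Constructed log lines in an assumed format: "<timestamp> <user> <source_ip> <result>".
SAMPLE_LOG = """\
2023-03-01T08:02:11Z alice.admin 10.0.5.21 success
2023-03-01T08:40:09Z bob.admin 10.0.5.33 success
2023-03-01T23:17:45Z alice.admin 203.0.113.9 success
2023-03-02T02:05:02Z svc-backup 10.0.9.4 failure
2023-03-02T02:05:09Z svc-backup 10.0.9.4 failure
2023-03-02T02:05:17Z svc-backup 10.0.9.4 failure
2023-03-02T02:05:30Z svc-backup 10.0.9.4 success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<result>success|failure)$")


def unknown_privileged_accounts(observed, approved):
    """Discovery: privilege holders absent from the approved inventory."""
    return sorted(observed - approved)


def parse(log_text):
    """Parse the assumed log format into (timestamp, user, ip, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected shape
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["ip"], m["result"] == "success"))
    return events


def anomalous_privileged_logins(events):
    """Monitoring: flag successful privileged logins that violate either rule.

    Each finding carries the context-specific response a zero trust workflow
    would trigger (revoke the session, rotate the credential).
    """
    findings = []
    recent_failures = defaultdict(list)
    for ts, user, ip, succeeded in sorted(events):
        if not succeeded:
            recent_failures[user].append(ts)
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in CORP_NETWORKS):
            findings.append({"user": user, "ip": ip, "at": ts.isoformat(),
                             "rule": "privileged_login_from_external_network",
                             "action": "revoke_session"})
        window_start = ts - FAILURE_WINDOW
        if sum(1 for t in recent_failures[user] if t >= window_start) >= FAILURE_THRESHOLD:
            findings.append({"user": user, "ip": ip, "at": ts.isoformat(),
                             "rule": "success_after_repeated_failures",
                             "action": "rotate_credential"})
        recent_failures[user].clear()  # a success ends the failure streak
    return findings


if __name__ == "__main__":
    for acct in unknown_privileged_accounts(OBSERVED_ADMINS, APPROVED_ADMINS):
        print(f"unknown privileged account: {acct} -> disable and investigate")
    for f in anomalous_privileged_logins(parse(SAMPLE_LOG)):
        print(f"{f['at']} {f['user']} from {f['ip']}: {f['rule']} -> {f['action']}")
```

The reconciliation check is the part most often skipped in practice: a vault can only rotate and monitor the accounts it knows about, so the first control is comparing what actually holds privilege against what was approved.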
The alternative is to rely on employee cyber training alone, perimeter firewalls and antiquated first-generation identity-as-a-service (IDaaS) solutions to catch intruders who can lurk in networks for months before being detected.
Zero trust secures the new perimeter-less reality
Modern security should allow work from any place on any device with access to tools and data within any ecosystem. It should provide real-time context across all domains. Meanwhile, threats continue to grow in severity and sophistication. This is why organizations are quickly moving to implement zero trust solutions. Leveraging a standard, cloud-based authentication platform would be a critical first step to modernizing identity services for zero trust.
In conclusion, zero trust has moved far beyond the conceptual phase. In some enterprises, it already supports tens of millions of internal and external identities. With the rise of cyber threats, the time for zero trust is now.