April 27, 2023 By Jonathan Reed 4 min read

How do you secure something that no longer exists? With the rapid expansion of hybrid-remote work, IoT, APIs and applications, any notion of a network perimeter has effectively been eliminated. Plus, any risk inherent to your tech stack components becomes your risk whether you like it or not.

Organizations of all sizes are increasingly vulnerable to breaches as their attack surfaces continue to grow and become more difficult — if not impossible — to define. Add geopolitical and economic instability into the mix, and the danger of cyberattacks has become alarmingly high. From a debilitating ransomware strike to the exfiltration of delicate customer data, the risks are tangible and potentially devastating.

Given the current context, zero trust has emerged as the most prevalent security strategy by far. The fundamental idea behind zero trust is simple: trust nothing; verify everything. Zero trust enables organizations to adopt a holistic security approach that verifies the credibility and authenticity of all users, devices and systems that interact with their networks and data. As attacks continue to escalate, companies are realizing that zero trust is becoming essential for business survival.

As with any substantial strategy change, implementing zero trust can be difficult. While many companies have started the journey, few have successfully implemented an organization-wide zero trust security approach. In fact, Gartner predicts only 10% of large enterprises will have a mature and measurable zero trust program in place by 2026.

Are there any ways to facilitate a faster move to zero trust?

Moving forward on zero trust security

Zero trust is more a security philosophy than a security architecture. For this reason, a successful transition to zero trust security requires strong leadership. Business leaders must avoid the misconception that zero trust is just another set of security tools. If done correctly, adopting zero trust means taking charge of a new core security strategy for the entire organization. And this requires someone to claim ownership over driving the change.

How critical is the need for this new approach? The Pentagon plans to implement a zero trust architecture across its entire enterprise by 2027, according to Department of Defense CIO John Sherman. This is further backed by an announcement from the Executive Office of the President about government-wide zero trust goals. Top-level buy-in is essential to move forward with zero trust implementation.

Key concepts of zero trust governance

As the perimeter model for security has become obsolete, context has emerged as the most viable way to envision secure networks and data. The question is who (or which software or machines) should have access to what, when and for how long? Zero trust mandates that security teams capture and use information from across the business to create context. This enables quick and automated decision-making about each connection’s trustworthiness. And given today’s attack surface fluidity, execution must be continuous and AI-assisted.

Organizations frequently drop the ball on zero trust since they fail to grasp the underlying governance required. Once these concepts are fully understood, then the right tools can be selected to make zero trust a reality.

A zero trust governance model is determined by:

  • Context definition. Context means understanding users, data and resources to create coordinated security policies aligned with the business. This process requires discovering and classifying resources based on risk. From there, resource boundaries are defined and users are classified according to roles and duties.
  • Verification and enforcement. By quickly and consistently validating context and enforcing policies, zero trust provides adaptable but secure protection. This requires AI-assisted monitoring and validating all access requests against policy conditions to grant the right access quickly and consistently to the right resources.
  • Incident resolution. Resolving security violations through targeted actions helps reduce the impact on business. This requires preparation and context-specific action, such as revoking access for individual users or devices, adjusting network segmentation, quarantining users, wiping devices, creating an incident ticket or generating compliance reports.
  • Analysis and improvement. Continuous improvement is achieved by adjusting policies and practices to make faster, more informed decisions. This requires continuous evaluation and adjustment of policies, authorization actions and remediation tactics to secure each resource.
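The four governance elements above, as an added example that is not from the article: a minimal policy decision point in Python that classifies resources by risk (context), verifies each request against that context with a time-bounded grant (verification and enforcement), supports targeted revocation of a user or device (incident resolution), and reports which policy conditions deny most often (analysis and improvement). All resource, role, user and device names and the TTL values are constructed; times are plain epoch seconds.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample context (hypothetical names): resource risk classes, role
# entitlements, and how many seconds a grant is honoured before re-verification.
RESOURCE_RISK = {"payroll-db": "high", "wiki": "low"}
ROLE_ACCESS = {"finance": {"payroll-db", "wiki"}, "engineer": {"wiki"}}
GRANT_TTL = {"high": 15 * 60, "low": 8 * 3600}

@dataclass
class Request:
    user: str
    role: str
    device: str
    device_compliant: bool
    mfa: bool
    resource: str

@dataclass
class PolicyEngine:
    revoked_users: set = field(default_factory=set)
    quarantined_devices: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def decide(self, req: Request, now: int):
        # Verification: evaluate every request against context (nothing is trusted by
        # default); returns (grant expiry in epoch seconds or None, denial reasons).
        risk = RESOURCE_RISK.get(req.resource)
        checks = [
            (risk is None, "unclassified resource"),
            (req.user in self.revoked_users, "user revoked"),
            (req.device in self.quarantined_devices, "device quarantined"),
            (req.resource not in ROLE_ACCESS.get(req.role, set()), "role not entitled"),
            (not req.device_compliant, "device non-compliant"),
            (risk == "high" and not req.mfa, "mfa required for high-risk resource"),
        ]
        reasons = [why for failed, why in checks if failed]
        expires = None if reasons else now + GRANT_TTL[risk]  # time-bounded grant
        self.audit.append((req.user, req.resource, reasons))
        return expires, reasons
    def grant_valid(self, expires, now: int) -> bool:
        # Continuous verification: a grant lapses after its TTL and must be re-decided.
        return expires is not None and now < expires
    def contain(self, user=None, device=None) -> None:
        # Incident resolution: targeted revocation; later requests fail decide() above.
        if user: self.revoked_users.add(user)
        if device: self.quarantined_devices.add(device)
    def denial_report(self) -> Counter:
        # Analysis and improvement: which policy conditions deny most often.
        return Counter(r for _, _, reasons in self.audit for r in reasons)
```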

The risks of not implementing zero trust security

The IBM Security X-Force Threat Intelligence Index 2023 reveals that phishing remains the top way attackers gain access (41% of incidents evaluated) to sensitive data and networks. For example, LockBit is perhaps the most active and dangerous ransomware today. During the past several weeks alone, reports have surfaced naming the threat group in breaches of the U.K. Royal Mail, the Argentine Grupo Albanesi, Indian chemical business SRF, over 200 CEFCO convenience stores in the southern US and a Portugal water authority.

LockBit usually gains a foothold through phishing and social engineering techniques. While employee cyber awareness makes a difference, given enough phishing attempts, some are likely to result in a breach. And once LockBit attackers gain entry, they will seek to elevate their access privileges.

Privileged users have elevated access to critical systems, data and functions. But security solutions must vet, monitor and analyze their advanced entitlements to protect resources. As a cornerstone of zero trust, privileged access management (PAM) and its cousin identity and access management (IAM) can discover unknown accounts, reset passwords automatically and monitor anomalous activity.

PAM is one way a zero trust strategy manages, protects and audits privileged accounts across their life cycles. The same security measures can apply to devices, servers and other endpoints with administrative privileges. Both PAM and IAM are tools available now, and these methods can successfully detect and deter LockBit-like intruders attempting to gain access to sensitive data.

The alternative is to rely on employee cyber training, ineffective firewalls and antiquated first-generation identity as a service (IDaaS) solutions to catch intruders who can lurk in networks for months before being detected.

Zero trust secures the new perimeter-less reality

Modern security should allow work from any place on any device with access to tools and data within any ecosystem. It should provide real-time context across all domains. Meanwhile, threats continue to grow in severity and sophistication. This is why organizations are quickly moving to implement zero trust solutions. Leveraging a standard, cloud-based authentication platform would be a critical first step to modernizing identity services for zero trust.

In conclusion, zero trust has moved far beyond the conceptual phase. In some enterprises, it already supports tens of millions of internal and external identities. With the rise of cyber threats, the time for zero trust is now.
