The zero trust model is going mainstream, and for good reason. The rise in advanced attacks, plus IT trends that include the move to hybrid cloud and remote work, demand more exacting and granular defenses.

Zero trust ensures verification and authorization for every device, every application and every user gaining access to every resource. This is a complete departure from the old model, where implicit trust was the norm and networks were protected by firewalls, VPNs and web gateways. After all, in the past it was safe enough to assume anyone or anything inside the firewall could be trusted.

What Is Zero Trust?

The concept was formally modeled and named in 2010 by Forrester Research principal analyst John Kindervag. (More detailed definitions are available in industry guidelines such as Forrester eXtended, Gartner’s CARTA and NIST 800-207.) But the idea has become mainstream in security circles in the past year. That’s because the sudden rush to remote work in 2020 exposed the flaws of the implicit trust model. It became clear that hijacking a remote worker was the key to entering the firewall via employee VPNs.

Zero trust has bonus benefits, too. It helps with compliance auditing and offers better insight into networks. It also bolsters the project of microsegmentation — closing off different parts of the network to prevent an intruder from gaining access to everything.

One of the biggest challenges to adopting this model can be summed up in one word: legacy. Older authentication protocols, tools, apps and other resources may be more difficult to integrate into a zero trust system. And that’s why the movement is driving a new push to replace legacy systems.

Discover zero trust

New Thinking With Today’s Tools

Zero trust isn’t a product. It’s a mindset and a holistic approach that relies on new kinds of governance.

Developers dragoon existing tech and planned changes (such as transitions to hybrid cloud environments) into service to implement zero trust. It takes advantage of well-known tech like identity and access management, endpoint solutions, identity protection tools and multi-factor authentication.

At its core, the zero trust mindset sees what authorization really means. Which is to say, an authorized user accessing an app they have permission to access over an authorized channel from an authorized device is the only scenario that maxes out safety. If any part of this is off the grid, access should not be granted.

We need a cultural pivot — a paradigm shift in how we think about digital defense. A zero trust model is dynamic and constantly changing. After your system verifies the user and device and assures minimum access, it’s vital to monitor, learn and adapt. That means zero trust is a growing, adaptable process.

Trust No One

The zero trust paradigm shift calls for thinking in a new way. In terms of authentication, everything is a resource. Employees, user devices, data sources, services and more — they all have the same status: the system doesn’t let them in by default.

Instead of a set-it-and-forget-it method, resource authentication is dynamic and applied each time a new request for access comes in. The key that unlocks the power of zero trust is real-time visibility into user IDs, device behavior, device credential privileges, device location, app update status and other attributes.

In addition, the zero trust mindset reduces the role of the perimeter. You can secure communication, for example, in the same way whether it’s coming from an unknown outside source or from inside the organization’s internal communications platform. Thinking a different way about everything sounds like a big change, but it’s a matter of using today’s tools in a different way — and keeping your data safer by doing so.

More from Zero Trust

Effectively Enforce a Least Privilege Strategy

Every security officer wants to minimize their attack surface. One of the best ways to do this is by implementing a least privilege strategy. One report revealed that data breaches from insiders could cost as much as 20% of annual revenue. Also, at least one in three reported data breaches involve an insider. Over 78% of insider data breaches involve unintentional data loss or exposure. Least privilege protocols can help prevent these kinds of blunders. Clearly, proper management of access…

What CISOs Want to See From NIST’s Impending Zero Trust Guidelines

Cybersecurity at U.S. federal agencies has been running behind the times for years. It took an executive order by President Joe Biden to kickstart a fix across the agencies. The government initiative also serves as a wake-up call to enterprises lagging in getting zero trust up and running. Several organizations, including the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) responded to the president’s order with detailed…

Cost of a Data Breach: Infrastructure

During the pandemic, businesses and consumers saw firsthand what happens when infrastructure fails. In 2019, the global critical infrastructure protection (CIP) market size was valued at $96.30 billion. It is predicted to grow to $154.59 billion by 2027, with a CAGR of 6.2%. On top of that, each time an organization in a critical sector is the victim of any type of cybersecurity incident resulting in data loss, the event counts as a critical infrastructure data breach. Let's take a…

Companies Without Zero Trust Could Lose $1M More During a Data Breach

In recent years, the mindset for cybersecurity has shifted. It isn't a matter of if a company has a breach, but rather when a company has a breach. With the increase in cybersecurity incidents, most if not all companies will be victims of a data breach at some point. However, the latest research shows that organizations using zero trust can save more than $1 million during a breach.  Record High Costs for Data Breaches According to the 2022 IBM Cost of…