Zero trust remains one of the best ways for companies to reduce total risk. By knowing the potential risk of any request — both inside and outside the enterprise network — rather than assuming good intentions, companies can limit potential attacks.

Deploying a zero trust framework at scale, however, may cause frustration. It increases operational complexity and reduces overall productivity even as it boosts security. But with the majority of staff members now working from home — and many likely to remain at least partially remote in the future — zero trust is more important than ever.

So, what does this model look like? How do enterprises find a balance between speed and safety to help reduce the friction of zero trust initiatives — all without increasing risk?

What is Zero Trust?

Never trust, always verify. This is the essence of zero trust.

According to John Kindervag, creator of the zero trust model, the framework offers a simple way for companies to improve overall protection.

“When every user, packet, network interface and device is untrusted,” he says, “protecting assets becomes simple.”

As noted by IBM Vice President and CISO Koos Lodewijkx, however, zero trust environments are now evolving. Zero trust is no longer something enterprises have; it’s something they do.

Three Components of Zero Trust

In practice, this means creating a culture of zero trust that puts security over speed when it comes to approving access requests or granting data permissions. To achieve this goal, think of these three key components:

1. Architecture

Network design is essential for zero trust success. Specifically, companies must prioritize the development and deployment of microsegmented network architectures that both limit the scope of potential compromise and make it easier to manage zero trust solutions.

2. Assessment

Effective assessment of user behavior within the zero trust landscape is also critical. Many security systems now include effective two-factor authentication and other verification tactics. But enterprises must also integrate behavioral assessment, such as flagging users who log in from a new location outside normal working hours, to reduce total risk.

3. Automation

Expanding cloud and mobile networks make it impossible for even expert teams to keep pace with potential threats. As a result, automation of front-line tasks with solutions such as machine learning or robotic process automation is critical.

The challenge? Maintaining the essential simplicity of zero trust while addressing the need for a more in-depth approach to protect evolving networks.

Why Remote Work Lends Itself to Zero Trust

The need for effective and efficient zero trust has never been greater. Security risks are on the rise, Forbes notes. With business leaders focused on making sure their staff are equipped with the right tools and tech to do their jobs, infosec gaps will appear.

Remote work itself also poses challenges for companies used to the familiar frameworks and connective confines of on-site networks.

Anytime, Anywhere, Any Device Access

The pandemic means companies now allow users to access corporate networks anytime, anywhere. And there’s no putting this approach back in the box. Employees and consumers are now used to this level of access. From a defense perspective, however, the sheer volume of access points presents a zero trust minefield.

Shifting Attack Surfaces

The move to remote work has caused a major shift in attack surfaces. With remote work and collaboration apps now essential to enterprises, threat actors found an entirely new world to exploit.

Hybrid Work Hangups

According to a recent PwC survey, while 75% of employers expect at least half of their staff will be back in the office by July 2021, just 61% of employees say the same. No matter how it all shakes out, the fact remains that hybrid work, the need for both in-office and at-home access, isn’t going away. From a zero trust perspective, however, there’s potential for hybrid hangups as network protection needs double.

Bigger Phish to Fry

Phishing and ransomware attacks are also on the rise. Cyber criminals look to combine social engineering and crisis operations to compromise business emails, deploy malicious code and even take advantage of users with fake vaccine campaigns. With attackers now casting as many lines as possible into corporate IT pools, robust zero trust is more important than ever.

How Context Reduces Frustrating Complexity

For Aarti Borkar, vice president for IBM Security, context is critical to effectively deliver on the potential of zero trust. While “never trust, always verify” forms the foundation of up-front zero trust access solutions, she expands the definition to include the key component of verification, noting “the right person, the right data, the right time, the right context makes all the difference in the world.”

This means getting the bigger picture when it comes to trust-based decision making. By going beyond login and resource requests to consider the larger context of user operations — such as where requests originate from, what time they occur and how the data is being used — enterprises can create zero trust models that are permissive where possible and restrictive where needed to offer both performance and protection.

For Borkar, this context is critical to help companies move from perceived trust to quantifiable trust. In effect, it creates a framework where trust is earned, rather than assumed. It sets the stage for reduced friction and complexity without reducing security.

The Human Element

She notes that outside the world of digital defense, human connections are governed by trust. Over time, both specific people and the data they provide can establish a framework of trust based on context. When it comes to IT security, meanwhile, enterprises don’t always have the luxury of interacting with users at an individual level.

Instead, context is based on a user’s specific role within the organization, the current projects they’ve been assigned and what resources they need to complete day-to-day tasks. In addition, behavioral information such as when and where users commonly log on and access key systems can also be used to help contextualize trust. The result?

“When we get down to the specifics of ensuring the right people can get to the right data, which inherently means that the wrong people can’t, and the right people can get access to only the data that matters to them, and then we’re looking at the circumstances and the timing of when they access that data, it starts making this construct of trust that we have a bit more quantifiable,” Borkar says.
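The context-based decision described above can be sketched as a small policy function. This is an added example, not code from the article or from IBM; the role names, resources, baseline values and the allow / step-up / deny thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data: roles, resources and baselines are assumptions.
ROLE_RESOURCES = {
    "finance-analyst": {"ledger", "payroll-reports"},
    "developer": {"source-repo", "build-logs"},
}

@dataclass(frozen=True)
class Baseline:
    countries: frozenset  # where this user commonly logs on from
    start_hour: int       # usual working hours, inclusive start
    end_hour: int         # exclusive end

@dataclass(frozen=True)
class Request:
    role: str
    resource: str
    country: str
    when: datetime

def decide(req, baseline):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    # Right person, right data: entitlement is a hard gate, never a score.
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return "deny", ["resource not assigned to role"]
    reasons = []
    if req.country not in baseline.countries:
        reasons.append("new location")
    if not baseline.start_hour <= req.when.hour < baseline.end_hour:
        reasons.append("outside usual hours")
    # Permissive where possible, restrictive where needed.
    if not reasons:
        return "allow", reasons
    if len(reasons) == 1:
        return "step_up", reasons  # ask for additional verification
    return "deny", reasons

ANALYST = Baseline(frozenset({"NL"}), 8, 18)
SAMPLES = [  # constructed requests
    Request("finance-analyst", "ledger", "NL", datetime(2021, 3, 2, 10, 15)),
    Request("finance-analyst", "ledger", "NL", datetime(2021, 3, 2, 23, 40)),
    Request("finance-analyst", "ledger", "BR", datetime(2021, 3, 3, 2, 5)),
    Request("finance-analyst", "source-repo", "NL", datetime(2021, 3, 2, 10, 15)),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.resource, r.country, r.when.time(), "->", decide(r, ANALYST))
```

A request that matches the user's role and usual pattern passes without friction; a single unusual signal triggers extra verification rather than a block, and the article's own case of a new location outside normal working hours is refused.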

Zeroing in on Context

Zero trust offers a way for enterprises to embrace the hybrid work expectations of 2021 without compromising critical protection. The caveat? Context.

To deliver on the dual potential of simplicity and security, companies must deploy context-first frameworks that ensure the right people have the right access to the right data at the right time — and for the right reasons.
