Have you ever walked up to an ATM after another person finished with the machine only to find they left it on a prompt screen asking, “Do you want to perform another transaction?” I have. Of course, I did the right thing and closed out their session before beginning my own transaction. That was a mistake an individual made by careless error which could have cost them hundreds of their own currency. Now imagine this same individual fails to adhere to proper access control measures at work and exposes the business to millions in lost revenue, or a ransomware threat.
This incident is very similar to many of the simple oversights that people make every day that can lead to some serious personal inconveniences. On a larger scale, such a misstep in a corporate environment can result in a business disrupting security event.
The 7 Tenets of Zero Trust
This is only one of the reasons that the latest approach to a mature security program is the adoption of a zero trust architecture. While the name may seem to reek of “Techno Buzzword,” zero trust is a serious security strategy. The National Institute of Standards and Technology (NIST) has released Special Publication 800-207, simply titled “Zero Trust Architecture,” which offers guidance for organizations seeking to start along the zero trust journey.
Amongst the most important parts of SP 800-207 is the introduction of 7 “Tenets of Zero Trust:”
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
With the constantly evolving threat landscape, and the bad actors growing more effective every year, the need for dynamic control of access to data, systems, software, or even components of a system cannot be brought on fast enough.
In today’s landscape, we now see Ransomware, and Malware each offered “as a Service.” There are very adaptive organizations that can leverage attacks across the broadest and most sophisticated networks and still find a way in. The zero trust model is a solid foundation designed upon very thoughtful principles that would limit the exposure for any organization, even if a threat makes it through the boundary controls. As companies adopt and use zero trust to design better security, they can reduce the threat surface low enough to significantly curb their risk.
The seven tenets of a zero trust architecture require serious knowledge, and diligence to achieve. Like all business initiatives, it’s easier to start small and grow your scope later. Don’t just consider this from a network and system coverage point of view—use this same principle to consider the behavioral and identity related data as well.
Hear from the experts
We understand the challenge, so we asked our experts to offer their impressions about the seven tenets. Our eBook gives more than just insight into each of these principles, it also asks the question “what challenges have you faced” when implementing each of the tenets. We spoke with security leaders, as well as practitioners, giving a fully rounded view of how an organization might get started towards embracing zero trust. Most importantly, we asked “what advice would you give to others” for achieving each tenet.
Embracing, and making zero trust a reality in your organization is a big task. The most important thing is to get started now and keep focused on the ideal end state. You can continually evolve the effectiveness of your model by including more data as you gain a greater understanding of your environment, your routine business operations, and how to accurately understand business risk.
Another key to success is to be able to hear how others have worked to make zero trust a reality in their organizations. Read our eBook to find out more.