Every single blog you read on cybersecurity has at least one mention of the Zero Trust approach to cybersecurity (even this one 😊). Don't assume, though, that Zero Trust is yet another hyped term that will soon vanish into thin air. Zero Trust, a term coined more than a decade ago, emerged out of necessity: systems, networks, data and people had to be defended against increasingly sophisticated attackers, and implicit trust had become a vulnerability.
As the years went by, Zero Trust grew from a concept into a security and compliance requirement; the executive order on the cybersecurity of U.S. critical infrastructure places the implementation of a Zero Trust architecture at the heart of businesses' efforts. Despite that, the concept of Zero Trust might still seem a bit vague.
Zero Trust definition and tenets
The definition of Zero Trust can be found in many publications, but here’s the one provided by Forrester a few months ago:
“Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.”
Even that definition, focused on the three core principles of Zero Trust, might read as a bit too generic. What does Zero Trust really mean for the organization? Having a shared understanding of the concept greatly helps when implementing it. The National Institute of Standards and Technology (NIST) has published NIST SP 800-207 Zero Trust Architecture, which describes the following seven tenets of Zero Trust.
- All data sources and computing services are considered resources
- All communication is secured regardless of network location
- Access to individual enterprise resources is granted on a per-session basis
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture
The absence of a concrete solution-based approach to Zero Trust from these tenets is deliberate. Delivering a Zero Trust strategy can be done in a variety of ways. Every business needs to create a strategy and toolkit that fits with its particular requirements and preexisting infrastructure.
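To make the tenets concrete, here is a small policy decision point written for this post as an added example (it is not code from the original article, from NIST or from Tripwire). It shows how a single access check can embody tenet 3 (grants are per session), tenet 4 (policy is dynamic and weighs identity, device posture and request context) and tenet 6 (authorization is enforced before every access, and a grant expires and is bound to one subject and one resource). The users, devices, resources, the risk weights and the session lifetime are all constructed sample values, and the device attributes (managed, patch age, EDR health) are assumed to come from an asset inventory that the example does not implement.

```python
"""Minimal policy decision point (PDP) for a Zero Trust access check.

Added illustrative example, not the original post's or any vendor's code.
Everything below (users, devices, resources, weights, TTL) is constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import secrets
import time


@dataclass
class Subject:
    user: str
    groups: frozenset
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    managed: bool          # assumed: enrolled in the organisation's device management
    patch_age_days: int    # assumed: days since the last OS patch was applied
    edr_healthy: bool      # assumed: endpoint agent present and reporting


@dataclass
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    action: str            # "read" or "write"
    source_country: str


# Constructed sample policy: required group, tolerated risk, optional geo limit.
RESOURCE_POLICY = {
    "hr-payroll": {"group": "hr", "max_risk": 20, "allowed_countries": {"US"}},
    "wiki": {"group": "staff", "max_risk": 60, "allowed_countries": None},
}

SESSION_TTL_SECONDS = 600  # short-lived grants force periodic re-evaluation (tenet 3)


def risk_score(req: AccessRequest) -> int:
    """Tenet 4: fold identity, device posture and request context into one
    dynamic score; higher is riskier. Weights are arbitrary illustrative values."""
    score = 0
    if not req.subject.mfa_verified:
        score += 40
    if not req.device.managed:
        score += 30
    if not req.device.edr_healthy:
        score += 20
    if req.device.patch_age_days > 30:
        score += 15
    if req.action == "write":
        score += 10
    return score


class PolicyDecisionPoint:
    def __init__(self) -> None:
        # token -> (user, resource, expiry); a grant is specific to one session
        self._sessions = {}

    def evaluate(self, req: AccessRequest, now: Optional[float] = None
                 ) -> Tuple[bool, str, Optional[str]]:
        """Return (allowed, reason, session_token). The default answer is deny."""
        now = time.time() if now is None else now
        policy = RESOURCE_POLICY.get(req.resource)
        if policy is None:
            return False, "unknown resource: deny by default", None
        if policy["group"] not in req.subject.groups:
            return False, "subject not in required group", None
        allowed = policy["allowed_countries"]
        if allowed is not None and req.source_country not in allowed:
            return False, "source location not permitted for this resource", None
        score = risk_score(req)
        if score > policy["max_risk"]:
            return False, f"risk score {score} exceeds limit {policy['max_risk']}", None
        token = secrets.token_urlsafe(16)
        self._sessions[token] = (req.subject.user, req.resource, now + SESSION_TTL_SECONDS)
        return True, f"granted (risk {score})", token

    def check_session(self, token: str, user: str, resource: str,
                      now: Optional[float] = None) -> bool:
        """Tenet 6: a grant is bound to one subject and one resource and it
        expires; anything outside that must be authorised from scratch."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return False
        s_user, s_resource, expiry = entry
        if now >= expiry:
            del self._sessions[token]   # expired grants are forgotten, not renewed
            return False
        return s_user == user and s_resource == resource


if __name__ == "__main__":
    pdp = PolicyDecisionPoint()
    alice = Subject("alice", frozenset({"hr", "staff"}), mfa_verified=True)
    laptop = Device("lt-001", managed=True, patch_age_days=10, edr_healthy=True)
    print(pdp.evaluate(AccessRequest(alice, laptop, "hr-payroll", "read", "US")))
```

The same subject on an unmanaged device is still allowed into the low-sensitivity wiki but is refused payroll data, because the decision is made per request from the current posture rather than from where the request comes from on the network; logging each `reason` string is what gives the monitoring and measurement that tenets 5 and 7 call for.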
Stefan Lesaru, IDSA Zero Trust Technical Working Group Lead, explains that “Each organization must define its own concept based on an evaluation of the current network environment and any gaps that exist. They have to embrace the concept and culture and then move towards it. Zero Trust is a journey that may take several years to realize, and each organization’s journey and final implementation will look different.”
The journey to Zero Trust maturity
Although NIST has articulated the seven tenets of Zero Trust and provided guidance on implementing a Zero Trust architecture, organizations often struggle with how to reach the destination. To this end, it is important to consider that Zero Trust is about building confidence.
As John Kindervag, credited with coining the term, said: “Trust is a human emotion that refers to the level of confidence someone has in something, but it’s a vulnerability and an exploit in a digital system. So, for folks trying to move to a Zero Trust environment, step one is to eliminate the word ‘trust’ from your vocabulary as it relates to digital systems. Trust is binary; it is on or off. Think about using the term ‘confidence’ instead. Confidence can exist on a continuum. It’s an important distinction.”
Another important consideration is that Zero Trust is not about the destination but rather about the journey. “Think of zero trust as a way to operate the business in a secure way. It’s about how you actually practice security,” says Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify.
Therefore, Zero Trust is about mindset. It is a shift away from traditional network zoning, which created isolated islands within the ocean of your company where everyone inside the island was trusted. It is also about orchestrating your efforts around protecting your data. The installed base of storage capacity is expected to increase from 6.7 zettabytes in 2020 to 16 zettabytes in 2025, reflecting the rapid growth of data. Due to this unrelenting annual expansion, many organizations now have data swamps rather than data lakes.
What is your status of Zero Trust?
Different organizations have different needs and constraints when setting out on their journey to Zero Trust maturity. Culture, resources, leadership buy-in, talent gaps and employee retention are all factors that may foster or hinder the adoption of a Zero Trust strategy.
Most organizations have already embarked on this journey, but they lack visibility into where they stand right now. You may be further ahead in establishing good Zero Trust foundations than you realize. Assessing your Zero Trust status is a good way to take a moment to reflect on what you have done so far and (re)align your efforts.
Tripwire has developed a self-assessment quiz to give you an instant appraisal of your status. The quiz goes even further: it offers helpful, practical tips for next steps tailored to your assessment results.
Take the quiz now! Don’t let the perfect be the enemy of the good and make a start today to better understand and strengthen your organization’s cybersecurity.