Cybersecurity, like broader technological disciplines, is an ever-changing landscape that industry professionals must adapt to. The zero-trust model of cybersecurity has grown recently as organizations update their security practices to keep pace with, and stay ahead of evolving threats. Zero Trust Network Access (ZTNA) increased by 230% from 2019 to 2020, and more than 80% of C-suite leaders cite zero-trust as a priority for their enterprises.
The increased use of zero trust is partly due to the shift toward more hybridized workplaces, necessitating new security solutions to accommodate employees accessing networks from both on- and off-premises. Although more organizations are choosing to adopt this model, it is difficult to understand what zero trust actually means in practice. The World Economic Forum published a community paper in order to provide clarity on what zero trust is, its benefits and challenges, and how to effectively implement it.
What is zero trust?
Difficulties understanding zero trust can lead to difficulties in implementing it. Definitions vary and contradict each other, and overuse of the term has watered it down somewhat. Zero trust is not an automatic fix for all cybersecurity worries, nor is it a single product or service that can revolutionize cybersecurity practices. Rather, it is a model of security that covers a range of different safety measures and practices, as well as an overall shift in how organizations approach cybersecurity.
The WEF report defines zero trust as:
“A principle-based model designed within a cybersecurity strategy that enforces a data-centric approach to continuously treat everything as an
unknown – whether a human or a machine, to ensure trustworthy
behaviour.”
The benefits of zero trust are many. It can limit security breaches, as compared to perimeter-based models, lead to a greater degree of understanding of security and better network protection, allow visibility into the network, and allow workers to safely access corporate resources both on- and off-premises. There are challenges to it as well, including the required commitment of resources to buttress long-term implementation, the necessity of a detailed inventory of applications, assets, devices, networks, access rights, and users. There is also the component of the difficulty of gaining and maintaining staff support for changing security infrastructure. Fortunately, there are steps that can be taken in order to mitigate these quandaries.
Guiding principles of zero trust
The main doctrine of zero trust is “never trust, always verify,” but the full explanation is more complex. All organizations should analyze their own needs and abilities to determine how best to implement zero trust for their purposes, but there are some key guiding principles for a broad approach to zero trust.
- Establish no trust by default – assume cyber threats can come from both within and outside of the corporate network.
- Ensure visibility – map the surface of the network and maintain automated and continuous visibility into resources.
- Apply trust with dynamic and continuous verification – continuously and dynamically verify and validate access for all users and devices to all resources.
- Use “least privilege” – limit user access rights to only necessary resources for the role of the user or device.
- Ensure the best possible end-user experience – use security controls that do not negatively impact end-user experience or productivity.
Best practices and steps for successful deployment
Zero trust is a process that must be approached systematically, and constantly revisited, not a one-and-done solution. Best practices for deploying a zero-trust framework include a sequence of steps to be taken in order to guarantee both the highest possible level of security and the smooth process of implementation.
The first step is to ensure buy-in across the organization. In order to effectively implement zero trust, support and resources are required from every area. All should be able to participate in the project of implementing zero trust and should be kept aware not only of the changes being made, but the reasons for those changes. Since the process may require adjustment to the workflow, the strategy should be presented as an enterprise-wide initiative that recognizes the potential for group discomfort with these changes. For effective security measures and less disruption, teams should explore practices currently in place and determine what additional resources are required.
Second, it is vital to understand and map the “crown jewels,” the organization’s most critical applications, data, devices, and users. Cyber leaders must spearhead this initiative. Zero trust reduces the attack surface by breaking up networks into micro-perimeters. The goal is to halt an attacker’s progress toward critical areas, as well as constantly verifying users and devices. Inventory changes must be diligently updated, along with access rights for all devices and resources.
Third, teams should introduce adequate control mechanisms, establishing a clear view of the scope of the strategy, and identifying priority cases that address higher risks. It is best to use available technologies, recalibrate and retain existing security practices, and ensure that guidelines are observed and updated.
The fourth step is the actual implementation of the zero-trust model. This must be aligned with business priorities, and may be deployed in smaller use cases before expanding. Organizations can appoint an officer to oversee and deliver the roadmap for the shift, seeking assistance from external experienced sources.
Finally, the maintenance, monitoring, and improvement of the model is crucial. Organizations must constantly evaluate and challenge the approach to zero trust, including aspects like maintaining the integrity of an organization’s assets. Developing insight into present threats is also important to refine strategies to match evolving risks. This step also includes exploring mechanisms for continuous improvement and adaptability. Zero trust practices must keep up with new technology and the changing digital landscape. Cloud security is one prominent area where zero trust can work with evolving technologies to secure networks.
One of the main facets of successfully implementing a zero-trust model is understanding zero trust beyond the conflicting definitions and varying approaches. Zero trust is a model to be used in addition to and in conjunction with existing practices, and the teams deploying the framework must understand best practices, develop a clear plan, and the path forward to integrating new technologies. All employees play a role in adopting and maintaining the model, and should be kept apprised of what new practices are being introduced and why. The transition to a zero-trust security model is a journey rather than a destination, and requires a large commitment to work properly.
Another key to success is to be able to hear how others have worked to make zero trust a reality in their organizations. Read our eBook to find out more.
About the Author:
PJ Bradley is a writer on a wide variety of topics, passionate about learning and helping people above all else. Holding a bachelor’s degree from Oakland University, PJ enjoys using a lifelong desire to understand how things work to write about subjects that inspire interest. Most of PJ’s free time is spent reading and writing. PJ is also regular writer at Bora.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
