Kiran Bhujle, Cybersecurity Leader at SVAM International Inc. and Adjunct Faculty, Technology Risk Management at Columbia University ERM.
In the dynamic and ever-changing world of cybersecurity, conventional security methods that rely on perimeter defenses are no longer adequate to safeguard organizations against sophisticated cyber threats. Consequently, the zero-trust strategy has emerged as a revolutionary approach to bolstering cybersecurity.
This article delves into the key concepts, core principles and implementation considerations of zero trust, highlighting its pivotal role in establishing a highly secure and robust digital ecosystem.
What Zero Trust Is
Zero trust is not a product that can be purchased off the shelf or accomplished quickly; instead, it is a progressive journey that spans multiple years. This security strategy withholds implicit trust from users, devices or applications solely based on a specific property, such as their network location. Instead, it assumes potential breaches and diligently verifies each request as if it originated from an untrusted network.
Beyond being just a theoretical concept, zero trust is a concrete security model, prominently featuring segmentation within the internal security zone. This segmentation is achieved through a service-based or microservice architecture, effectively inserting an additional security layer between virtual machines. Segmentation offers significant benefits by isolating and establishing boundaries, thus minimizing the risk of a significant security compromise. Each security boundary acts as an alert mechanism, enhancing overall protection.
Considering the prevalence of distributed workforces in modern digital business models, zero trust becomes even more crucial in fortifying the security posture of organizations. It ensures that robust security measures are consistently applied to maintain a secure digital environment regardless of the geographical location or network from which requests originate.
Why Zero Trust?
In the past, data was stored and maintained exclusively within an organization’s physical premises, with security measures focused on monitoring and protecting all incoming and outgoing data. The belief was that everything within the premises could be trusted. However, the workspace concept has evolved significantly, expanding beyond the confines of organizational walls. Employees can access the organization’s assets from mobile devices or cloud software, regardless of location. As a result, security perimeters are no longer confined to the traditional boundaries of an organization.
Data is constantly being exchanged between various entities, including SaaS applications, IaaS applications, IoT devices, remote users and data centers. This extensive data exchange exposes it to greater risk, providing cybercriminals with multiple entry points to exploit in order to breach the organization’s network.
Principles Of Zero Trust
The concept of zero trust encompasses numerous aspects, yet it can be refined into the following core principles.
Never Trust; Always Verify
Every time a user, application or device initiates a new connection, it is essential to authenticate and authorize that attempt, regardless of whether it originates from within the corporate network. Trust cannot be assumed automatically for these connections.
Implement Least Privilege
Grant users and applications only the necessary access required to fulfill their job responsibilities effectively without going beyond those requirements. This involves implementing measures such as just-in-time and just-enough-access controls, risk-based adaptive policies and data protection mechanisms to limit the access of users, services and applications.
Assume Breach
Assuming that a breach has occurred or is likely to occur at any time, every user, device or application attempting to access network resources is treated as potentially untrusted, regardless of location or previous trust status. This ensures continuous authentication, authorization and verification of every access request, regardless of whether it originates from within or outside the organization’s network.
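The three principles above (never trust, always verify; least privilege; assume breach) can be made concrete as a per-request policy decision. The following is an added example, not code from the article or from any product: a small policy engine that evaluates every request on identity (a fresh MFA assertion), device posture (managed or not), a scoped and time-boxed grant (just-enough and just-in-time access) and a user risk score (risk-based adaptive policy). The source network is recorded for logging but is deliberately never a trust input. All names, resources, devices, risk scores and the fixed "current time" are constructed for illustration.

```python
"""Per-request zero-trust access evaluation (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed "current time"


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    resource: str
    action: str          # "read" or "write"
    mfa_verified: bool
    source_network: str  # "corp-lan" or "internet": logged, never trusted
    ts: datetime


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    actions: frozenset   # just-enough access: only the actions the job needs
    expires: datetime    # just-in-time access: the grant lapses on its own


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


class ZeroTrustPolicy:
    """Explicit verification of every request; no implicit trust from location."""
    HIGH_RISK = 70      # constructed thresholds for the adaptive policy
    ELEVATED_RISK = 40

    def __init__(self, managed_devices, grants, risk_scores):
        self.managed_devices = frozenset(managed_devices)
        self.grants = tuple(grants)
        self.risk_scores = dict(risk_scores)

    def _active_grant(self, req):
        for g in self.grants:
            if g.user == req.user and g.resource == req.resource and g.expires > req.ts:
                return g
        return None

    def evaluate(self, req):
        # 1. Device posture: unmanaged devices never get access (assume breach).
        if req.device_id not in self.managed_devices:
            return Decision(False, "device not managed")
        # 2. Identity: a fresh MFA assertion is required on every new connection,
        #    also from the corporate LAN (never trust, always verify).
        if not req.mfa_verified:
            return Decision(False, "MFA not verified")
        # 3. Least privilege: access exists only through a scoped, unexpired grant.
        grant = self._active_grant(req)
        if grant is None:
            return Decision(False, "no active grant for resource")
        if req.action not in grant.actions:
            return Decision(False, f"action '{req.action}' outside granted scope")
        # 4. Risk-based adaptive policy: high risk denies outright, elevated
        #    risk degrades the session to read-only.
        risk = self.risk_scores.get(req.user, 0)
        if risk >= self.HIGH_RISK:
            return Decision(False, f"user risk {risk} too high")
        if risk >= self.ELEVATED_RISK and req.action != "read":
            return Decision(False, f"user risk {risk}: write denied, read-only")
        return Decision(True, "verified identity, device, grant and risk")


def build_sample_policy():
    """Constructed sample policy: five users, one resource, two risky users."""
    later, lapsed = NOW + timedelta(hours=4), NOW - timedelta(hours=1)
    grants = [
        Grant("alice", "hr-db", frozenset({"read"}), later),
        Grant("bob", "hr-db", frozenset({"read", "write"}), lapsed),   # JIT grant expired
        Grant("carol", "hr-db", frozenset({"read"}), later),
        Grant("dave", "hr-db", frozenset({"read", "write"}), later),
        Grant("erin", "hr-db", frozenset({"read", "write"}), later),
    ]
    return ZeroTrustPolicy({"D1", "D2", "D4", "D5"}, grants, {"dave": 85, "erin": 50})


def run_samples():
    """Evaluate constructed requests; returns {case name: Decision}."""
    policy = build_sample_policy()

    def req(user, device, action, mfa, net):
        return Request(user, device, "hr-db", action, mfa, net, NOW)

    cases = {
        "alice_lan_no_mfa": req("alice", "D1", "read", False, "corp-lan"),
        "alice_internet_mfa": req("alice", "D1", "read", True, "internet"),
        "alice_write": req("alice", "D1", "write", True, "internet"),
        "bob_expired": req("bob", "D2", "read", True, "corp-lan"),
        "carol_unmanaged": req("carol", "D9", "read", True, "corp-lan"),
        "dave_high_risk": req("dave", "D4", "read", True, "corp-lan"),
        "erin_elevated_write": req("erin", "D5", "write", True, "corp-lan"),
        "erin_elevated_read": req("erin", "D5", "read", True, "corp-lan"),
    }
    return {name: policy.evaluate(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:22s} {'ALLOW' if d.allow else 'DENY ':5s} {d.reason}")
```

The two alice cases are the point of the first principle: the request from the corporate LAN without MFA is denied while the same user from the internet with MFA is allowed, because location never enters the decision. The bob case shows a just-in-time grant lapsing on its own, and the erin cases show the adaptive policy narrowing access rather than simply blocking it.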
How Organizations Can Start Their Zero-Trust Journey
1. Identify the attack surface.
Identifying the attack surface is crucial in implementing a zero-trust security approach. It involves thoroughly assessing and understanding the various points within an organization’s network, systems and applications that malicious actors could target.
2. Map the data flows.
Understand how data moves within an organization’s network and systems. Visualize and document the paths data takes from its source to its destination, including the interactions between users, applications and services. Organizations can gain insights into potential vulnerabilities, access points and security requirements by mapping data flows.
3. Build a pilot zero-trust environment.
Set up a pilot zero-trust environment by designing and deploying a scaled-down version of the zero-trust architecture to evaluate and verify its efficacy before broader adoption.
4. Create a zero-trust policy.
Establish guidelines, measures and practices required to deploy a zero-trust framework where no entity or activity is inherently trusted and strict access controls are enforced at every level.
5. Expand the zero-trust landscape.
Building on the pilot deployment, broaden the application of zero-trust principles beyond traditional boundaries and extend their reach to encompass the various parts of an organization’s ecosystem, including cloud, IoT, supply chain, AI/ML, etc.
6. Continuously monitor.
Implement robust monitoring and analytics capabilities to continuously assess the effectiveness of the zero-trust implementation. Leverage real-time threat intelligence, user behavior analytics and incident response mechanisms to promptly identify and respond to emerging threats.
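Step 6 is where the decisions made by the policy layer become detection input. As an added example (not code from the article or from any vendor), the block below parses constructed access-decision log lines and applies three simple monitoring rules of the kind the step describes: repeated denials for one user inside a sliding window, a user's first allowed access to a resource outside their behavioral baseline (a minimal form of user behavior analytics) and any attempt from an unmanaged device. The log format, the users, resources, devices and the baseline are all constructed for the example.

```python
"""Monitoring rules over constructed zero-trust access-decision logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one access decision per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) resource=(?P<resource>\S+) '
    r'action=(?P<action>\S+) decision=(?P<decision>allow|deny) reason="(?P<reason>[^"]*)"$'
)

SAMPLE_LOG = """\
2024-01-15T09:00:00Z user=alice device=D1 resource=hr-db action=read decision=allow reason="verified"
2024-01-15T09:01:00Z user=bob device=D2 resource=finance-api action=write decision=deny reason="MFA not verified"
2024-01-15T09:02:30Z user=bob device=D2 resource=finance-api action=write decision=deny reason="MFA not verified"
2024-01-15T09:04:00Z user=bob device=D2 resource=finance-api action=write decision=deny reason="action 'write' outside granted scope"
2024-01-15T09:05:00Z user=carol device=D9 resource=hr-db action=read decision=deny reason="device not managed"
2024-01-15T09:06:00Z user=alice device=D1 resource=source-repo action=read decision=allow reason="verified"
this line is malformed and is skipped by the parser
""".splitlines()

# Constructed behavioral baseline: resources each user normally touches.
BASELINE = {"alice": {"hr-db"}, "bob": {"finance-api"}}


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(lines, baseline, deny_threshold=3, window=timedelta(minutes=10)):
    """Run the three rules in log order; returns a list of (rule, user, detail)."""
    alerts = []
    denies = defaultdict(list)   # user -> timestamps of denials inside the window
    fired_denials = set()        # users already alerted on, to avoid re-firing
    seen_new = set()             # (user, resource) pairs already alerted on
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts, resource = rec["user"], rec["ts"], rec["resource"]
        if rec["decision"] == "deny":
            # Rule 1: repeated denials within a sliding time window.
            denies[user] = [t for t in denies[user] if ts - t <= window] + [ts]
            if len(denies[user]) >= deny_threshold and user not in fired_denials:
                fired_denials.add(user)
                alerts.append(("repeated_denials", user,
                               f"{deny_threshold} denials within {window}"))
            # Rule 3: any access attempt from a device outside management.
            if rec["reason"] == "device not managed":
                alerts.append(("unmanaged_device", user,
                               f"device {rec['device']} attempted {resource}"))
        elif resource not in baseline.get(user, set()):
            # Rule 2: first allowed access to a resource outside the user's baseline.
            if (user, resource) not in seen_new:
                seen_new.add((user, resource))
                alerts.append(("unusual_resource", user,
                               f"first allowed access to {resource}"))
    return alerts


def run_detection():
    """Apply the rules to the constructed sample log."""
    return detect(SAMPLE_LOG, BASELINE)


if __name__ == "__main__":
    for rule, user, detail in run_detection():
        print(f"{rule:18s} {user:6s} {detail}")
```

Rule 2 deliberately fires only on allowed requests: a denial already surfaces through the policy layer, whereas a successful access to something a user has never touched is the signal a reviewer would otherwise miss. In practice the baseline would be learned from history rather than written by hand, and each alert would feed the incident response mechanism the step mentions.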
Final Thoughts
By following the fundamental steps outlined above, organizations can establish the groundwork for a zero-trust journey, ensuring the company’s and its workforce’s safety and security. Adopting a proactive “assume breach” mindset in cybersecurity enables organizations to anticipate and assess risks rather than relying solely on reactive measures in the face of a cyber crisis.
This approach helps empower organizations to be well-prepared for inevitable security challenges, allows for a thorough analysis of potential risks and enables teams to adapt and respond effectively to emerging threats.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.