



What does “Zero Trust” mean?

Introduced by Forrester Research in 2010, Zero Trust is a cybersecurity model that eliminates risky, implicitly trusted interactions between users, machines, and data. The Zero Trust model gives organizations a process for protecting themselves from threats regardless of the vector the threat arrives through, whether from the other side of the world or from Sandy down the hall. The three main principles to follow in order to realize the benefits of this model are:

1. Ensure secure access to all resources, regardless of location.
2. Adopt a least-privilege strategy and strictly enforce access control.
3. Inspect and log all traffic.

Eleven years later, these ideas and principles have matured in the face of widespread digital transformation, remote work, and personally owned devices. New principles have been developed in the light of the US federal government mandating Zero Trust. The model was codified in NIST 800-207 and explained in more detail in NCCoE’s Zero Trust Architecture. The principles are as follows:

1. Move from network segmentation to protecting resources such as assets, services, workflows, and network accounts.
2. Make authentication and authorization (of both the subject/user and the device) a discrete function performed in every session, using strong authentication.
3. Ensure continuous monitoring.

Why is this important in cyber security?

The move to Zero Trust is one of the more important changes in the way businesses approach security. Before adopting the Zero Trust concept, most companies treated security as a gate function: once a transaction had been validated at the gate, it was essentially trusted from then on.

This approach is problematic because threats do not always originate outside the gate. Moreover, digital transformation and the worldwide hybrid workforce have overturned the notion that resources exist only behind the gate. The Zero Trust method requires continuous validation of every element of every interaction, including all users, machines, applications, and data, regardless of where it takes place. There is no zone of implicit trust.

What is the spin around this buzzword?

Today, many vendors have commercialized Zero Trust, naming their products “Zero Trust Solutions” rather than acknowledging that Zero Trust is a model and strategic framework, not a product. Across the cybersecurity market, vendors compete to claim the title of “Zero Trust player”.

On closer inspection, however, these vendors typically support only a single principle of Zero Trust. For example, a vendor may provide a tunneling service between the user and the application. That is consistent with the second original principle, a least-privilege strategy with strict access control. But the same vendor can fail the first principle, ensuring secure access to all resources regardless of location: if the user is implicitly trusted not to be a threat vector, traffic inside the tunnel is never inspected for malware or exploits.

Others cover only some aspects of the original principles, for example claiming that identity or authorization checks alone create Zero Trust, or suggesting that only web-based traffic needs to be inspected. When only part of the model is implemented, the enterprise risks creating pockets of implicit trust that remain exposed to the weaknesses the remaining principles address.

Our advice: What should executives consider when adopting Zero Trust?

The first step is to rethink how the enterprise is protected, moving from a gated approach to one that continuously validates all interactions. To help make that shift:

Define the resources your company needs to protect, where they reside, and the interactions that must flow to them. Remember that every interaction created by users, applications, and infrastructure/devices must be covered. Understand that each interaction consists of four parts: identity, access, device/workload, and transaction.

Then plan the changes, starting with the company’s most important users, assets, and interactions. These are your crown jewels and are typically related to finance or intellectual property. Over time, expand the scope to include all interactions. The plan must cover how users, applications, and infrastructure pass through each of the four parts of the interaction when requesting resources.

The final step in this transformation is actually a recurring activity: maintenance and monitoring.

Use continuous monitoring to account for every check that occurs, including intermittent ones. As standards continue to evolve, look for ways to improve your current model so that it covers more and more interactions.
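As an added illustration that is not part of the original article, the following Python sketch shows what it looks like to evaluate all four parts of an interaction (identity, device/workload, access, transaction) on every request rather than once at a gate, with each decision logged for continuous monitoring. The `PolicyDecisionPoint` class, its rules, and the sample user and devices are constructed for this example and are not any vendor's or standard's API.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    """One interaction, split into the four parts named in the article."""
    identity: dict     # who is asking: attributes asserted by the identity provider
    device: dict       # from what: device / workload posture
    resource: str      # what is being accessed
    transaction: str   # which operation is requested, e.g. "read" or "transfer"

@dataclass
class PolicyDecisionPoint:
    """Evaluates every request; nothing is trusted because a prior request passed."""
    allow_rules: dict                  # (user, resource) -> set of permitted transactions
    max_auth_age_s: int = 900          # how recent the authentication must be for a session
    audit_log: list = field(default_factory=list)

    def evaluate(self, req: Request, now: float) -> bool:
        reasons = []
        # 1. Identity: strong (MFA) authentication that is recent enough for this session.
        if not req.identity.get("mfa"):
            reasons.append("identity: no MFA")
        if now - req.identity.get("auth_time", 0) > self.max_auth_age_s:
            reasons.append("identity: authentication too old")
        # 2. Device / workload: posture is re-checked on each request, not once at a gate.
        if not (req.device.get("managed") and req.device.get("disk_encrypted")):
            reasons.append("device: non-compliant posture")
        # 3. Access: least privilege, an explicit allow per resource and transaction.
        permitted = self.allow_rules.get((req.identity.get("user"), req.resource), set())
        if req.transaction not in permitted:
            reasons.append("access: transaction not permitted")
        # 4. Transaction: every decision, allowed or denied, is logged for monitoring.
        decision = not reasons
        self.audit_log.append({"user": req.identity.get("user"), "resource": req.resource,
                               "transaction": req.transaction, "allow": decision, "reasons": reasons})
        return decision

def demo() -> list:
    """Constructed scenario: same user and session, but device posture and time change."""
    pdp = PolicyDecisionPoint(allow_rules={("alice", "ledger"): {"read"}})
    ident = {"user": "alice", "mfa": True, "auth_time": 1_000}
    ok_device = {"managed": True, "disk_encrypted": True}
    bad_device = {"managed": True, "disk_encrypted": False}
    return [
        pdp.evaluate(Request(ident, ok_device, "ledger", "read"), now=1_100),      # True
        pdp.evaluate(Request(ident, ok_device, "ledger", "transfer"), now=1_200),  # False: least privilege
        pdp.evaluate(Request(ident, bad_device, "ledger", "read"), now=1_300),     # False: posture drifted
        pdp.evaluate(Request(ident, ok_device, "ledger", "read"), now=2_500),      # False: re-auth required
    ]
```

A gate-style design would have allowed the last two requests because the first one passed; here each request is judged on its own, and the audit log records the denials with their reasons.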

Questions for your team to ask in order to adopt Zero Trust successfully

1. What are the system-critical datasets, applications, and features?
2. How can each of the four parts of every interaction with these resources be protected, regardless of who or what is requesting them?
3. What is your plan for continuously monitoring critical events, such as logs, to establish baselines and detect anomalous behavior?
4. What is your strategy for choosing vendors to support your Zero Trust goals, and what more must be done that their products cannot cover?
5. What is your strategy for moving from covering one resource to covering all resources, and what scalability do products and people need in order to do this?


