Zero-trust is without a doubt the new buzzword of cybersecurity, and a trend that has dominated discussions around the security priorities of both public and private-sector organizations over the past several years. It’s an approach that treats each and every user, device, application and workload as untrusted and does not grant access to any resources until a device or identity has been tested and verified.
As organizations embark on their zero-trust journeys, there will be countless vendors eager to provide their assistance and expertise. However, before even engaging with prospective vendors, there are several things organizations should consider doing.
In fact, to successfully implement zero-trust, they must understand that zero-trust is not a solution that can be purchased or installed, nor a simple task that can be checked off a to-do list. It is rather an ongoing project and journey with no expiration date, and a change in mindset about how one operates a business securely.
What is Zero-Trust Security?
2022 might be the year that zero-trust is implemented in a mainstream way. Large global corporations like Microsoft continue to develop and implement zero-trust security frameworks and models, while the White House is also taking a greater stance on zero-trust initiatives, as illustrated in President Biden’s Executive Order, which was published earlier this year.
But…what exactly is zero-trust? Where did it come from? And most importantly, how can it be effectively implemented to enhance the security posture of an organization?
While zero-trust can often get lost in marketing jargon, it’s a critical framework that has the power not only to reduce the known security risks of the past, but also to reduce the new and evolving security risks of the future — if and when put into practice correctly.
Simply put, zero-trust is about eliminating the level of trust from an organization’s network architecture. A term first coined in 2010 by then-Forrester Research analyst John Kindervag, zero-trust follows the motto of “never trust, always verify,” instead of the traditional mantra of “trust, but verify.”
In many ways, zero-trust can be viewed as a natural expansion and evolution of the least-privilege approach, where users are only given the level of access needed to fulfill their job role and responsibilities.
However, with zero-trust safeguards, even when a user has already been authenticated once, an organization may impose additional authentication requirements and block that user from any applications or services for which they do not have explicit permission. This helps eliminate the risk of lateral movement by any attackers who successfully enter an organization’s network.
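To make the "authenticated once, still verified on every request" idea concrete, here is an added example (not code from the original article or from the author's organization) of a per-request policy check. Every request carries the identity, the device it comes from and the resource it wants; a prior successful login grants nothing by itself. The grant table, the device-posture rules and the 15-minute re-authentication window are assumptions constructed for this example, as are the sample users, devices and resources.

```python
"""Per-request authorization in the zero-trust style: no decision is carried
over from an earlier request. All data in this module is constructed for the
example; the grant table and posture rules are assumptions, not a real policy."""
from dataclasses import dataclass
from typing import List, Tuple

# Explicit grants: which user may reach which resource. Anything absent is denied.
GRANTS = {
    "alice": {"hr-portal", "wiki"},
    "bob": {"wiki"},
}

# Assumed policy: strong authentication must be no older than 15 minutes.
MFA_MAX_AGE_SECONDS = 15 * 60


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in device management
    disk_encrypted: bool
    patch_level_ok: bool


@dataclass(frozen=True)
class Request:
    user: str
    device: Device
    resource: str
    mfa_age_seconds: int   # seconds since the user's last strong authentication


# Denials are recorded so that repeated failures (the "noise" an attacker makes
# when probing for lateral movement) are visible to the security team.
audit_log: List[dict] = []


def device_posture_ok(device: Device) -> bool:
    """Device must be managed, encrypted and patched to be trusted at all."""
    return device.managed and device.disk_encrypted and device.patch_level_ok


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Evaluated for every request, never per session.

    Order matters: device health and authentication freshness are checked
    before the grant table, so a stolen session on an unhealthy device is
    refused even for resources the user is normally allowed to reach."""
    if not device_posture_ok(req.device):
        decision = (False, "device posture")
    elif req.mfa_age_seconds > MFA_MAX_AGE_SECONDS:
        decision = (False, "stale authentication")
    elif req.resource not in GRANTS.get(req.user, set()):
        decision = (False, "no explicit grant")
    else:
        decision = (True, "ok")
    if not decision[0]:
        audit_log.append({"user": req.user, "device": req.device.device_id,
                          "resource": req.resource, "reason": decision[1]})
    return decision


def decide_all(requests: List[Request]) -> List[str]:
    """Evaluate a sequence of requests from one session and return the reasons."""
    return [authorize(r)[1] for r in requests]


if __name__ == "__main__":
    laptop = Device("lt-1", managed=True, disk_encrypted=True, patch_level_ok=True)
    # Bob authenticates once and is allowed into the wiki, yet the very next
    # request to the HR portal is denied: the earlier success is not reused.
    session = [
        Request("bob", laptop, "wiki", 60),
        Request("bob", laptop, "hr-portal", 61),
    ]
    for reason in decide_all(session):
        print(reason)
    print(audit_log)
```

The point of the ordering is that a session token alone never unlocks anything: the request is rejected if the device has drifted out of compliance or the strong authentication has aged out, and only then is the explicit grant consulted. The `audit_log` is where a detection team would look for the pattern of many "no explicit grant" denials from one identity that indicates probing for lateral movement.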
How Do Organizations Start Their Zero-Trust Journey?
Implementing zero-trust is very much about how you practice security within the organization and about having zero assumptions — not vendor solutions. Organizations do not become a zero-trust shop, they practice a zero-trust mindset.
It’s also critical to remember that every organization’s zero-trust journey will be different, addressing unique and specific business risks that will vary depending on size of the organization and the industry it operates within.
I’m actually not a big fan of the name “zero-trust” and prefer to think of it as continuous verification or making zero assumptions — but the security approach of the zero-trust mindset is a solid baseline that organizations should put into practice to reduce the risks from cyberattacks.
Don’t Worry About Vendors
The first step should be creating a detailed inventory of all the devices, users and systems that exist within the network, which will help identify where security gaps may exist. From there, organizations can then develop a list of clear security goals that they would like to achieve on their zero-trust journey.
For example, what security controls in the organization should be enhanced and by when? This will help dictate the steps required to achieve such outcomes. It is only after the completion of a full inventory of assets, coupled with a strategy with clear outcomes defined to address specific cybersecurity goals, that discussions with legitimate vendors should commence.
Vendor partners can help develop supplemental and unique plans moving forward. Most vendors provide features that help put zero-trust security controls in place to support you on your journey, so it is important to map out the risks to which you want to apply a zero-trust framework and mindset.
Culture Change & Zero-Trust Accountability
Organizations must also recognize that zero-trust is a collective, collaborative and cross-functional effort within an organization. While IT and security teams will play a significant role in the development and implementation of zero-trust frameworks, their work alone will not be highly effective. Executive and senior leadership support and buy-in are another important, often overlooked component of successful initiatives. Executives should be actively involved when creating zero-trust plans to ensure implementation within existing and future organizational strategies.
As for execution and delivery, there should be a clear blueprint as to who is responsible for various parts of a zero-trust framework. Security and non-security focused teams must work together to address and remediate issues, while keeping expectations realistic. Zero-trust is a journey with multiple phases and multiple steps to maturity, wherein the short-term return on investment may be difficult to convey and measure.
Zero-trust represents a significant change in organizational culture and mindset. It is an approach where every activity and user is considered privileged, and therefore requires continuous verification; an approach that can help organizations establish a baseline of security controls that are applied repeatedly, forcing cybercriminals into taking more risks.
Finally, it is a philosophy that ultimately gives cyber-defenders and security teams a stronger chance of detecting attackers early and preventing catastrophic cyber-incidents. Zero-trust is all about reducing the risks and making it more difficult for cybercriminals to be successful.
After all, the more we force cybercriminals to take more risks, the more noise they’ll make — thus giving the cyber-defenders a better chance at detecting them early enough to prevent serious security incidents from occurring.
Joseph Carson is Chief Security Scientist and Advisory CISO at ThycoticCentrify.