What Is zero-trust security, and should your business adopt it?
When I started in cybersecurity over 20 years ago, the focus was on minimizing the attack surface or ways that a threat actor could get in. Since then, a lot has changed, including our approach to mitigating cyber risk and protecting data and digital ecosystems.
Today, a new focus is on a zero-trust security architecture.
The zero-trust architecture goes beyond the traditional “trust but verify” approach towards a more comprehensive approach to security that requires all users, whether in or outside the organization’s network, to be continuously authenticated, authorized and validated before being granted access to network applications and data. For organizations managing a hybrid workplace or e-commerce environment, zero-trust is the proposed answer to many of cybersecurity’s most significant problems today.
ChatGPT training built for everyone
Not only did the pandemic accelerate many organizations’ intentions to adopt the zero-trust architecture, but it has also extended into federal agencies, with the U.S. Office of Management and Budget recently sharing a government-wide strategy for adopting zero-trust architecture principles across federal agency networks.
The first step to determining if a zero-trust architecture fits your business is understanding the key elements of a zero-trust approach, security measures you should adopt and actionable steps to improve your business’s security posture.
What is zero-trust?
Before zero-trust, the assumption was that the security architecture could trust anything and anyone on the premises of a business. As work environments dramatically shift toward “work from anywhere” and migration to the cloud accelerates, it’s much harder to monitor who or what is coming in and out of your security ecosystem, including cyber threats.
Using a zero-trust security mindset, no device or end user should be trusted regardless of its operation source. This zero-trust policy extends to users, devices or workloads that exist in and outside your security ecosystem.
Zero-trust security, at its core, starts with the general statement, “no one should have automatic access to anything,” forcing all systems, code and people to request access to data and other resources. Then, decisions are made on a case-by-case basis as to whether access is granted or denied.
One real-life example of what zero-trust looks like is physical security at an office building. When an employee arrives at work, they would be required to show an ID and employee badge at the front desk to get access to the building, multifactor authentication to access their email and work applications every time they log in, badge-access to specific conference rooms or office areas, with verification of their identity and access permissions each step of the way. To make this approach truly effective in this example, employees must also be invested in zero-trust by reporting suspicious activity or people on the physical property, unlocked computer screens or people badging others into restricted areas.
Overall, the concept focuses on a strict, “trust no one” approach, ensuring that only users who need access to specific data are allowed to have it, increasing the visibility of all activity and authenticating access to all systems.
Why use zero-trust?
While zero-trust may seem cumbersome, it is an effective way to keep your data and business safe from growing cyber threats.
Arguably the most beneficial part of a zero-trust architecture is that it is a forcing function to clean up an organization’s security environment, including increasing visibility into what and who has access to different assets and environments. You can’t protect what you don’t understand or can’t track and see. Identifying and classifying all of your organization’s assets and access points can go a long way toward improving your overall security posture.
Other benefits of implementing a zero-trust strategy include:
- Increases your ability to quickly isolate threats or compromised assets
- Improves activity visibility and ability to respond quickly to threats
- Reduces the ability for an intruder to move within your organization’s environment undetected
Phishing simulations & training
Add the human element for success
In a zero-trust architecture, you may think the responsibility falls entirely on the IT or security team, but even a perfectly configured security environment and well-trained technical team is not enough for zero-trust to be a success. Successfully implementing zero-trust requires not only new integrated tools and technologies but also instituting operational policies and authentication requirements that support them.
Cybercriminals rely on employees to infiltrate organizations, with more than 80% of cyber incidents starting with the human element. By training your employees to change their security habits and adopt the “trust nothing, verify everything” mindset themselves, you can achieve an additional layer of security.
An example of when this mindset could prevent a cyber incident is within a phishing attempt, where a cybercriminal impersonates a well-trusted source to manipulate an employee to click a malicious link or share sensitive information. If an employee applies this zero-trust mindset, they’ll know to not trust this suspicious email and to verify the request with your security team or a third party.
The most effective way to address the challenge of implementing a zero-trust approach is by increasing awareness throughout your workforce with ongoing security training, security highlights in internal communications channels and security or phishing simulations. One way organizations have embedded security into their culture is by including cyber hygiene goals within their organization’s annual performance metrics.
According to Deloitte, “To enforce access control, companies must have situational awareness of their data and assets; companies that lag on basic cyber hygiene principles and practices may be challenged to realize the full benefits of zero-trust.”
By making employees more resilient against threats, your organization can significantly minimize damage if an attack occurs and reduce people-focused attacks across the ecosystem.
Getting Started
To build a zero-trust architecture, you must start with having visibility into your environment and infrastructure, and relatively good accountability of where your data is and how it’s currently being utilized and interacted with.
The largest obstacles companies most often face when implementing a zero-trust framework are a lack of data classification and segmentation, budget, availability of resources and expertise. However, with zero-trust gaining popularity, there are more resources and partners than ever before to help your business implement these security measures.
Beyond your tech stack and IT team, one low-cost, high-impact tactic every organization can do today is implementing zero-trust at the employee level. By establishing this culture of “trust nothing, verify everything,” organizations can secure a key vector that cybercriminals rely on to get into their ecosystems today. This culture of zero-trust also sets the stage for the successful adoption of zero-trust processes and technologies at a later date, because employees already understand the “why” behind these changes.
Even if a full-blown, zero-trust architecture is not attainable for your organization today, every step towards a zero-trust security strategy and mindset is a step towards a better security posture.
Phishing simulations & training
Sources
- 2022 Data Breach Investigations Report, Verizon
- Tech Trends 2021, Deloitte