Zero trust is a security framework that takes a ‘never trust, always verify’ approach. Parties attempting to access IT resources must first prove their identity and authority to do so.

The roots of zero trust can be traced back to 2004, when an international group of CISOs known as the Jericho Forum first started conversations around the concept of ‘de-perimeterisation’. Forrester analyst John Kindervag later developed a more formal zero trust security framework in 2010, but it was when Google adopted the model in 2014 and began publishing their journey under the name of BeyondCorp, that it started to gain mainstream acceptance.

In the wake of high-profile cyber attacks such as those that affected Optus, Medibank, and Latitude Financial, the importance of zero trust has come under a renewed spotlight. Unfortunately, in some cases, companies such as the ones just mentioned fell victim to an attack even though they had other sophisticated security measures in place and were meeting current compliance frameworks.

Unfortunately, many Australian organisations still tend to take the traditional “she’ll be right” attitude when it comes the adoption of zero trust. Many appear content to wait for legislation that compels them to make investments in the tools required to make the concept a reality.

Other challenges also abound, as reported by Forrester Consulting. The company recently undertook a survey of IT decision-makers across Australia and New Zealand that found that while 46% of organisations are interested in adopting the strategy, internal teams were facing the usual issues of a lack of time or expertise to effectively make use of zero trust.

Whilst 83% of decision-makers see zero trust as the future of their organisation’s security, only 52% of security teams and 40% of operational business or technology teams were seen as supporters at the outset of zero trust implementations.

This is somewhat different from attitudes in the United States. There, President Biden issued an executive order back in 2021 that requires all government agencies to make zero trust a part of their security posture. Similar moves are taking place in Europe.

Another barrier to widespread adoption of zero trust is the fact that many cyber security vendors have taken the term and linked it to their product names. They claim that if an organisation buys their product they will be zero trust compliant, which is simply not true. Zero trust is a strategy or framework and not a single product.

The benefits of zero trust adoption

While adoption of zero trust in Australia could be driven faster, there is growing understanding of the significant security benefits such a strategy can deliver. It can allow organisations to build upon their existing security frameworks and provide significantly greater protection.

It does this by providing micro security perimeters around key IT assets. Unless a user can demonstrate they have permission to access those assets, access will be denied.

This approach is a mindset change from more traditional, perimeter-based security strategies. In those cases, unauthorised parties were kept out of a firewalled environment while authorised parties were free to access any resources they required.

In recent years, this approach has become increasingly unviable. Rather than sitting in a secure data centre behind a firewall, IT assets are now just as likely to be in a cloud environment. Users, most of whom would have previously worked from a central office, are now regularly connecting from home.

Embracing the strategy

Zero trust is also appealing for increasing numbers of organisations because it does not require a ‘big bang’ approach to its adoption. Security teams can adopt a modular strategy where the most important IT assets are ringfenced first before attention is turned to other areas.

One popular strategy involves segmenting an organisation’s IT infrastructure into a number of groups including data, devices, users and workspaces. Zero trust can be deployed to each in turn with overall security gradually improving.

Zero trust also augments any perimeter protection measures an organisation might have in place. If a cyber criminal is able to breach those measures, they will still find it very difficult to access the resources and systems they are seeking.

This approach is appealing when you consider that a significant number of security incidents occur as a result of stolen user credentials. Even if a criminal has been able to obtain credentials, their movement within the target infrastructure will be limited.

To be truly effective, zero trust must also be supported by a range of prevention-first security measures that have been incorporated into an organisation’s IT infrastructure. These measures proactively guard against and prevent intrusion and attacks before they are able to breach through a company’s defences and in this way, reduce the chances of loss and disruption.

An effective prevention-first security strategy needs to have three core attributes. It must be comprehensive to protect against a wide variety of cyber threats, consolidated to reduce complexity and increase protection, and collaborative so that all security measures work together as a cohesive whole.

Ongoing evolution

Since its inception in the early 2000’s, zero trust has undergone constant evolution and this is unlikely to stop any time soon. The mainstream emergence of concepts such as generative artificial intelligence will cause organisations to rethink their security measures and make use of zero trust strategies in new ways.

It’s clear that zero trust has much to offer organisations as they seek to improve their levels of protection against the rising tide of cyber threats. Indeed, the Australian Signals Directorate in conjunction with all Five Eyes cyber security agencies including the FBI and NSA, has recently released a joint cyber security advisory on the topic of 2022 Top Routinely Exploited Vulnerabilities with recommendations on how to mitigate them. This includes recommendations on implementing a zero trust architecture to block lateral movement by controlling access to applications, devices and databases.

Consider making it part of your future security strategy. For more cyber strategy insights, please see CyberTalk.org’s past coverage. Lastly, to receive more timely cyber security insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.