Zero Trust is a business and technological strategy that protects organizations from cyber risks. The strategy focuses on applying mechanisms to authenticate users’ online interactions and to minimize unnecessary user access privileges. The objective is to transition from trusting users’ identities to verifying them.
Zero Trust is not a product. It is a model that offers a means of gradually folding cyber security into the heart of an organization.
How did the Zero Trust model develop?
In 2010, the Zero Trust model was introduced by John Kindervag, then a VP and principal analyst for Forrester Research. In 2018, Forrester updated the original Zero Trust model to include people and devices. This updated version is formally referred to as The Zero Trust eXtended Ecosystem. Notably, many technology leaders simply refer to all versions as Zero Trust.
What are the core principles of Zero Trust?
The core principles of Zero Trust emphasize the use of visibility, analytics and automation to manage policies and to ensure strong security.
- Organizations must identify sensitive data: Organizations that can locate and trace the flow of their sensitive data are well-positioned to determine how to secure it. Once organizations classify and secure the data, they can better control who has access to it.
- Monitor a Zero Trust ecosystem using data analytics: Organizations are encouraged to regularly scan for malicious activity across an entire network.
- Automation and orchestration: Organizations should develop automated policies that can assist with identity verification and application access permissions.
What are the challenges that emerge in implementing the principles of Zero Trust?
According to IDG, Zero Trust can be difficult to achieve.
- Most importantly, CISOs, CTOs, CIOs and others responsible for the actual implementation of Zero Trust principles need to dedicate a lot of time to analyzing the process, and to mapping it to their unique organization. There are numerous ways in which Zero Trust can be implemented.
- Organizations often hold a wealth of sensitive information. It can be challenging to gain visibility into legacy applications that hold such data. This is especially true in organizations that have undergone piecemeal digital transformations.
- Implementing a Zero Trust model using disparate technologies can lead to security gaps, presenting further challenges.
What are the benefits of Zero Trust?
- For many organizations, the ‘defend the castle’ or perimeter-only security approach began to crumble as hackers moved past firewalls and easily maneuvered through internal systems. The Zero Trust model emphasizes steps, such as network segmentation, that block hackers from gaining full access to internal resources.
- The ‘defend the castle’ approach omits the possibility of a malicious insider using credentials to steal or corrupt internal resources. A Zero Trust approach can effectively thwart insider threats.
- With Zero Trust, organizations no longer need to have separate policies for intranet access vs. internet access. Zero Trust allows for a more unified, consistent approach, improving the user (employee) experience.
- Zero Trust can result in increased operational efficiency and overall cost reductions.
An increasing number of organizations are implementing Zero Trust policies and practices. While Zero Trust may present initial challenges, following Zero Trust principles can ultimately lead to more favorable business outcomes.