You’d be hard-pressed to find an IT or security professional who hasn’t already heard the term “Zero Trust” and how important it is to modernizing security in a hybrid work world. The recent executive order from the White House emphasizes how important it is for all organizations – private and federal – to adopt a Zero Trust architecture. Although the Zero Trust concept of “never trust, always verify” is a good motto to live by, it is important to understand that, in practice, each organization has different security needs and must balance trade-offs, such as implementing the highest level of security vs. enabling users to quickly get the access they need to get work done.
This is why implementing Zero Trust can be a challenge. Various stakeholders within an organization, from IT and Security to HR and Operations, often have differing stances on which policies introduce too much friction for end-users and which ones are necessary for protecting the business from cyberattacks.
In fact, in a study conducted by Cloudflare, 76% of firms surveyed identified the complexities of user access needs as a blocker to shifting to a Zero Trust approach. Creating a comprehensive Zero Trust model can be fairly complex and often requires a lot of investment and resources to roll out successfully. That’s why a blanket approach to implementing Zero Trust does not work for most organizations. But first, in order to understand how to get started with Zero Trust, we need to cover the basics:
- What is Zero Trust and why does it matter?
- What are the key components of Zero Trust you should look at?
What is Zero Trust?
Zero Trust is one of the most effective security models for controlling access to an organization’s networks, applications, and data. Zero Trust centers around the belief that internal and external networks cannot be trusted. Therefore, organizations must grant access to users only if they have been authenticated and verified – no matter where they are located. This challenges the concept of traditional corporate perimeters and instead suggests establishing micro perimeters around resources and data so that more granular access controls can be enforced.
Zero Trust employs various techniques, such as identity verification, microsegmentation, endpoint security, and least privilege access, to reduce the risk of a breach. In essence, Zero Trust emphasizes that organizations should protect data from the inside out, instead of from the outside in.
4 Key Components of Zero Trust:
- Threats come from inside as well as outside
Zero Trust centers on the belief that external and internal threats exist on the network at any given time. Network locality is no longer sufficient for deciding trust in a network. In fact, a study by Cybersecurity Insiders revealed that as many as 67% of organizations experienced a confirmed insider attack over a period of 12 months, while 68% of organizations observed that insider attacks have become more frequent. Therefore, it is equally important to focus on defending against unauthorized access within your internal network, not just the threats that come from outside the network.
- Never trust, always verify
Zero Trust is the antithesis of the familiar adage “trust, but verify.” Instead, it holds that organizations should “never trust, always verify.” The idea is that you should never assume that user access can be trusted, no matter where the request is coming from. Rather, you should always verify the user is who they say they are before granting the level of access requested. Many organizations, however, must balance strong security controls with usability and user productivity. Therefore, the goal should be not to merely accept Zero Trust, but to put the necessary security controls in place to gain the visibility needed to establish true trust.
- Use microsegmentation
Building security controls around specific resources and data is one way to segment access into different micro-perimeters, which prevents an attack from causing further damage once inside the network. To achieve this, you can set up granular security policies so that only specific users or groups can access a given resource. For example, users in the HR department only get access to applications like Greenhouse and ADP, but not to any customer data in applications like Salesforce or Marketo.
- Enforce least privilege access
Granting least privilege access means providing only the bare minimum of access needed to get the job done. With privileges, you can be very specific about what the individual can actually do without giving them too much access. Granting a user more access than they truly need can open that account up to potential risk in the future. Granular rules are extremely important for enforcing the appropriate access to sensitive data and for limiting the amount of damage an attacker can do in the event that the user’s account is compromised due to stolen credentials.
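The following is an added example, not part of the original article: a default-deny access check that applies the verification, microsegmentation and least privilege rules described above to the HR scenario. The group names, action names, user names and sample requests are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: group -> application -> allowed actions. Default deny.
# Application names come from the article; the action sets are assumed.
POLICY = {
    "hr": {"greenhouse": {"read", "write"}, "adp": {"read"}},
    "sales": {"salesforce": {"read", "write"}, "marketo": {"read"}},
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    verified: bool   # identity verified for this request (e.g. MFA passed)
    network: str     # "internal" or "external": logged, never used to grant
    app: str
    action: str

def decide(req, policy=POLICY):
    """Return (allowed, reason) for one access request."""
    # Never trust, always verify: location does not substitute for identity.
    if not req.verified:
        return False, "identity not verified"
    # Microsegmentation: the app must sit inside one of the user's groups.
    grants = [policy[g][req.app] for g in req.groups
              if g in policy and req.app in policy[g]]
    if not grants:
        return False, "app outside user's micro-perimeter"
    # Least privilege: the action must be explicitly granted.
    if not any(req.action in actions for actions in grants):
        return False, "action not granted"
    return True, "allowed"

# Constructed sample requests.
SAMPLES = [
    Request("ana", frozenset({"hr"}), True, "external", "greenhouse", "write"),
    Request("ana", frozenset({"hr"}), True, "internal", "salesforce", "read"),
    Request("ana", frozenset({"hr"}), True, "internal", "adp", "write"),
    Request("raj", frozenset({"sales"}), False, "internal", "salesforce", "read"),
]

def evaluate(samples=SAMPLES):
    return [decide(r) for r in samples]

if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLES, evaluate()):
        print(f"{req.user:4} {req.network:8} {req.app:10} {req.action:5} -> "
              f"{'ALLOW' if ok else 'DENY'} ({why})")
```

The only request that succeeds comes from an external network, while three internal requests are denied, which shows the decision never depends on network location.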
As security experts in the industry, it is our goal to help you understand what Zero Trust means for your business and identify the practical steps to get there. That’s why it’s imperative to implement a solution that does the hard work for you so that achieving your Zero Trust goals is not just a pipe dream.
Register for our upcoming Zero Trust webinar with Forrester Analyst, Steve Turner, on July 7th at 10am PT / 1pm ET, to learn more about the Zero Trust security approach and how to practically translate it to your own environment.