The advent of emerging technologies such as robotic process automation, artificial intelligence, and blockchain, as well as heightened security concerns due to the pandemic, bring new cybersecurity risks and challenges.
This evolving technology landscape has made it even more imperative for organizations to better manage cybersecurity risks and become security resilient, and many are turning to a Zero Trust approach to do this.
What is Zero Trust?
According to the National Institute of Standards and Technology (NIST), Zero Trust (ZT) refers to an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.
A Zero Trust architecture (ZTA) uses Zero Trust principles to plan industrial and enterprise infrastructure and workflows. Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership.
Zero Trust is not a tool or a new technology, but a strategic architectural concept, and should be aligned with business objectives.
Why does Zero Trust matter to an organization?
The primary goal of a solid Zero Trust strategy is to extend the control plane from the internal secure assets of the environment as far outward as possible. ZTA is all about “verify, and then trust.”
The COVID-19 pandemic has resulted in many organizations shifting to remote working due to the safety risk and government guidelines, like city lockdowns.
As a result, it has impacted nearly every organization’s cybersecurity strategy. This obviously has posed an external issue for cybersecurity leaders on how they could trust personal devices and home networks to be secured in line with the organization’s security policies and procedures.
In many cases, it has become necessary for cybersecurity leaders to consider implementing controls without trusting the resources in the interest of maintaining business continuity. However, many organizations are now reassessing these practices and transitioning where possible to a Zero Trust approach.
Implementing Zero Trust
The newly released ISO / IEC 27002:2022 Information security, cybersecurity and privacy protection – Information security controls standard provides guidance on implementing Zero Trust principles that organizations can consider, such as:
• Assuming the organization’s information systems are already breached and thus not reliant on network perimeter security alone.
• Employing a “never trust and always verify” approach for access to information systems.
• Ensuring that requests to information systems are encrypted end-to-end.
• Verifying each request to an information system as if it originated from an open, external network, even if these requests originated internally to the organization.
• Using “least privilege” and dynamic access control techniques. (e.g., authentication information, user identities, data about the user endpoint device, and data classification).
• Always authenticating requesters and always validating authorization requests to information systems based on information (e.g., enforcing strong multi-factor authentication).
Why are boardrooms supporting Identity and Zero-Trust initiatives?
Like any security initiative, Zero Trust requires commitment from the board. Zero Trust should involve the board, the chief information security officer, and other leaders to determine priorities and ensure that they will be effectively implemented across the organization.
In general, boardrooms tend to trust insiders, that is, authorized users, rather than outsiders. However, Zero Trust begins with not differentiating insiders and outsiders. An organization’s existing controls may not suffice to address new cybersecurity risks and it may need to implement additional and/or new controls.
Zero Trust is built on the premise that trust cannot be granted forever and needs to be evaluated on a continual basis. Today, many boardrooms are already driving the change and supporting identity and ZT.
Many boardrooms are convinced of the value of ZT after realizing these business benefits:
• Reduction in overall cost and expenditures.
• Reduction in the scope of requirements for compliance related to cybersecurity, as it entails accurately mapping assets, inventories, and data, which decreases the risk of unauthorized access.
• Greater control in the cloud environment through authorized workloads.
• Lower breach potential through verified and approved communications.
• Lower compliance risk.
• Business agility and speed.
• More streamlined user experience, allowing users to be less encumbered by security as part of their daily job.
In summary, achieving Zero Trust does not require the adoption of any new technologies. It’s simply a new approach to cybersecurity to “never trust, always verify,” or to eliminate any and all trust, as opposed to the more traditional perimeter-based security approach that assumes user identities have not been compromised, and all human actors are responsible and can be trusted.
Zero Trust does not eliminate trust completely but uses technologies to enforce the principle that no user and no resource has access until it has been proven it can and should be trusted—and in the process, strengthen cybersecurity defenses.