What Is zero-trust security, and should your business adopt it?
When I started in cybersecurity over 20 years ago, the focus was on minimizing the attack surface or ways that a threat actor could get in. Since then, a lot has changed, including our approach to mitigating cyber risk and protecting data and digital ecosystems.
Today, a new focus is on a zero-trust security architecture.
The zero-trust architecture goes beyond the traditional “trust but verify” approach towards a more comprehensive approach to security that requires all users, whether in or outside the organization’s network, to be continuously authenticated, authorized and validated before being granted access to network applications and data. For organizations managing a hybrid workplace or e-commerce environment, zero-trust is the proposed answer to many of cybersecurity’s most significant problems today.
ChatGPT training built for everyone
Not only did the pandemic accelerate many organizations’ intentions to adopt the zero-trust architecture, but it has also extended into federal agencies, with the U.S. Office of Management and Budget recently sharing a government-wide strategy for adopting zero-trust architecture principles across federal agency networks.
The first step to determining if a zero-trust architecture fits your business is understanding the key elements of a zero-trust approach, security measures you should adopt and actionable steps to improve your business’s security posture.
What is zero-trust?
Before zero-trust, the assumption was that the security architecture could trust anything and anyone on the premises of a business. As work environments dramatically shift toward “work from anywhere” and migration to the cloud accelerates, it’s much harder to monitor who or what is coming in and out of your security ecosystem, including cyber threats.
Using a zero-trust security mindset, no device or end user should be trusted regardless of its operation source. This zero-trust policy extends to users, devices or workloads that exist in and outside your security ecosystem.
Zero-trust security, at its core, starts with the general statement, “no one should have automatic access to anything,” forcing all systems, code and people to request access to data and other resources. Then, decisions are made on a case-by-case basis as to whether access is granted or denied.
One real-life example of what zero-trust looks like is physical security at an office building. When an employee arrives at work, they would be required to show an ID and employee badge at the front desk to get access to the building, multifactor authentication to access their email and work applications every time they log in, badge-access to specific conference rooms or office areas, with verification of their identity and access permissions each step of the way. To make this approach truly effective in this example, employees must also be invested in zero-trust by reporting suspicious activity or people on the physical property, unlocked computer screens or people badging others into restricted areas.
Overall, the concept focuses on a strict, “trust no one” approach, ensuring that only users who need access to specific data are allowed to have it, increasing the visibility of all activity and authenticating access to all systems.
Why use zero-trust?
While zero-trust may seem cumbersome, it is an effective way to keep your data and business safe from growing cyber threats.
Arguably the most beneficial part of a zero-trust architecture is that it is a forcing function to clean up an organization’s security environment, including increasing visibility into what and who has access to different assets and environments. You can’t protect what you don’t understand or can’t track and see. Identifying and classifying all of your organization’s assets and access points can go a long way toward improving your overall security posture.
Other benefits of implementing a zero-trust strategy include:
- Increases your ability to quickly isolate threats or compromised assets
- Improves activity visibility and ability to respond quickly to threats
- Reduces the ability for an intruder to move within your organization’s environment undetected
ChatGPT training built for everyone
Add the human element for success
In a zero-trust architecture, you may think the responsibility falls entirely on the IT or security team, but even a perfectly configured security environment and well-trained technical team is not enough for zero-trust to be a success. Successfully implementing zero-trust requires not only new integrated tools and technologies but also instituting operational policies and authentication requirements that support them.
Cybercriminals rely on employees to infiltrate organizations, with more than 80% of cyber incidents starting with the human element. By training your employees to change their security habits and adopt the “trust nothing, verify everything” mindset themselves, you can achieve an additional layer of security.
An example of when this mindset could prevent a cyber incident is within a phishing attempt, where a cybercriminal impersonates a well-trusted source to manipulate an employee to click a malicious link or share sensitive information. If an employee applies this zero-trust mindset, they’ll know to not trust this suspicious email and to verify the request with your security team or a third party.
The most effective way to address the challenge of implementing a zero-trust approach is by increasing awareness throughout your workforce with ongoing security training, security highlights in internal communications channels and security or phishing simulations. One way organizations have embedded security into their culture is by including cyber hygiene goals within their organization’s annual performance metrics.
According to Deloitte, “To enforce access control, companies must have situational awareness of their data and assets; companies that lag on basic cyber hygiene principles and practices may be challenged to realize the full benefits of zero-trust.”
By making employees more resilient against threats, your organization can significantly minimize damage if an attack occurs and reduce people-focused attacks across the ecosystem.
Getting Started
To build a zero-trust architecture, you must start with having visibility into your environment and infrastructure, and relatively good accountability of where your data is and how it’s currently being utilized and interacted with.
The largest obstacles companies most often face when implementing a zero-trust framework are a lack of data classification and segmentation, budget, availability of resources and expertise. However, with zero-trust gaining popularity, there are more resources and partners than ever before to help your business implement these security measures.
Beyond your tech stack and IT team, one low-cost, high-impact tactic every organization can do today is implementing zero-trust at the employee level. By establishing this culture of “trust nothing, verify everything,” organizations can secure a key vector that cybercriminals rely on to get into their ecosystems today. This culture of zero-trust also sets the stage for the successful adoption of zero-trust processes and technologies at a later date, because employees already understand the “why” behind these changes.
Even if a full-blown, zero-trust architecture is not attainable for your organization today, every step towards a zero-trust security strategy and mindset is a step towards a better security posture.
Phishing simulations & training
Sources
- 2022 Data Breach Investigations Report, Verizon
- Tech Trends 2021, Deloitte
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- What Is zero-trust security, and should your business adopt it?
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization