Zero trust isn’t something you can just buy; you need to build it consistently across your organization. In a recent report, Cisco said nearly 90% of organizations have begun embracing zero trust security. But of the 4,700 global information security professionals questioned only 2% said they have mature deployments, with the majority (86.5%) starting to implement some aspects of zero trust.
So, where and how should organizations start with zero trust?
Zero trust is a popular marketing catchphrase for IT security companies but it can be hard to pin down the meaning. That’s because zero trust is not simply a solution you can buy, it is more like a plan for rethinking basic security assumptions. The current interest in it reflects a broader cultural change where businesses and authorities are hardening their attitudes to all kinds of risk.
Zero trust is a security strategy which encapsulates a set of security principles, including:
- Verify every time
- Use least privilege for access
- Assume a breach has already occurred
Ultimately, the zero trust approach builds on the concept of privileged access management and adds more layers of security to build 365-degree protection. In a world where security threats have created deep paranoia, IT professionals need to remove implicit “trust” wherever possible. So, the approach becomes “never trust, always verify”.
Head of Cyber Security, CSI Ltd.
Zero Trust as a framework for an IT security architecture
Zero trust is best defined as a framework to secure a complex network from internal and external threats, particularly where many security incidents come from the misuse of user credentials.
IBM explains Zero Trust as a philosophy where it is assumed that every user and every connection is a threat, and so the corporate network needs defense against these potential risks. It includes several security measures to provide continuous network monitoring and validation to ensure that every user has the correct privileges and attributes:
- Logs and inspects all corporate network traffic
- Limits and controls access to the network
- Verifies and secures network resources
Zero trust is, therefore, a framework where authentication, authorization and validation are used to secure users’ access from inside and outside of the network, and this includes cloud-based connections and remote workers. It manages the permissions given to every device, the applications they can run and the data they can access, save, encrypt and transport.
A zero trust approach is recommended because now, with increased remote working and so many organizations relying on the cloud for their networks, the traditional network edge has eroded and there is a more diverse mix of users, technologies and applications which needs to be secured.
Even more challenging is how traditional security policies and tools are less effective across modern IT environments, and this creates a new headache for security professionals.
Best practice for IT security in the cloud
Zero trust is fundamentally different to traditional privileged access management which only addresses the security of users within the network and does not guard against cases where a user’s credentials are misused. A zero trust approach should also secure the network from risks coming from the wider cloud-based environment.
Threats are increasing daily
Cyber security threats have increased to new levels since 2023, with a worrying new surge in state-sponsored cyber activities targeting institutions. Phishing remains the greatest threat, causing 90% of data breaches. Microsoft mitigated an average of 1,435 distributed denial of service attacks each day in 2022, thought to be an increase of 67%. From 2023 there have been 300,000 new malware incidents each day, attempting to gain unauthorized access or disrupt IT systems. While Gartner predicts that 45% of organizations will suffer a supply chain cyber attack by 2025.
So, why with these frightening statistics are organizations so slow to adopt zero trust?
It’s because zero trust needs a new security paradigm which requires time, resource, skills and the right products. Many organisations are looking at zero trust in the context of their own cloud-connected architectures where an extended network uses public and hybrid cloud and remote working. They often have fixed compliance needs. They will typically have a mixed estate and their legacy architecture doesn’t easily support the ideas in the zero trust model. It may not support modern authentication methods or secure protocol. It may seem that a whole new security architecture is required.
Added to this, IT security specialists are often fully occupied with ongoing monitoring and managing the response to alerts. There’s a concern that adding more products would make the whole set-up more complex to manage and maintain.
Identity is key
Increasingly, and as more market research surfaces, analysts are building connections between breaches and compromised and abused privileged credentials. A reported 80% of breaches are targeting user credentials, therefore, businesses should look to have a robust identity strategy at the top of their agenda. With digital transformation projects, enterprises are faced with controlling data access and security for their own employees, contractors, suppliers, customers, and devices.
Identity is the ‘new’ perimeter in a cloud-native world. Allowing credentials without challenge or validation goes against best practices and industry wisdom, exposing an organisation to greater risk. Identity, as a shorthand for managing and validating user access and privileges, remains the only constant in today’s way of working.
Finding a feasible way to build zero trust
A zero trust policy can be broken down into a number of smaller, manageable parts based on NIST’s five stage security model. Vulnerability scanning, attack surface management and asset management can be grouped are all tasks under the ‘identifying’ stage. Identity management and SSO / MFA come under the ‘protect’ umbrella. Anti-malware / EDR, SIEM, MDR services and Log Management all come under the ‘detect’ umbrella.
For each stage in the model there are one or more cybersecurity tools such as risk-based multi-factor authentication, identity protection, end-point security and encryption that can be utilized to build that section of the security architecture. It’s useful to bring clarity and define an approach that will deliver on the zero trust ambition.
The most practical approach is to leverage the model to build zero trust around the technology and managed services that you already have in place and do as much as you can with these.
Key to success is to assemble a suite of tools from best-of-breed vendors to deliver against the zero trust model without adding unnecessary complexity. You should choose tools that dovetail together and that once in operation will provide a series of levers you can use to manage your zero trust policy on a day by day basis. Once you have these in place you will be better protected and considerably reduce your risk of a cyber security breach.
We’ve listed the best online cybersecurity course.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro