As 2023 planning kicks into high gear, how many Zero Trust initiatives has your security team surfaced? Which are real Zero Trust or ones just seeking a budget home? What isn’t Zero Trust today?
Forrester Research, creator of the Zero Trust Model more than a decade ago, looks to clear up the matter. Marketing hype has co-opted the term, creating confusion and misunderstanding about the actual definition of Zero Trust and driving skepticism about its practical, real-world implementation.
In its report The Definition of Modern Zero Trust Forrester recounts the evolution of Zero Trust from 2009. The report provides a clear, concise definition of Zero Trust so security teams can cut through the noise to define what Zero Trust is, what it’s not, and what you can do to implement Zero Trust in your organization.
What can security teams take away from the report to guide their 2023 Zero Trust journey? Here’s highlights and Zero Trust initiatives that are rising to the top of CISO 2023 priorities.
From Network to Data
Make data protection a 2023 Zero Trust priority.
It’s no longer about the network, but more about data. Forrester goes so far as to state “data protection is the heart of Zero Trust”.
Data is often the real value of businesses today. By focusing on data and its movement across the digital ecosystem, Forrester creates an extended Zero Trust framework.
Data intersects with all other pillars of the Zero Trust Model – network, workloads, applications and people. Building a framework to implement Zero Trust around data covers a broad range of use cases and makes sense in today’s hybrid workplace.
Network security is typically in the background and invisible to users. As focus moves from networks to data, it’s important to present as little friction as possible, so that security is an easy choice for users.
Align to Business Drivers
Focus on tactical challenges
Past Zero Trust programs often lacked clear business benefits, too often developed around Zero Trust concepts rather than present day challenges.
The hybrid workforce and moving to the cloud are key candidates for introducing Zero Trust into sensitive file protection. Forrester notes compliance as a “secret weapon” to get organizations moving. Insider and supply chain risk, cloud misconfiguration and external threats are all in play for this dataset that’s growing exponentially.
Look to incrementally implement Zero Trust principles in tactical initiatives of immediate relevance to the business. Buy-in with well understood drivers and outcomes will get your organization on the right path to Zero Trust.
Refresh of Key Principles
Implement these updated principles in your data protection initiatives
As attacks have evolved, so has Forrester’s published principles for Zero Trust initiatives.
Principle 1. All entities are untrusted by default and access for every session continuously reviewed and informed by context. Often this context can be the posture of a device, type of workload, attributes around an identity and more.
Principle 2. Least privilege access is enforced. Users, applications, and other computing infrastructure must utilize the bare minimum access needed to perform their function.
Principle 3. Comprehensive security monitoring is implemented. Understand how users operate and assets communicate. Pair this visibility with the tools, processes, and controls required to stop, remediate, and surgically remove or isolate detected threats.
Scope your Zero Trust Data Initiative
Narrow focus for early Zero Trust Wins
Data protection encompasses a broad array of use cases and disparate technologies. Teams should narrow initiatives and look for high pay off returns that bring Zero Trust principles to enhance current solutions.
Structured databases got early attention as network micro-segmentation tightened access to stop lateral movement of threat actors. Look for tokenization and format-preserving encryption projects as next step Zero Trust initiatives in this segment.
Attention is now turning from structured to unstructured data risk as sensitive files are created, accessed, shared, and stored across the hybrid workplace, often with little visibility and control. Traditional solutions failed to scale, and data is mostly monitored rather than protected. Look for file encryption and data-in-use access controls to minimize this risk and drive toward real protection.
Avoid Rip and Replace Initiatives
Enhance data protection by building on existing solutions
Security teams today are adjusting their thinking about Zero Trust as new reference architectures, like National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA), present Zero Trust as a journey. The transition to Zero Trust is a strategic, multi-year process and is unique to each organization based on their enterprise architecture and risk evaluations.
It's important that Zero Trust initiatives meet your organization where you are today. Most organizations have in place some form of data loss protection solutions and are already following a subset of Zero Trust principles.
High pay-off Zero Trust enhancements include control over data in use and self-governing files that carry protection and compliance wherever they travel. Capabilities that deliver deep visibility and universal logging of data usage are even more critical today to provide rich context necessary to inform explicit access decisions.
Read the Forrester report to gain a more in-depth perspective and keep these highlighted guardrails in mind while advancing your 2023 initiatives and Zero Trust Architecture.
