Stand Down, Marketers: Zero Trust is Not a Product

It’s surprising what marketing has been able to do with such an off-putting term. In almost any context outside of security, zero trust has few, if any, positive connotations. “There is zero, I repeat, zero trust between us” is not really something most people want to hear. It’s abrasive, even aggressive.

When we start talking about zero trust in a workplace context, employees feel targeted, like they’re under observation. Privacy advocates surface as if by magic. Since trust is an integral part of the workplace ecosystem (a botanical term hijacked by corporate speak, by the way), the confusion is understandable. 

Why All the Hype with Zero Trust?

Most people, including IT leaders, see trust as important. We like to broadcast where we place that trust – even to the point that American founding fathers declared it on their currency: “In God we trust.” We trust our spouses, partners, family and close friends. It’s a part of being human that anyone who’s ever tried to persuade money out of your pocket knows well. So small wonder marketers are bending over backwards to spin out enough hype to capture non-technical audiences with a term like zero trust.  

The Latest in a Long Line of Industry-Speak Casualties

All industries have terms and jargon unique to a specific area of expertise. These are often hijacked by big picture thinkers fresh from the weekend management seminar – think Michael Scott (or David Brent). They talk about bandwidth, pinging contacts, working in silos, crossed lines (telephone wires?), open doors and running it up the flagpole. Then there’s the person who promises to circle back, even when their path is linear and in the opposite direction.

So, What Is Zero Trust?

Zero trust is a security term. It’s an approach to protecting digital assets from attack; it’s not about becoming jaded with literally zero trust for anyone, but about zero assumptions of automatic trust based on factors like location (inside or outside of the network perimeter), user or device. Zero implicit trust didn’t have the same ring, not to mention an unfortunate acronym. So zero trust was born. It’s a strategy, a mindset, a belief system – however you wish to classify it, as long as you understand that it’s an evolving strategy to combat evolving threats.

Why the Need for a New Approach?

The shifts to the cloud, remote work, bring your own device (BYOD) policies and the internet of things (IoT) mean it’s no longer effective to simply secure a network perimeter and assume that any activity within is trusted. The zero trust mantra of “never trust, always verify” has clear appeal to IT security professionals. Zero trust can reduce organizational risk from hacking, human error and shadow IT, to name a few. 

Since 100% security is a known fallacy, IT teams that implement zero trust correctly can keep their existing security solutions, such as those that enforce least-privilege access and role-based access controls. Zero trust supplements these “traditional” solutions with a focus on automated solutions that recognize deviations from normal activity, even when users, devices, networks and workloads (in terms of data traffic) are properly verified.

What Zero Trust is Not

To recap, we can’t emphasize enough what zero trust is not:

  • Zero trust is not a product. It is not a solution that says whether or not users or devices can access a network. But implementing zero trust means requiring authorization and authentication of every user session.
  • Zero trust is not an off-the-shelf proposition. Implementation will vary by organization, based on IT infrastructure and specific data protection challenges. 
  • Zero trust is not based on perimeter security. Organizations no longer have an easily defined security perimeter.
  • Zero trust is not an underhanded way to spy on employees. Instead, it’s an evolving strategy to prevent hackers and malicious insiders from taking advantage of earlier security strategies that relied on the trust given to devices and users inside the network. 
  • Zero trust is not just for large enterprises. Organizations of all sizes can benefit from this security strategy. 

Protect the Modern Enterprise With Zero Trust Principles

Don’t be put off by the cold, heartless term ‘zero trust.’ Instead, take it onboard, run it up the flagpole and encourage a new sweet spot for your organization. Imagine your results-driven future as a thought leader, pushing super mission-critical solutions for the next generation of risk-averse solutions and services. Most of all, and don’t lose this in the weeds, not leveraging zero trust can lead to negative growth and significant downsizing from the damage of a data breach. Got all that? Any questions? Our doors, windows and skylights are always open as we trust our neighbors implicitly. Oops!
