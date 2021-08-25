Zero Trust: Essential in the Modern World

As interest in zero trust intensifies, organizations must understand what it is in order to gain the benefits that it is capable of delivering. Organizations should recognize zero trust as a security strategy that can better address the fast-moving and rapid change currently happening across all sectors and industries.

Zero trust is more suitable for protecting and securing critical data, information and systems than the traditional approaches to network security. Organizations can better understand zero trust through three distinct layers:

1: Adopting a Zero Trust Security Strategy

Zero trust is a fundamental shift in organizational mindset, built on the tenet of verifying but never trusting. It looks to reduce the risk associated with lateral movement, regardless of whether an access request or packet originates from outside or inside the organization’s network. Unlike the traditional perimeter-centric focus on security, zero trust is driven by a data-centric approach to protecting organizational resources, including critical data, assets, applications and services referred to within the context of zero trust as a protect surface.

To reap the benefits of zero trust, organizations must re-evaluate the role of security in their organization’s culture. By adopting a zero trust strategy, organizations will have better knowledge of the business environment and organizational resources, allowing them to better align their security practices and behaviors with their mission and operational needs. This way of thinking will help reduce silos and provide a strong foundation for a more holistic and deeper understanding of security in the business context.

Zero trust can help an organization move away from a security culture that is pushed outward from an information security team or function and towards a culture of security that is understood and facilitated by all areas of the business. This fact will leave employees, senior leadership and stakeholders better prepared for, and better protected from, a growing number of threats.

2: Implementing a Zero Trust Operational Environment

Once an organization has chosen to adopt a zero trust strategy and the relevant parties have carried out initial activities to understand its current security posture better, it will need to look at implementing zero trust from a technical perspective.

Zero Trust Network Architecture (ZTNA) refers to the operational environment that an organization will design for putting a zero trust strategy into practice. Unlike a traditional network, the ZTNA

builds upon a data-centric way of thinking about security, one that provides a far greater level of granularity of security controls. This method of designing network security offers the organization a dynamic, contextually driven and detailed way of securing resources.

A ZTNA offers the potential for a more resilient and robust operating environment for organizations, providing the ability to focus on protecting discrete resources while also reducing the friction on routine work activities typically disrupted by cumbersome security practices.

3: Applying Security Tools and Controls

The final component for organizations to consider when adopting and implementing zero trust is applying security tools and controls to help build out the ZTNA to maximize the adequate protection of organizational resources. Many of the tools and controls used to implement a ZTNA are already widely available, and, in many cases, organizations already use them. However, the shift in mindset away from a perimeter-centric security approach towards a data-centric one means these tools and controls become far more efficient and effective.

For example, organizations can implement identity access management tools such as multi-factor authentication, privileged access management and least privilege access to create a set of controls that can be combined to create context-based, least-privilege access. This approach provides only the necessary resources needed for an individual to perform their role. The approach can be further enhanced by architecting the zero trust network with micro-segmentation and software-defined perimeter tools. Context-based, least-privilege access can even be adjusted through automated processes based on the resource(s) needed for one-off projects and tasks.

Organizations looking to adapt to an ever-changing security environment alongside other business, societal, financial and regulatory factors, will benefit hugely from zero trust. While nobody knows what the future holds, the effective adoption and implementation of zero trust will leave organizations better prepared to face the growing complexity, novelty and diversity of threats that are likely to continue over the coming years.