Dec 23, 2021
0 0

Beyond the Cyber Buzzwords: What Executives Should Know About Zero Trust

Written by

Learn about Insider
Member Preferences
BrandPosts are written and edited by members of our sponsor community. BrandPosts create an opportunity for an individual sponsor to provide insight and commentary from their point-of-view directly to our audience. The editorial team does not participate in the writing or editing of BrandPosts.
What Does “Zero Trust” Really Mean? 
Invented in 2010 by Forrester Research, Zero Trust is a cybersecurity model enterprises can leverage to remove risky, implicitly trusted interactions between users, machines and data. The Zero Trust model provides a process for organizations to protect themselves from threats no matter what vector the threat originates from—whether from across the world or from Sandy down the hall. The three main principles to follow to realize the benefits of this model were:
After 11 years, these ideas and principles have matured in the face of growing digital transformation, remote work, and bring-your-own-device proliferation. New principles have developed in light of the U.S. Federal Government mandating Zero Trust, codified in the NIST 800-207 with further details in the NCCoE’s Zero Trust Architecture. Those principles are: 
Why Is This Important in Cybersecurity? 
The move toward Zero Trust has been one of the more significant shifts in how business approaches security. Before adopting a Zero Trust mindset, most companies tried to manage security as a gated function. Once a transaction was validated in the gated area, it was innately trusted. 
This approach presents a problem because threat vectors do not always originate outside that area. Also, the world at large continues to adopt digital transformation and hybrid workforces, nullifying the concept of resources only existing behind a gate. Zero Trust methods require validating each element of every interaction continually—no matter where they occur—including all users, machines, applications, and data. There is no area of implicit trust. 
What Is the Spin Around This Buzzword? 
Many vendors today productize Zero Trust, naming their products as “Zero Trust solutions” in and of themselves, rather than acknowledging that Zero Trust is a model and strategic framework, not a product solution. When looking at the cybersecurity market, you’ll see vendors try to claim a supposed title is “THE Zero Trust player.” 
On closer inspection, however, those vendors typically only address a single principle of Zero Trust. For example, creating tunneling services between users and applications. This aligns with the second original principle: adopt a least-privileged strategy and strictly enforce access control. However, that same vendor might fail on the first principle: ensure that all resources are accessed securely, regardless of location. When they implicitly trust that the user is not a threat vector, they do not scan for malware or exploits inside the tunnel. 
Others may cover only some of the aspects of the first original principle, like trying to claim identity and authorization checks are what make Zero Trust. Vendors may also suggest that only web-based traffic needs to be scanned. However, when only partial coverage of the model is implemented, companies risk creating an implicit trust that opens them up to vulnerabilities that would be otherwise covered in the remaining principles.
Our Advice: What Should Executives Consider When Adopting Zero Trust? 
The first step is to reframe your thinking on how enterprises should be secured, moving from a gated approach to one that continuously validates all interactions. To help make that shift: 
Next, enact changes with a plan, beginning with your enterprise’s most critical users, assets, and interactions. Those will be your crown jewels and things that may be related to finance or intellectual property. Then, over time, expand your purview to include all interactions. The plan should cover how the users, applications, and infrastructure go through each of the four parts of an interaction when requesting a resource. 
The final step in this transformation is really a recurring event: maintaining and monitoring.
Questions to Ask Your Team to Successfully Adopt Zero Trust 
To learn more about what complete Zero Trust security looks like, click here.
Sponsored Links
Buyer’s Guides
Awards programs
View the archive


Article Categories:
Cloud Security

Comments are closed.