Mapping Out The Journey To Zero Trust

In recent years, Zero Trust has emerged as the gold standard cybersecurity methodology. While its principles have been discussed for a decade or more, we are now seeing a real spike in enterprises leaning into the approach – or, at least, mapping out their strategy towards Zero Trust - and solidifying how it works in practice.

This is not a moment too soon. It now seems fair to describe the continuing rise of cyber risk as inexorable. Not a week goes by without an analyst or research report announcing a new statistic about the increasing rate of attacks, the diversification of methods, or the growing financial losses being caused.

It is now clear that well-implemented, well-governed Zero Trust strategies really do mitigate the damage that a breach can cause. The problem is that anything highly valuable, whether it is a precious metal or a vital technology, is vulnerable to error, hype, and counterfeiting. Enterprises must be sure that their approach to Zero Trust, and the tools they use to enable it, really do live up to the standards that the term promises – because if they do not, an organization may in fact be left in a more vulnerable position than when they started.

Zero Trust In A Nutshell

To understand why that is the case, and how to mitigate that risk, it is worth first pulling back and summarizing what we are talking about when we talk about Zero Trust.

Many vendors now market their products with a promise of enabling, delivering, or constituting a Zero Trust approach. While there may be truth to those claims, it is important to remember that Zero Trust is, first of all, an intellectual framework rather than a technological one.

At its heart, the intellectual leap to be made is about moving away from a model that secures the network which people access assets through, and towards securing those assets themselves in a way that is agnostic about the network being used.

Assets here might be users, applications, servers, cloud platforms, data, APIs, or any other element of IT infrastructure. The ‘zero trust’ of Zero Trust lies in the fact that the authority to access those assets is never assumed, as it might be when users connect through a secured network; instead, access privileges are revalidated at each point of contact.

One consequence of this is that there is no specific route or set of technologies towards establishing Zero Trust. Indeed, different organizations will have very different operating contexts and pre-existing systems which demand different strategies to securing assets at the point of use.

Another consequence is that partial implementations can create real additional risks if not carefully managed. This is because Zero Trust means, by definition, sunsetting some traditional security approaches (though not all), raising the possibility of opening up new vulnerabilities. Given that instantaneously shifting from a classic network-restriction approach to a modern asset-protection approach is not viable, this means that adopting Zero Trust is a long term, evolutionary process.

Building Trust In Zero Trust

Along that journey, each step, initiative, or rollout will need to build holistically on progress so far. That means that it is essential to start with a roadmap to show where the organization is, where it is going, and how it collectively defines Zero Trust in order to guide its decision-making along the way.

A decade ago, any such roadmap would have had to chart a course through relatively unexplored territory. Today, happily, significantly more robust guidance is available, with standards like NIST 800-207 and the Zero Trust Commandments from The Open Group establishing transparent principles and practices that successful Zero Trust strategies should follow.

The most recent snapshot of the latter, published in August this year, takes a highly pragmatic approach of not only defining key terms and principles within the practice of Zero Trust Architecture, but also contextualizing that information from an enterprise perspective with guidance on why Zero Trust is beneficial and what it means from various non-technical perspectives.

In the future, this work will inform more granular guides and reference models to further ease effective Zero Trust implementation. It already, though, clearly answers key business considerations around things like supporting remote work, improving infrastructural agility, and responding at pace to threats and breaches.

The priorities of Zero Trust are priorities shared by almost every enterprise operating today – and this is a map that no enterprise should go without.

John Linford is Security & OTTF Forum Director at The Open Group                    Image: Oliver Le Moal 

You Might Also Read: 

To Succeed With Zero Trust, First Define Success:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Key Security Risks For Small Businesses
The Impact Of Artificial Intelligence On Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

4ARMED

4ARMED

4ARMED services cover the end-to-end experience of securing modern software, from design and build through to deploy and test.

Promon

Promon

Promon is an application security vendor providing Self-Protection abilities to Mobile apps and Desktop applications.

CROW - University of Waikato

CROW - University of Waikato

CROW is the first cyber security lab established in a New Zealand educational institution at the University of Waikato.

Paramount Computer Systems

Paramount Computer Systems

Paramount is a regional leader in the Middle East for cybersecurity solutions and consulting services.

MAY Cyber Technology

MAY Cyber Technology

MAY Cyber Technology is a Security Management solutions provider located in Turkey & Germany.

HYPR

HYPR

HYPR Decentralized Authentication minimizes the risk of enterprise data breaches while providing an enhanced user experience for your customers and employees.

CloudMask

CloudMask

CloudMask patent technology provides Dynamic Data Masking (DDM) that masks sensitive data, structured or non-structured, in real-time.

Squalio

Squalio

Squalio is an information technology group that delivers solutions and services for secure and effective IT management.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

SecureData

SecureData

SecureData provide professional data recovery services, digital forensics, data recovery software and FIPS 140-2 Level 3 Validated hardware encrypted drives.

NXTsoft

NXTsoft

NXTsoft’s solutions help businesses secure, connect and optimize their data to maximize revenue opportunities, enhance profitability, and mitigate cybersecurity risk.

Future Planet Capital

Future Planet Capital

Future Planet is the impact-led, global venture capital firm built to invest in high growth potential companies from the world's top research centres.

Accops Systems

Accops Systems

Accops enables secure and instant remote access to business applications from any device and network, ensuring compliant enterprise mobility.

VENZA

VENZA

VENZA is a data protection company that can help organisations mitigate their vulnerabilities and ensure compliance, keeping guests and their data safe from breaches.

runZero

runZero

runZero delivers the most complete security visibility possible, providing you the ultimate foundation for successfully managing exposures and compliance.

Maveris

Maveris

Maveris is an IT and cybersecurity company committed to helping organizations create secure digital solutions to accelerate their mission.