Mapping Out The Journey To Zero Trust

In recent years, Zero Trust has emerged as the gold standard cybersecurity methodology. While its principles have been discussed for a decade or more, we are now seeing a real spike in enterprises leaning into the approach – or, at least, mapping out their strategy towards Zero Trust - and solidifying how it works in practice.

This is not a moment too soon. It now seems fair to describe the continuing rise of cyber risk as inexorable. Not a week goes by without an analyst or research report announcing a new statistic about the increasing rate of attacks, the diversification of methods, or the growing financial losses being caused.

It is now clear that well-implemented, well-governed Zero Trust strategies really do mitigate the damage that a breach can cause. The problem is that anything highly valuable, whether it is a precious metal or a vital technology, is vulnerable to error, hype, and counterfeiting. Enterprises must be sure that their approach to Zero Trust, and the tools they use to enable it, really do live up to the standards that the term promises – because if they do not, an organization may in fact be left in a more vulnerable position than when they started.

Zero Trust In A Nutshell

To understand why that is the case, and how to mitigate that risk, it is worth first pulling back and summarizing what we are talking about when we talk about Zero Trust.

Many vendors now market their products with a promise of enabling, delivering, or constituting a Zero Trust approach. While there may be truth to those claims, it is important to remember that Zero Trust is, first of all, an intellectual framework rather than a technological one.

At its heart, the intellectual leap to be made is about moving away from a model that secures the network which people access assets through, and towards securing those assets themselves in a way that is agnostic about the network being used.

Assets here might be users, applications, servers, cloud platforms, data, APIs, or any other element of IT infrastructure. The ‘zero trust’ of Zero Trust lies in the fact that the authority to access those assets is never assumed, as it might be when users connect through a secured network; instead, access privileges are revalidated at each point of contact.

One consequence of this is that there is no specific route or set of technologies towards establishing Zero Trust. Indeed, different organizations will have very different operating contexts and pre-existing systems which demand different strategies to securing assets at the point of use.

Another consequence is that partial implementations can create real additional risks if not carefully managed. This is because Zero Trust means, by definition, sunsetting some traditional security approaches (though not all), raising the possibility of opening up new vulnerabilities. Given that instantaneously shifting from a classic network-restriction approach to a modern asset-protection approach is not viable, this means that adopting Zero Trust is a long term, evolutionary process.

Building Trust In Zero Trust

Along that journey, each step, initiative, or rollout will need to build holistically on progress so far. That means that it is essential to start with a roadmap to show where the organization is, where it is going, and how it collectively defines Zero Trust in order to guide its decision-making along the way.

A decade ago, any such roadmap would have had to chart a course through relatively unexplored territory. Today, happily, significantly more robust guidance is available, with standards like NIST 800-207 and the Zero Trust Commandments from The Open Group establishing transparent principles and practices that successful Zero Trust strategies should follow.

The most recent snapshot of the latter, published in August this year, takes a highly pragmatic approach of not only defining key terms and principles within the practice of Zero Trust Architecture, but also contextualizing that information from an enterprise perspective with guidance on why Zero Trust is beneficial and what it means from various non-technical perspectives.

In the future, this work will inform more granular guides and reference models to further ease effective Zero Trust implementation. It already, though, clearly answers key business considerations around things like supporting remote work, improving infrastructural agility, and responding at pace to threats and breaches.

The priorities of Zero Trust are priorities shared by almost every enterprise operating today – and this is a map that no enterprise should go without.

John Linford is Security & OTTF Forum Director at The Open Group                    Image: Oliver Le Moal 

You Might Also Read: 

To Succeed With Zero Trust, First Define Success:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Key Security Risks For Small Businesses
The Impact Of Artificial Intelligence On Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Trend Micro

Trend Micro

Trend Micro is a leader in hybrid cloud, endpoint, and network security solutions.

Cyber Security Recruiters

Cyber Security Recruiters

Cyber Security Recruiters is a niche recruiting firm who finds impact players for our clients in the Information Security Space.

Nullcon

Nullcon

Nullcon provides an integrated platform for exchanging information on the latest attack vectors, zero-day vulnerabilities and unknown threats.

Compnet

Compnet

Compnet is a service company that assists customers in integrating complete ICT systems including network infrastructure and security solutions.

Lirex

Lirex

Lirex offer consulting and outsourcing services, complete design, construction and maintenance of ICT solutions and systems including cybersecurity.

CTM360

CTM360

CTM360 is a unified external security platform offering 24x7x365 Cyber Threat Management for detecting and responding to cyber threats.

Swascan

Swascan

Swascan is the first all-in-one, GDPR Compliant, Cloud Security Suite Platform. GDPR Assessment, Web Application Scan, Network Scan, Code Review.

Arkose Labs

Arkose Labs

Arkose Labs' Fraud and Abuse Platform combines Telemetry and adaptive Enforcement Challenges to break down the ROI of fraudsters and protect digital businesses.

Key Cyber Solutions

Key Cyber Solutions

Key Cyber is an IT consulting firm that specializes in agile software development services, program management and infrastructure services, cyber security and cloud and managed services.

Inveteck Global

Inveteck Global

Inveteck Global is a Ghana-based cyber security firm providing strategic guidance and technical solutions to all our clients to best serve their individual needs.

In Fidem

In Fidem

In Fidem specializes in information security management, with a bold approach that views cybersecurity as a springboard to organizational transformation rather than a barrier to innovation.

Intaso

Intaso

Intaso are a boutique head hunting and talent solution firm with specialist Cyber and Information Security expertise.

AdvIntel

AdvIntel

AdvIntel is a next-generation threat prevention and loss prevention company launched by a team of certified investigators, reverse engineers, and security experts.

Space Hellas

Space Hellas

Space Hellas is a dynamic, established System Integrator and Value Added Solutions Provider, holding a leading position in the high technology arena.

NPCERT

NPCERT

NPCERT is a team of Information Security experts formed to address the urgent need for the protection of national information and growing cybersecurity threat in Nepal.

e-Safer

e-Safer

e-Safer's mission is to provide solutions and services that ensure a safer digital environment.