Mapping Out The Journey To Zero Trust

In recent years, Zero Trust has emerged as the gold standard cybersecurity methodology. While its principles have been discussed for a decade or more, we are now seeing a real spike in enterprises leaning into the approach – or, at least, mapping out their strategy towards Zero Trust – and solidifying how it works in practice.

This is not a moment too soon. It now seems fair to describe the continuing rise of cyber risk as inexorable. Not a week goes by without an analyst or research report announcing a new statistic about the increasing rate of attacks, the diversification of methods, or the growing financial losses being caused.

It is now clear that well-implemented, well-governed Zero Trust strategies really do mitigate the damage that a breach can cause. The problem is that anything highly valuable, whether it is a precious metal or a vital technology, is vulnerable to error, hype, and counterfeiting. Enterprises must be sure that their approach to Zero Trust, and the tools they use to enable it, really do live up to the standards that the term promises – because if they do not, an organization may in fact be left in a more vulnerable position than when it started.

Zero Trust In A Nutshell

To understand why that is the case, and how to mitigate that risk, it is worth first pulling back and summarizing what we are talking about when we talk about Zero Trust.

Many vendors now market their products with a promise of enabling, delivering, or constituting a Zero Trust approach. While there may be truth to those claims, it is important to remember that Zero Trust is, first of all, an intellectual framework rather than a technological one.

At its heart, the intellectual leap to be made is about moving away from a model that secures the network which people access assets through, and towards securing those assets themselves in a way that is agnostic about the network being used.

Assets here might be users, applications, servers, cloud platforms, data, APIs, or any other element of IT infrastructure. The ‘zero trust’ of Zero Trust lies in the fact that the authority to access those assets is never assumed, as it might be when users connect through a secured network; instead, access privileges are revalidated at each point of contact.

One consequence of this is that there is no specific route or set of technologies towards establishing Zero Trust. Indeed, different organizations will have very different operating contexts and pre-existing systems which demand different strategies for securing assets at the point of use.

Another consequence is that partial implementations can create real additional risks if not carefully managed. This is because Zero Trust means, by definition, sunsetting some traditional security approaches (though not all), raising the possibility of opening up new vulnerabilities. Given that instantaneously shifting from a classic network-restriction approach to a modern asset-protection approach is not viable, this means that adopting Zero Trust is a long-term, evolutionary process.

Building Trust In Zero Trust

Along that journey, each step, initiative, or rollout will need to build holistically on progress so far. That means that it is essential to start with a roadmap to show where the organization is, where it is going, and how it collectively defines Zero Trust in order to guide its decision-making along the way.

A decade ago, any such roadmap would have had to chart a course through relatively unexplored territory. Today, happily, significantly more robust guidance is available, with standards like NIST 800-207 and the Zero Trust Commandments from The Open Group establishing transparent principles and practices that successful Zero Trust strategies should follow.

The most recent snapshot of the latter, published in August this year, takes a highly pragmatic approach of not only defining key terms and principles within the practice of Zero Trust Architecture, but also contextualizing that information from an enterprise perspective with guidance on why Zero Trust is beneficial and what it means from various non-technical perspectives.

In the future, this work will inform more granular guides and reference models to further ease effective Zero Trust implementation. It already, though, clearly answers key business considerations around things like supporting remote work, improving infrastructural agility, and responding at pace to threats and breaches.

The priorities of Zero Trust are priorities shared by almost every enterprise operating today – and this is a map that no enterprise should go without.

John Linford is Security & OTTF Forum Director at The Open Group

Image: Oliver Le Moal
