Mapping Out The Journey To Zero Trust

Uploaded on 2023-10-03 in NEWS-Cybersecurity News, FREE TO VIEW

In recent years, Zero Trust has emerged as the gold standard cybersecurity methodology. While its principles have been discussed for a decade or more, we are now seeing a real spike in enterprises leaning into the approach – or, at least, mapping out their strategy towards Zero Trust - and solidifying how it works in practice.

This is not a moment too soon. It now seems fair to describe the continuing rise of cyber risk as inexorable. Not a week goes by without an analyst or research report announcing a new statistic about the increasing rate of attacks, the diversification of methods, or the growing financial losses being caused.

It is now clear that well-implemented, well-governed Zero Trust strategies really do mitigate the damage that a breach can cause. The problem is that anything highly valuable, whether it is a precious metal or a vital technology, is vulnerable to error, hype, and counterfeiting. Enterprises must be sure that their approach to Zero Trust, and the tools they use to enable it, really do live up to the standards that the term promises – because if they do not, an organization may in fact be left in a more vulnerable position than when they started.

Zero Trust In A Nutshell

To understand why that is the case, and how to mitigate that risk, it is worth first pulling back and summarizing what we are talking about when we talk about Zero Trust.

Many vendors now market their products with a promise of enabling, delivering, or constituting a Zero Trust approach. While there may be truth to those claims, it is important to remember that Zero Trust is, first of all, an intellectual framework rather than a technological one.

At its heart, the intellectual leap to be made is about moving away from a model that secures the network which people access assets through, and towards securing those assets themselves in a way that is agnostic about the network being used.

Assets here might be users, applications, servers, cloud platforms, data, APIs, or any other element of IT infrastructure. The ‘zero trust’ of Zero Trust lies in the fact that the authority to access those assets is never assumed, as it might be when users connect through a secured network; instead, access privileges are revalidated at each point of contact.

One consequence of this is that there is no specific route or set of technologies towards establishing Zero Trust. Indeed, different organizations will have very different operating contexts and pre-existing systems which demand different strategies to securing assets at the point of use.

Another consequence is that partial implementations can create real additional risks if not carefully managed. This is because Zero Trust means, by definition, sunsetting some traditional security approaches (though not all), raising the possibility of opening up new vulnerabilities. Given that instantaneously shifting from a classic network-restriction approach to a modern asset-protection approach is not viable, this means that adopting Zero Trust is a long term, evolutionary process.

Building Trust In Zero Trust

Along that journey, each step, initiative, or rollout will need to build holistically on progress so far. That means that it is essential to start with a roadmap to show where the organization is, where it is going, and how it collectively defines Zero Trust in order to guide its decision-making along the way.

A decade ago, any such roadmap would have had to chart a course through relatively unexplored territory. Today, happily, significantly more robust guidance is available, with standards like NIST 800-207 and the Zero Trust Commandments from The Open Group establishing transparent principles and practices that successful Zero Trust strategies should follow.

The most recent snapshot of the latter, published in August this year, takes a highly pragmatic approach of not only defining key terms and principles within the practice of Zero Trust Architecture, but also contextualizing that information from an enterprise perspective with guidance on why Zero Trust is beneficial and what it means from various non-technical perspectives.

In the future, this work will inform more granular guides and reference models to further ease effective Zero Trust implementation. It already, though, clearly answers key business considerations around things like supporting remote work, improving infrastructural agility, and responding at pace to threats and breaches.

The priorities of Zero Trust are priorities shared by almost every enterprise operating today – and this is a map that no enterprise should go without.

John Linford is Security & OTTF Forum Director at The Open Group                    Image: Oliver Le Moal 

You Might Also Read: 

To Succeed With Zero Trust, First Define Success:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Key Security Risks For Small Businesses
The Impact Of Artificial Intelligence On Cybersecurity »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Trustwave

Trustwave

Trustwave is a leader in managed detection and response (MDR), managed security services (MSS), consulting and professional services, database security, and email security.

Agari

Agari

Agari is the Trusted Email Identity Company™, protecting brands and people from devastating phishing and socially-engineered attacks.

CryptTalk

CryptTalk

CryptTalk is an easy-to-use secure communication service.

Custodio Technologies

Custodio Technologies

Custodio Technologies was established as a Singaporean R&D Centre of Israel Aerospace Industries (IAI) in order to spearhead R&D activities in the field of cyber early warning.

IoTsploit

IoTsploit

IoTsploit provides 20/20 visibility of network connections, protecting critical infrastructure assets from IoT vulnerabilities.

Cloudentity

Cloudentity

Cloudentity combines Identity for all things with API and Application security in a unique deployment model, combining cloud-transformation and legacy systems.

ePlus

ePlus

ePlus designs and delivers effective, integrated cybersecurity programs centered on culture and technology, aimed at mitigating business risk and empowering digital transformation.

LOGbinder

LOGbinder

LOGbinder eliminates blind spots in security intelligence for endpoints and applications.

INE

INE

INE is a premier provider of Technical Training for the IT industry.

National Institute for Research & Development in Informatics (ICI Bucharest) - Romania

National Institute for Research & Development in Informatics (ICI Bucharest) - Romania

ICI Bucharest is the most important institute in the field of research, development and innovation in information and communication technology (ICT) in Romania.

Grindstone Ventures

Grindstone Ventures

Grindstone Ventures is a post-seed fund that supports post-seed equity and quasi-equity investments in early-stage innovation-driven and/or technology companies.

Accenture

Accenture

Accenture is a leading global professional services company providing a range of strategy, consulting, digital, technology & operations services and solutions including cybersecurity.

B2Bcert

B2Bcert

B2BCERT one of the top companies offering ISO 9001, ISO 14001, ISO 45001, ISO 22000, ISO 27001, ISO 20000,CE Marking, HACCP, and other globally accepted standards and Management solutions.

Secuvy

Secuvy

Secuvy leads in data security, privacy, compliance, and governance, offering a unified platform for proactive data discovery, management, protection, and enhanced data value.

Hack-X Security

Hack-X Security

Hack-X Security provide IT risk assessment and Digital Security Services. We are a trusted standard for businesses that must protect their data from cyber-attacks.

CODA Intelligence

CODA Intelligence

CODA's AI-powered attack surface management platform helps you sort out the important remediations needed in order to avoid exploits on your systems.