Mapping Out The Journey To Zero Trust

Uploaded on 2023-10-03 in NEWS-Cybersecurity News, FREE TO VIEW

In recent years, Zero Trust has emerged as the gold standard cybersecurity methodology. While its principles have been discussed for a decade or more, we are now seeing a real spike in enterprises leaning into the approach – or, at least, mapping out their strategy towards Zero Trust - and solidifying how it works in practice.

This is not a moment too soon. It now seems fair to describe the continuing rise of cyber risk as inexorable. Not a week goes by without an analyst or research report announcing a new statistic about the increasing rate of attacks, the diversification of methods, or the growing financial losses being caused.

It is now clear that well-implemented, well-governed Zero Trust strategies really do mitigate the damage that a breach can cause. The problem is that anything highly valuable, whether it is a precious metal or a vital technology, is vulnerable to error, hype, and counterfeiting. Enterprises must be sure that their approach to Zero Trust, and the tools they use to enable it, really do live up to the standards that the term promises – because if they do not, an organization may in fact be left in a more vulnerable position than when they started.

Zero Trust In A Nutshell

To understand why that is the case, and how to mitigate that risk, it is worth first pulling back and summarizing what we are talking about when we talk about Zero Trust.

Many vendors now market their products with a promise of enabling, delivering, or constituting a Zero Trust approach. While there may be truth to those claims, it is important to remember that Zero Trust is, first of all, an intellectual framework rather than a technological one.

At its heart, the intellectual leap to be made is about moving away from a model that secures the network which people access assets through, and towards securing those assets themselves in a way that is agnostic about the network being used.

Assets here might be users, applications, servers, cloud platforms, data, APIs, or any other element of IT infrastructure. The ‘zero trust’ of Zero Trust lies in the fact that the authority to access those assets is never assumed, as it might be when users connect through a secured network; instead, access privileges are revalidated at each point of contact.

One consequence of this is that there is no specific route or set of technologies towards establishing Zero Trust. Indeed, different organizations will have very different operating contexts and pre-existing systems which demand different strategies to securing assets at the point of use.

Another consequence is that partial implementations can create real additional risks if not carefully managed. This is because Zero Trust means, by definition, sunsetting some traditional security approaches (though not all), raising the possibility of opening up new vulnerabilities. Given that instantaneously shifting from a classic network-restriction approach to a modern asset-protection approach is not viable, this means that adopting Zero Trust is a long term, evolutionary process.

Building Trust In Zero Trust

Along that journey, each step, initiative, or rollout will need to build holistically on progress so far. That means that it is essential to start with a roadmap to show where the organization is, where it is going, and how it collectively defines Zero Trust in order to guide its decision-making along the way.

A decade ago, any such roadmap would have had to chart a course through relatively unexplored territory. Today, happily, significantly more robust guidance is available, with standards like NIST 800-207 and the Zero Trust Commandments from The Open Group establishing transparent principles and practices that successful Zero Trust strategies should follow.

The most recent snapshot of the latter, published in August this year, takes a highly pragmatic approach of not only defining key terms and principles within the practice of Zero Trust Architecture, but also contextualizing that information from an enterprise perspective with guidance on why Zero Trust is beneficial and what it means from various non-technical perspectives.

In the future, this work will inform more granular guides and reference models to further ease effective Zero Trust implementation. It already, though, clearly answers key business considerations around things like supporting remote work, improving infrastructural agility, and responding at pace to threats and breaches.

The priorities of Zero Trust are priorities shared by almost every enterprise operating today – and this is a map that no enterprise should go without.

John Linford is Security & OTTF Forum Director at The Open Group                    Image: Oliver Le Moal 

You Might Also Read: 

To Succeed With Zero Trust, First Define Success:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Key Security Risks For Small Businesses
The Impact Of Artificial Intelligence On Cybersecurity »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Raytheon Technologies

Raytheon Technologies

Raytheon Intelligence & Space delivers solutions that protect every side of cyber for government agencies, businesses and nations.

Virgil Security

Virgil Security

Virgil Security provides easy-to-deploy and easy-to-use cryptographic software and services for use by developers and end-users.

GuidePoint Security

GuidePoint Security

GuidePoint Security provide information security solutions that enable commercial and federal organizations to more successfully achieve their security and business goals.

CyberProof

CyberProof

CyberProof aims to give clarity and confidence to businesses worldwide using a new risk-based approach to cyber security services.

Renesas Electronics

Renesas Electronics

Renesas Electronics delivers trusted embedded design innovation with solutions that enable billions of connected, intelligent devices to enhance the way people work and live - securely and safely.

Data Theorem

Data Theorem

Data Theorem is a leading provider in modern application security. Its core mission is to analyze and secure any modern application anytime, anywhere.

Dcode

Dcode

Dcode connects the tech industry and government to drive commercial innovation in the federal market.

WisePlant

WisePlant

WisePlant's portfolio of solutions and services includes process measurement, secure automation, industrial cybersecurity, functional safety and more.

Adarma Security

Adarma Security

Adarma are specialists in threat management including SOC design, build & operation.

Detego Global

Detego Global

Detego Global are the creators of the Detego® Unified Digital Forensics Platform, a suite of modular tools used globally by military, law enforcement and intelligence agencies, and enterprises.

Mogwai Labs

Mogwai Labs

Mogwai Labs deliver cutting-edge penetration tests, security assessments and trainings, to safeguard your applications, networks and cloud environments from cyber threats.

StepSecurity

StepSecurity

StepSecurity provides a comprehensive security platform for GitHub Actions.

Robust Intelligence

Robust Intelligence

Robust Intelligence enables enterprises to secure their AI transformation with an automated solution to protect against security and safety threats.

Phone Monitoring Service

Phone Monitoring Service

Phone Monitoring Service provides cyber security services, ethical hacking services, social media hacking services in the USA, Canada, Europe.

Core42

Core42

Core42 provides a full-spectrum of AI enablement solutions covering cloud, data, cybersecurity and digital services designed for customer success.

Hakware

Hakware

Hakware is a next-generation Security Management solution offering a comprehensive OneView of your entire IT and security environment.