Zero trust is not something that can simply be bought; you must develop it consistently throughout your organization. In a recent report, Cisco said that nearly 90% of organizations have begun adopting zero trust security. But of the 4,700 global information security professionals surveyed, only 2% said they had mature implementations, while the majority (86.5%) have started implementing some aspects of zero trust.
So where and how should organizations start with zero trust?
Zero trust is a popular marketing slogan among IT security companies, but it can be difficult to pin down the meaning. This is because zero trust is not simply a solution that can be purchased, but rather a plan to rethink basic security assumptions. The current interest in it reflects a broader cultural change in which companies and authorities are toughening their attitudes to all types of risks.
Zero trust is a security strategy that encapsulates a set of security principles, including:
- Verify explicitly, every time
- Use least-privilege access
- Assume a breach has already occurred
Ultimately, the zero trust approach builds on the concept of privileged access management and adds more layers of security to create 360-degree protection. In a world where security threats have created deep paranoia, IT professionals must eliminate implicit “trust” wherever possible. Hence the approach is “never trust, always verify.”
Head of Cyber Security, CSI Ltd.
Zero Trust as a framework for an IT security architecture
Zero trust is best defined as a framework for protecting a complex network from internal and external threats, particularly when many security incidents stem from the misuse of user credentials.
IBM explains Zero Trust as a philosophy in which every user and every connection is assumed to be a threat, so the corporate network needs defense against these potential risks. It includes several security measures to provide continuous network monitoring and validation to ensure that each user has the correct privileges and attributes:
- Record and inspect all corporate network traffic.
- Limit and control network access.
- Verify and protect network resources.
Zero trust is therefore a framework in which authentication, authorization and validation are used to protect user access from inside and outside the network, including cloud-based connections and remote workers. It manages the permissions granted to each device, the applications they can run, and the data they can access, store, encrypt, and transport.
A zero trust approach is recommended because, with more remote working and so many organizations relying on the cloud for their networks, the traditional network edge has eroded and there is a more diverse mix of users, technologies and applications that must be protected.
An even greater challenge is that traditional security policies and tools are less effective in modern IT environments, which creates a new headache for security professionals.
Best practices for cloud IT security
Zero trust is fundamentally different from traditional privileged access management, which only addresses the security of users within the network and does not protect against cases where a user's credentials are misused. A zero trust approach should also protect the network from risks coming from the broader cloud-based environment.
Threats increase every day
Cybersecurity threats have risen to new levels since 2023, with a worrying new rise in state-sponsored cyber activities targeting institutions. Phishing remains the biggest threat, causing 90% of data breaches. Microsoft mitigated an average of 1,435 distributed denial-of-service attacks each day in 2022, believed to be a 67% increase. Since 2023 there have been 300,000 new malware incidents every day, attempting to gain unauthorized access or disrupt IT systems. Gartner, meanwhile, predicts that 45% of organizations will suffer a supply chain cyberattack by 2025.
So why, with these scary statistics, are organizations taking so long to adopt zero trust?
This is because zero trust requires a new security paradigm that demands time, resources, skills, and the right products. Many organizations are considering zero trust in the context of their own cloud-connected architectures, where an extended network uses public and hybrid cloud and remote work. They often have fixed compliance needs. They will typically have a mixed estate of systems, and their legacy architecture does not easily support the ideas of the zero trust model. It may not support modern authentication methods or secure protocols. It may seem as though a completely new security architecture is required.
Added to this, IT security specialists are often fully occupied with continuous monitoring and managing the response to alerts. There is concern that adding more products will make the entire setup more complex to manage and maintain.
Identity is key
Increasingly, as more market research emerges, analysts are drawing connections between breaches and compromised and abused privileged credentials. It is reported that 80% of breaches target user credentials; therefore, companies should place a strong identity strategy at the top of their agenda. With digital transformation projects, companies are faced with controlling access to data and securing their own employees, contractors, suppliers, customers and devices.
Identity is the “new” edge in a cloud-native world. Allowing credentials without question or validation goes against best practices and industry wisdom, exposing an organization to greater risk. Identity, as a shorthand for managing and validating user access and privileges, remains the only constant in today's way of working.
Find a viable way to build zero trust
A zero trust policy can be broken down into several smaller, more manageable parts based on NIST's five-stage security model. Vulnerability scanning, attack surface management, and asset management can be grouped as tasks in the “identification” stage. Identity management and SSO/MFA fall under the “protection” umbrella. Anti-malware/EDR, SIEM, MDR, and log management services fall under the “detection” umbrella.
For each stage of the model there are one or more cybersecurity tools, such as risk-based multi-factor authentication, identity protection, endpoint security, and encryption, that can be used to build that section of the security architecture. This provides clarity and defines an approach that meets the zero trust ambition.
The most practical approach is to leverage the model to build zero trust around the technology and managed services you already have in place and do everything you can with them.
The key to success is bringing together a set of tools from best-in-class vendors to comply with the zero trust model without adding unnecessary complexity. You should choose tools that fit together and that, once up and running, provide you with a series of levers that you can use to manage your zero trust policy on a day-to-day basis. Once you have these in place, you will be better protected and greatly reduce the risk of experiencing a cybersecurity breach.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in today's tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.