What is Zero Trust?
Zero Trust is a cybersecurity model that keeps organizations’ data safe by requiring users to continuously verify and authenticate their identities. Analyst John Kindervag, formerly of technology research firm Forrester, coined the term in 2010. But the concept also has roots in the “black core” architecture theory of the U.S. military, which emphasizes the security of individual processes. Companies like Google and Akamai rapidly adopted Zero Trust. Zero Trust has only grown in popularity among cybersecurity professionals in the following years, with market forces such as high-profile data breaches and the shift to hybrid workforces driving adoption.
Zero Trust is an ideal solution for distributed networks. However, no single technology or vendor encompasses Zero Trust. Instead, it’s more of a philosophy composed of various technologies, principles, and processes brought together to prevent data breaches and minimize damage in the event of a successful breach. Zero Trust relies on the principle of least access, which means that each user is only granted the access they need to accomplish their specific tasks and no more. In other words, each user is assumed “guilty until proven innocent”.
In the previous generation of cybersecurity, maintaining a perimeter was adequate to foil most bad actors. In the “castle and moat” model, a firewall (or moat) surrounded the virtual perimeter. Once inside the perimeter (the castle), users were granted “implicit trust”, meaning they had access to the entire system of an enterprise. The traditional model is increasingly inadequate as workforces have become distributed through the move to hybrid work, mobile and personal devices, and integration of Internet of Things (IoT) devices into corporate networks. Additionally, virtual private networks (VPNs) are quickly becoming obsolete and have been subject to some of the highest-profile breaches, including the SolarWinds hack.
Why should my organization implement Zero Trust?
According to a recent study by IT research firm Nemertes, organizations with few cybersecurity incidents, such as breaches, are 137% more likely to have deployed Zero Trust than comparable organizations.
Zero Trust offers a highly reliable process that lets organizations enhance security and protect their most sensitive data. Additionally, regulators increasingly adopt some or all of the Zero Trust methodology in their compliance and oversight requirements. Zero Trust also implements micro-segmentation, which separates IT resources into defensible zones. In other words, even if an intruder gains access to the castle, they will not necessarily get very far because all the doors are locked with different keys.
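The contrast drawn above between "implicit trust" inside the perimeter and Zero Trust's least access plus micro-segmentation can be sketched as a per-request policy check. This is an added example, not part of the original article; the users, resources, segments and function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data: resources, segments and grants are hypothetical.
RESOURCE_SEGMENT = {"payroll-db": "finance", "build-server": "engineering", "wiki": "general"}
# Least access: each identity holds only the (resource, action) pairs it needs.
GRANTS = {
    "alice": {("payroll-db", "read"), ("wiki", "read")},
    "bob": {("build-server", "deploy"), ("wiki", "read")},
}
# Micro-segmentation: allowed (source segment, destination segment) flows.
SEGMENT_FLOWS = {("finance", "finance"), ("engineering", "engineering"),
                 ("finance", "general"), ("engineering", "general")}

@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool      # identity verified for this request
    device_compliant: bool   # device posture check passed
    source_segment: str
    inside_perimeter: bool
    resource: str
    action: str

def perimeter_decision(req: Request) -> bool:
    """Castle-and-moat: anything inside the firewall is implicitly trusted."""
    return req.inside_perimeter

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Default deny: every check must pass on every request."""
    if not req.authenticated:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device not compliant"
    dest = RESOURCE_SEGMENT.get(req.resource)
    if dest is None or (req.source_segment, dest) not in SEGMENT_FLOWS:
        return False, "segment flow not allowed"
    if (req.resource, req.action) not in GRANTS.get(req.user, set()):
        return False, "no grant for this action"
    return True, "allowed"

# Constructed scenario: a session inside the network reaches for another zone's data.
LATERAL = Request("bob", True, True, "engineering", True, "payroll-db", "read")
LEGIT = Request("alice", True, True, "finance", True, "payroll-db", "read")
```

The perimeter model admits `LATERAL` because it originates inside the network, while the Zero Trust check denies it at the segment boundary and still allows `LEGIT`.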
The pillars of Zero Trust
There are many ways of looking at Zero Trust and cybersecurity in general. Fortunately, government cybersecurity agencies, NIST and CISA, have spent considerable time defining and delineating what makes up a Zero Trust approach. In the CISA model, Zero Trust is divided across five pillars and linked by three cross-cutting capabilities.
The pillars are:
- Identity – User or device identification attributes.
- Devices – Any IT asset that can connect to a network.
- Networks – Any communication medium, including the internet, cell phone networks, and application-level channels.
- Applications and Workloads – Systems, programs, and digital processes that occur either on-premises or in cloud environments.
- Data – Includes all structured and unstructured files stored across databases, cloud storage, applications, backup locations, etc.
The cross-cutting capabilities are:
- Visibility and analytics – Insight and visibility into each pillar that informs and directs security policy.
- Automation and orchestration – Automated systems that speed up monitoring and remediation efforts.
- Governance – Regulatory guidelines and principles.
The benefits of Zero Trust
Zero Trust offers many advantages, including:
- A more robust cybersecurity posture.
- Compliance with regulations.
- Increased visibility into the network’s edge and cloud computing environments.
- Reduced risk of data breaches and enhanced remediation and mitigation solutions for successful breaches.
Zero Trust streamlines many areas of cybersecurity, which can create cost efficiencies and ultimately save organizations money.
Challenges of implementation
Unfortunately, Zero Trust is more accessible on paper than in practice. Common hurdles include:
- Incompatibility with legacy technology and infrastructure.
- Lowered productivity from constant verification.
- Multi-year timelines for full deployment.
- Security gaps can open during incomplete implementation processes.
Additionally, overzealous IT marketers have muddied the waters by insisting that many products are “Zero Trust”. Branding initiatives and exaggerations have led to confusion about what Zero Trust means and what products truly represent a Zero Trust approach. It is best to consult vendor-agnostic cybersecurity experts when planning Zero Trust implementation.
To surmount the challenges to productivity that Zero Trust can present, many organizations opt to apply Zero Trust in specific use cases, such as securing their most sensitive data or defending against intrusions in IoT device connections. It’s helpful to think of Zero Trust as aspirational and incremental, a long-term goal that should be consistently top of mind.
The Zero Trust maturity journey
In the CISA model, organizations progress in Zero Trust maturity in four phases across all five technology pillars (Identity, Devices, Networks, Applications/Workloads, and Data). Each pillar can advance through the stages individually or concurrently with the other pillars. The phases are:
- Traditional – Prior to Zero Trust implementation, most security processes and policies are manual. Security efforts across pillars are siloed, and communication between security teams is limited.
- Initial – Initial automation processes are deployed and cross-pillar solutions are introduced.
- Advanced – Automation implemented to streamline security response times, lifecycles, and policy enforcement. Centralized security control and increased visibility across all pillars.
- Optimal – Fully automated lifecycles and attribute assignments to assets and resources that self-report based on observed triggers. Dynamic least privilege access, cross-pillar interoperability across the enterprise, and centralized visibility with situational awareness are integrated into daily operations and processes.
The journey from Initial to Optimal can take several years, based on an organization’s current cybersecurity efforts and level of maturity. This process is comprehensive and requires investments from all significant organizational stakeholders.
Cyber insurance, Zero Trust, and compliance
Many regulatory bodies, including the U.S. Government, are leaning hard on Zero Trust policies to mitigate risk. Another area that regulators are increasingly creating guidance on is cyber liability insurance.
McGowanPRO’s cyber liability team helps clients navigate the changing cybersecurity landscape by offering tailored Cyber Liability / Data Breach Response Insurance policies. In today’s world, organizations need an effective plan to mitigate damages and a comprehensive cyber liability policy to cover worst-case scenarios. With over 15 years of experience in professional liability, McGowanPRO provides reliable recommendations to help clients protect assets and maintain compliance.