Organizations have traditionally deployed cybersecurity approaches that adhered to the phrase made famous by President Ronald Reagan: “Trust, but verify.” This meant that most users and activities were considered “safe,” as long as simple standards were met – like logging in from within the network.
However, with the ever-increasing volume, velocity, and sophistication of modern threats originating from both outside and inside organizations, “Trust, but verify” no longer suffices. Instead, senior security professionals and their teams must move toward Zero Trust, an approach which counsels, “Never trust. Always verify.”
To fully embrace and benefit from Zero Trust, businesses should start with the intent of bringing it to their entire cyber landscape: users (human and system accounts), apps (on-premise and cloud), data (structured and unstructured), and the network (the corporate network and cloud access points/gateways). The following three considerations help organizations move toward a stronger Zero Trust security approach.
Adoption by design
While organizations must consider their full cyber landscape as subject to Zero Trust, they cannot make sweeping, enterprise-wide security changes overnight. Successful Zero Trust adoption requires a deliberate approach: it is as much about shifting cultural mindsets as it is adjusting processes and technologies.
To begin moving towards a Zero Trust model, organizations should conduct risk assessments to identify and prioritize “crown jewels” – their most sensitive and/or critical data assets and corresponding access. A good place to start is with assets and accounts subject to privileged access management (PAM) tools and processes. Focus on the highest priorities first and then proceed in a phased manner to encourage a smoother segue to acceptance as part of the organization’s security culture.
Organizations also need to apply Zero Trust principles to new and updated systems. When a new app is introduced, don’t begin to apply Zero Trust and security considerations to the software development life cycle (SDLC) at the near-end testing stage; make it a part of the process from the very beginning.
Verification continuum is the critical practice of constantly verifying what access and activities are allowable. First, determine or align with organizational access policies. This is the critical, foundational step that will set the standard for how individual access decisions should be made.
Another key element is working with business stakeholders and identity governance and administration (IGA) teams to set up processes and tools for account and access requests, changes, and removals. IGA and PAM tools support controlling and automating these processes by establishing a repository of trustable identities, along with what resources they can access and what activities they can do there. Review the data in these platforms on a regular, ongoing basis.
Organizations should also review both their structured and unstructured data. Unstructured data merits special attention. Is it on corporate laptops, personal phones, or other devices? What organization data governance processes and practices protect it? Consider the network too. Traffic analysis can help build a blueprint for micro-segmentation and additional access control points and policies.
Machine learning also supports the Zero Trust verification continuum. As highly automated analytics tools detect abnormal user behaviors – such as a suspicious attempt to pull customer credit card information, at an odd time of night in a non-company location – they can work with other security tools to send alerts and immediately lock down the data.
Multi-step verification of users at the point of transaction run-time is critical to Zero Trust. By incorporating multi-factor authentication (MFA), risk-based, or adaptive authentication, organizations impose an additional hurdle to malicious actors attempting to use stolen credentials to obtain organizational data.
There was a time when “Trust, but verify” may have been enough. But that day has long passed, along with the notion that a perimeter-based security model affords an organization sufficient protection. Zero Trust brings more comprehensive and vigilant strategies to the table.
While Zero Trust is about technology solutions and tactics, it is also about changing the way everyone at the organization – leadership, IT, and users – perceives data assets and appropriate access to them. By prioritizing organizational assets and using a phased approach to implementation, the necessary cultural shift will come more easily, with the support of organizational change management. By enforcing constant, multi-layer verification and boosting authentication practices, security leaders and their teams prove that Zero Trust isn’t just a good idea – it’s a good idea that works.