Zero Trust: Past, present and a call to action for the future
A recent study by CyberRisk Alliance revealed some surprising statistics about zero trust security. Although the term dates back nearly 30 years, only 35% of the security leaders polled were very familiar with the practice. And despite the rash of security incidents in recent years, the same percentage were highly confident in their zero trust capabilities.
There’s a disconnect. From our experience, while interest in zero trust is growing, many security leaders appear to be confused about how to properly implement it. Too many believe it can be solved simply by plugging in a new product or by upgrading old ones. What’s actually needed is a better understanding of what zero trust security is – how it incorporates a blend of products, processes and people to protect mission-critical corporate assets.
The concept of zero trust is simple: “never trust, always verify.” It may seem harsh to users that have grown accustomed to smooth and easy access to information, but it’s sound policy. We prefer to use the phrase “mutually suspicious,” which is similar. It means, in effect, “Here’s who I am; you prove to me who you are.”
To a certain extent, the practice – as well as the term – is old, dating back to minicomputers and mainframes. It’s all about requiring good digital hygiene. What has changed is the environment, which has shifted and expanded. Now, with cloud, edge devices and data centers opening up more endpoints to attack, organizations have to rely on more than firewalls to keep intruders out.
Organizations need to align their processes and people, along with their products, to achieve true zero trust.
Products are a straightforward step. Essentially, what’s needed is a full line of security technologies that verify identity, location and device health. The objective is to minimize the blast radius and limit access to each segment. While there is no single product or platform that accomplishes all these goals, a successful zero trust program will incorporate elements of identity management, multifactor authentication and least-privilege access.
Involving people
Zero trust technologies are available to cover all attack surfaces and protect organizations, but they mean nothing without the people using them. Aligning company success and security with employee success and security is therefore critical. This means prioritizing a culture of transparency, open communication, trust in the process and faith in each other’s ability to do good.
To successfully implement zero trust technology into a corporate culture, organizations need to involve employees in the process. Don’t just roll out a top-down mandate and expect it to click. Tell employees what’s going on, what the process of zero trust entails, how it impacts and benefits them as well as the company, what to watch out for, and how they can support the zero trust process.
By engaging employees and challenging them to embrace a healthy dose of skepticism towards potential threats, employers are planting the seeds of security across their organizational skeleton. Once employees understand what’s going on and the value of zero trust, they too begin to feel trusted and are empowered to be part of the broader cybersecurity network. This empowers employees to proactively identify insider and outsider threats to the enterprise, covering all surfaces and fostering good security hygiene.
Reassessing processes
Zero trust security requires a significant rework of overall organizational processes.
One of the most important moves organizations can make is to define and assess every aspect of their data security environment. This includes identifying where all of the organization’s unstructured data is stored, what business purposes specific data stores serve, who has access to them and what kind of security controls are already in place. A thorough permissions assessment will help guide the development of a comprehensive access management policy. Some assets will require zero trust protection; others won’t. All devices that connect to a network will need to be accounted for, so they can be defended against outside phishing attacks.
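The two technical threads above, a per-request check of identity, multifactor authentication, device health and location, and a permissions assessment that compares what each person is granted against what their business role actually needs, can be shown concretely. The following is an added example, not code from the article or from any product; the inventory, principals, roles and allowed locations are constructed for illustration.

```python
"""Added example: a minimal zero trust access decision plus a permissions review.

Everything here (assets, principals, roles, locations) is constructed sample
data, not drawn from the article."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    principal: str
    asset: str
    identity_verified: bool
    mfa_passed: bool
    device_healthy: bool
    location: str


# Constructed inventory: each data store records its sensitivity, the roles that
# have a business reason to reach it, and the controls already in place.
ASSETS = {
    "hr-payroll-share": {"sensitivity": "high", "roles": {"hr"}, "controls": {"mfa", "encryption"}},
    "eng-build-artifacts": {"sensitivity": "medium", "roles": {"engineering"}, "controls": {"encryption"}},
    "marketing-assets": {"sensitivity": "low", "roles": {"marketing", "engineering"}, "controls": set()},
}

# Constructed directory: each principal's role and the grants they currently hold.
PRINCIPALS = {
    "alice": {"role": "hr", "grants": {"hr-payroll-share"}},
    "bob": {"role": "engineering", "grants": {"eng-build-artifacts", "hr-payroll-share"}},
    "carol": {"role": "marketing", "grants": {"marketing-assets", "eng-build-artifacts"}},
}

# Constructed location policy: only these network positions may reach assets.
ALLOWED_LOCATIONS = {"office", "vpn"}


def decide(req: Request) -> tuple[bool, str]:
    """'Never trust, always verify': every request re-checks identity, MFA,
    device health and location, then enforces least privilege per asset."""
    if not req.identity_verified:
        return False, "identity not verified"
    if not req.mfa_passed:
        return False, "mfa required"
    if not req.device_healthy:
        return False, "device failed health check"
    if req.location not in ALLOWED_LOCATIONS:
        return False, f"location {req.location} not allowed"
    asset = ASSETS.get(req.asset)
    if asset is None:
        return False, "unknown asset"
    principal = PRINCIPALS.get(req.principal)
    if principal is None:
        return False, "unknown principal"
    # Least privilege: the role must have a business need AND an explicit grant.
    if principal["role"] not in asset["roles"]:
        return False, f"role {principal['role']} has no business need for {req.asset}"
    if req.asset not in principal["grants"]:
        return False, "no explicit grant"
    return True, "allowed"


def review_permissions() -> dict:
    """Permissions assessment: grants with no business need, sensitive stores
    lacking MFA, and each principal's blast radius (count of high-sensitivity
    stores they can reach)."""
    findings: dict = {"excess_grants": [], "missing_controls": [], "blast_radius": {}}
    for name, p in PRINCIPALS.items():
        for asset in sorted(p["grants"]):
            if p["role"] not in ASSETS[asset]["roles"]:
                findings["excess_grants"].append((name, asset))
        findings["blast_radius"][name] = sum(
            1 for a in p["grants"] if ASSETS[a]["sensitivity"] == "high"
        )
    for name, a in ASSETS.items():
        if a["sensitivity"] in {"high", "medium"} and "mfa" not in a["controls"]:
            findings["missing_controls"].append(name)
    return findings


if __name__ == "__main__":
    print(decide(Request("alice", "hr-payroll-share", True, True, True, "office")))
    print(decide(Request("bob", "hr-payroll-share", True, True, True, "vpn")))
    print(review_permissions())
```

The review function is the part that turns the article's "thorough permissions assessment" into something repeatable: the excess grants it reports are exactly the ones a least-privilege policy would revoke, and the blast radius figure shows how many high-value stores a single compromised account could reach.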
One key tech mechanism that can help organizations in a zero trust world is immutability – creating data copies that can’t be modified or deleted. This ensures organizations don’t lose data or allow it to end up in the wrong hands.
An overlooked practice is to define a common zero trust framework for the whole organization. It does no good to have teams interpreting confusing sets of conventions or reinventing what “zero trust” means on a project-by-project basis.
Last, and perhaps most important, is the need for organizations to reassess and revise their zero trust processes. It’s like going to the gym: Exercise becomes a way of life, and active people tweak their workout routines all the time. Same with security. Zero trust is a continuum. You’re never done.
Staying flexible
Threatscapes will continue to evolve over time. Organizations taking a zero trust approach will need to continue to develop a comprehensive plan – and then continually revise their technologies, processes and people practices to meet their future needs.