Zero Trust: Past, present and a call to action for the future

A recent study by CyberRisk Alliance revealed some surprising statistics about zero trust security. Although the term dates back nearly 30 years, only 35% of the security leaders polled were very familiar with the practice. And despite the rash of security incidents in recent years, the same percentage were highly confident in their zero trust capabilities.
There’s a disconnect. From our experience, while interest in zero trust is growing, many security leaders appear to be confused about how to properly implement it. Too many believe it can be solved simply by plugging in a new product or by upgrading old ones. What’s actually needed is a better understanding of what zero trust security is – how it incorporates a blend of products, processes and people to protect mission-critical corporate assets.
The concept of zero trust is simple: “never trust, always verify.” It may seem harsh to users that have grown accustomed to smooth and easy access to information, but it’s sound policy. We prefer to use the phrase “mutually suspicious,” which is similar. It means, in effect, “Here’s who I am; you prove to me who you are.”
To a certain extent, the practice – as well as the term – is old, dating back to minicomputers and mainframes. It’s all about requiring good digital hygiene. What has changed is that our environment has shifted and expanded. Now, with cloud, edge devices and data centers opening up more endpoints to attack, organizations have to rely on more than firewalls to keep intruders out.
Organizations need to align their processes and people, along with their products, to achieve true zero trust.
Products are a straightforward step. Essentially, what’s needed is a full line of security technologies that verify identity, location and device health. The objective is to minimize the blast radius and limit segment access. While there is no single product or platform that accomplishes all these goals, a successful zero trust program will incorporate elements of identity management, multifactor authentication and least-privileged access.
Involving people
Zero trust technologies are available to cover all attack surfaces and protect organizations, but they mean nothing without the people using them, so aligning company success and security with employee success and security is critical. This means prioritizing a culture of transparency, open communication, trust in the process and faith in each other’s ability to do good.
To successfully integrate zero-trust technology into a corporate culture, organizations need to involve employees in the process. Don’t just roll out a top-down mandate and expect it to click. Alert employees as to what’s going on, what the process of zero trust entails, how it impacts and benefits them as well as the company, what to watch out for, and how they can support the zero-trust process.
By engaging employees and challenging them to embrace a healthy dose of skepticism towards potential threats, employers are planting the seeds of security across their organizational skeleton. Once employees understand what’s going on and the value of zero trust, they too begin to feel trusted and are empowered to be part of the broader cybersecurity network. This empowers employees to proactively identify insider and outsider threats to the enterprise, covering all surfaces and fostering good security hygiene.
Reassessing processes
Zero trust security requires a significant rework in overall organizational processes.
One of the most important moves organizations can make is to define and assess every aspect of their data security environment. This includes identifying where all of the organization’s unstructured data is stored, what business purposes specific data stores serve, who has access to it and what kind of security controls are already in place. A thorough permissions assessment will help guide the development of a comprehensive access management policy. Some assets will require zero trust protection; others won’t. All devices that connect to a network will need to be accounted for, so they can fend off outside phishing attacks.
One key tech mechanism that can help organizations in a zero trust world is immutability – creating data copies that can’t be modified or deleted. This ensures organizations don’t lose data or allow it to end up in the wrong hands.
An overlooked practice is to define a common zero-trust framework for the whole organization. It does no good to have teams having to interpret confusing sets of conventions or reinvent what “zero trust” means on a project-by-project basis.
Last, and perhaps most important, is the need for organizations to reassess and revise their zero trust processes. It’s like going to the gym: Exercise becomes a way of life, and active people tweak their workout routines all the time. Same with security. Zero trust is a continuum. You’re never done.
Staying flexible
Threatscapes will continue to evolve over time. Organizations taking a zero trust approach will need to continue to develop a comprehensive plan – and then continually revise their technologies, processes and people practices to meet their future needs.