Zero Trust: Past, present and a call to action for the future

August 22, 2022 10:21

A recent study by CyberRisk Alliance revealed some surprising statistics about zero trust security. Although the term dates back nearly 30 years, only 35% of the security leaders polled were very familiar with the practice. And despite the rash of security incidents in recent years, the same percentage were highly confident in their zero trust capabilities.

There’s a disconnect. From our experience, while interest in zero trust is growing, many security leaders appear to be confused about how to properly implement it. Too many believe it can be solved simply by plugging in a new product or by upgrading old ones. What’s actually needed is a better understanding of what zero trust security is – how it incorporates a blend of products, processes and people to protect mission-critical corporate assets.

The concept of zero trust is simple: “never trust, always verify.” It may seem harsh to users who have grown accustomed to smooth and easy access to information, but it’s sound policy. We prefer to use the phrase “mutually suspicious,” which is similar. It means, in effect, “Here’s who I am; you prove to me who you are.”

To a certain extent, the practice – as well as the term – is old, dating back to minicomputers and mainframes. It’s all about requiring good digital hygiene. What has changed is that our environment has shifted and expanded. Now, with cloud, edge devices and data centers opening up more endpoints to attack, organizations have to rely on more than firewalls to keep intruders out.

Organizations need to align their processes and people, along with their products, to achieve true zero trust.

Products are a straightforward step. Essentially, what’s needed is a full line of security technologies that verify identity, location and device health. The objective is to minimize the blast radius and limit segment access. While there is no single product or platform that accomplishes all these goals, a successful zero trust program will incorporate elements of identity management, multifactor authentication and least-privileged access.

Involving people

Zero trust technologies are available to cover all attack surfaces and protect organizations, but they mean nothing without the people using them, so aligning company success and security with employee success and security is critical. This means prioritizing a culture of transparency, open communication, trust in the process and faith in each other’s ability to do good.

To successfully implement zero-trust technology into a corporate culture, organizations need to involve employees in the process. Don’t just roll out a top-down mandate and expect it to click. Alert employees as to what’s going on, what the process of zero trust entails, how it impacts and benefits them as well as the company, what to watch out for, and how they can support the zero-trust process.

By engaging employees and challenging them to embrace a healthy dose of skepticism towards potential threats, employers are planting the seeds of security across their organizational skeleton. Once employees understand what’s going on and the value of zero trust, they too begin to feel trusted and are empowered to be part of the broader cybersecurity network. This empowers employees to proactively identify insider and outsider threats to the enterprise, covering all surfaces and fostering good security hygiene.

Reassessing processes

Zero trust security requires a significant rework in overall organizational processes.

One of the most important moves organizations can make is to define and assess every aspect of their data security environment. This includes identifying where all of the organization’s unstructured data is stored, what business purposes specific data stores serve, who has access to it and what kind of security controls are already in place. A thorough permissions assessment will help guide the development of a comprehensive access management policy. Some assets will require zero trust protection; others won’t. All devices that connect to a network will need to be accounted for, so they can fend off outside phishing attacks.

One key tech mechanism that can help organizations in a zero trust world is immutability – creating data copies that can’t be modified or deleted. This ensures organizations don’t lose data or allow it to end up in the wrong hands.

An overlooked practice is to define a common zero-trust framework for the whole organization. It does no good to have teams interpreting confusing sets of conventions or reinventing what “zero trust” means on a project-by-project basis.

Last, and perhaps most important, is the need for organizations to reassess and revise their zero trust processes. It’s like going to the gym: Exercise becomes a way of life, and active people tweak their workout routines all the time. Same with security. Zero trust is a continuum. You’re never done.

Staying flexible

Threatscapes will continue to evolve over time. Organizations taking a zero trust approach will need to continue to develop a comprehensive plan – and then continually revise their technologies, processes and people practices to meet their future needs.


Dave Russell: vice president of enterprise strategy at Veeam; Rick Vanover: senior director of product strategy at Veeam