A fundamental tenet of Zero Trust assumes that there are no barriers keeping bad actors at bay. That very idea may seem like an intimidating one, considering our traditional methods for access management. The best way to understand Zero Trust, however, is to examine these very systems. Reliance on the perimeter has been a hallmark of security since the earliest days of a connected world. Organizations enforced this cybersecurity approach by relying upon barriers (firewalls) that control traffic coming in and out of a network. In essence, we threw a digital fence, a perimeter, around the network. This is not to say that firewalls and other types of perimeter security are not important; indeed, the number one type of threat remains a Denial of Service (DoS) attack. However, heavy reliance on the perimeter has proven largely misguided.
A Zero Trust Cybersecurity Philosophy
Today, with the explosion of cloud computing and digital global reach, IT environments have evolved to become fluid, open, and, ultimately, more vulnerable to threats from within and outside these antiquated perimeters. Remote devices and all sorts of cloud variations have blurred the boundaries, if not broken them. Furthermore, hackers and other bad actors have become adept at bypassing traditional perimeter controls through phishing attacks, social engineering, keyloggers and spyware, or brute force attacks.
When this is all taken into perspective, a Zero Trust cybersecurity philosophy comes into focus as a real solution. You can no longer trust the system itself. The cracks are everywhere, and the attacks are omnidirectional. Consequently, for many organizations, virtual private networks (VPNs) and perimeter-based security methodologies (once the gold standard) have lost their luster. According to a recent survey from Gartner, by 2023, 60% of enterprises will phase out their remote access VPNs in favor of Zero Trust (ZT).
Conventional approaches to cybersecurity and access management (IAM and PAM) relied on one-time authentication, VPNs, and fence-based networks. However, you can start your Zero Trust journey by implementing a model across your network that begins with its foundational principles.
The best tenets of Zero Trust are:
- Trust nothing
  - Never trust, always verify. Don’t trust anything by default, starting with the network. Because of our new highly dynamic environments, we should assume that verification is required, and that nothing is assumed other than that the network may already be in breach. This alert mindset will reframe your security ideology.
- Secure everything
  - Implement evolving controls like remote authentication, set access protocols, and rethink perimeter-based security for a more open, global, and future-forward network.
- Contextually authenticate requesters and contextually evaluate access requests
  - Each time a user accesses a file share, application, or cloud storage device, re-authenticate that user’s access to the resource. One-time authentication needs to be replaced by consistent contextual authentication.
- Assess all requests
  - You have to assume that every attempt to access your network is a threat until otherwise confirmed, regardless of location or cloud network composition (open, closed, or hybrid). Threat assessment and alerts will keep your cybersecurity nimble.
- Grant access by the Principle of Least Privilege (PoLP)
  - Allow users the minimum access privileges necessary to perform a specific job or task and nothing more. Limiting each user’s access prevents an attacker from gaining access to large amounts of data with a single compromised account.
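The tenets above, expressed as a per-request policy check. This is an added example, not part of the original article; the role names, resource names, context fields, and the 15-minute re-authentication window are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy: (role, resource) -> allowed actions. Anything absent is denied.
GRANTS = {
    ("analyst", "fileshare:/finance/reports"): {"read"},
    ("backup-operator", "storage:archive-bucket"): {"read", "write"},
}
MAX_AUTH_AGE_S = 900  # assumed re-authentication window (15 minutes)

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    auth_age_s: int         # seconds since the user last authenticated
    mfa_passed: bool
    device_compliant: bool
    source_network: str     # "corporate" or "internet"; logged, never trusted

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Decide one request. Call on every access, not once per session."""
    # Trust nothing: source_network is deliberately absent from the allow path.
    if not req.mfa_passed:
        return False, "deny: mfa not satisfied"
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "deny: re-authentication required"
    if not req.device_compliant:
        return False, "deny: device non-compliant"
    # Least privilege: default deny unless this exact action was granted.
    if req.action not in GRANTS.get((req.role, req.resource), set()):
        return False, "deny: action outside least-privilege grant"
    return True, "allow"

def audit(requests):
    """Assess all requests; return rows suitable for logging and alerting."""
    return [(r.user, r.source_network, r.action, evaluate(r)[1]) for r in requests]

# Constructed sample requests.
SAMPLE = [
    AccessRequest("alice", "analyst", "fileshare:/finance/reports", "read", 120, True, True, "internet"),
    AccessRequest("alice", "analyst", "fileshare:/finance/reports", "read", 3600, True, True, "corporate"),
    AccessRequest("alice", "analyst", "fileshare:/finance/reports", "write", 60, True, True, "corporate"),
    AccessRequest("bob", "backup-operator", "storage:archive-bucket", "write", 30, True, False, "corporate"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

In the sample data, the request from the internet is allowed while three requests from the corporate network are denied, because network location never contributes to the decision.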
As these tenets demonstrate, Zero Trust is a journey, not a destination. And there are many elements your organization should implement on its way toward ZT. While this may sound intimidating at first, you can approach it with small-but-actionable steps over a reasonable timeframe to achieve it at your own pace.
Building a successful Zero Trust paradigm at your organization with these foundational principles is only the beginning of your Zero Trust journey. Next up, you’ll want to work towards Zero Trust by starting with Reduced Trust. Learn about this next formative step and more of the ZT transformation by downloading our ebook: Zero Trust and Access Management: A Journey, Not a Destination.