Even though many organizations have a goal of achieving zero trust, this goal may not always be realizable in the solutions they are implementing. In fact, a recent survey found that while most responding organizations said they had implemented or were implementing a zero trust strategy, more than half of them didn’t have the ability to authenticate users and devices on an ongoing basis. Giving too much trust could have disastrous – and costly – results. IBM estimates that the worldwide average cost of a data breach is currently a staggering $4.24 million.
The fact that more organizations are attempting to switch from implicit trust to zero trust is not surprising. The idea of “zero trust” sounds wonderful from a security standpoint – and it is. People have been talking about it intensely for several years, but organizations are still struggling with it. That’s partly because it’s not just something you can buy off the shelf, and partly due to confusion. Zero trust involves several elements, so it’s important to define our terms from the outset to avoid confusion and arrive at a solid solution.
In its most basic form, zero trust is about explicitly verifying a user or device prior to granting access to a resource. That verification might include the user’s identity, their role, their location, the time of day, the device’s identity, the device’s posture and the device’s history. That verification should happen on an ongoing basis, and the access granted should only be for that requested resource. Zero trust removes the broad access across the network that has been common in networks for years.
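The per-request check described above can be sketched as a small policy decision function. This is an added example, not code from the article or from any product: the policy table, device inventory, resource names and the five-minute grant lifetime are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample policy and device inventory; every name here is illustrative.
POLICY = {
    "payroll-app": {"roles": {"hr"}, "countries": {"US", "CA"},
                    "hours": range(7, 20), "require_compliant": True},
    "wiki": {"roles": {"hr", "engineer"}, "countries": {"US", "CA", "DE"},
             "hours": range(0, 24), "require_compliant": False},
}
DEVICES = {
    "laptop-0042": {"compliant": True, "recent_incidents": 0},
    "laptop-0077": {"compliant": False, "recent_incidents": 2},
}
GRANT_TTL = timedelta(minutes=5)  # assumed short lifetime, forces re-verification

@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool   # outcome of the identity check for this request
    role: str
    country: str
    device_id: str
    resource: str
    when: datetime

def decide(req):
    """Evaluate every signal on every request; the default is deny."""
    rule, device = POLICY.get(req.resource), DEVICES.get(req.device_id)
    if rule is None:
        return False, ["unknown resource"], None
    checks = [
        (req.authenticated, "user identity not verified"),
        (req.role in rule["roles"], "role not permitted"),
        (req.country in rule["countries"], "location not permitted"),
        (req.when.hour in rule["hours"], "outside permitted hours"),
        (device is not None, "device identity unknown"),
        (device is None or device["compliant"] or not rule["require_compliant"],
         "device posture non-compliant"),
        (device is None or device["recent_incidents"] == 0, "device history flagged"),
    ]
    reasons = [why for ok, why in checks if not ok]
    if reasons:
        return False, reasons, None
    # The grant names one resource only; it is not a network-wide session.
    return True, [], {"user": req.user, "device": req.device_id,
                      "resource": req.resource, "expires": req.when + GRANT_TTL}

def grant_covers(grant, resource, now):
    """A grant is valid only for its own resource and only until it expires."""
    return bool(grant) and grant["resource"] == resource and now < grant["expires"]
```

Because the grant expires after a few minutes and names a single resource, a change in device posture or a request for a different application triggers a fresh decision rather than inheriting earlier trust.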
What a zero-trust implementation means
Zero trust is not something you go shopping for one day and you’re done by noon. It’s much more of a journey – a marathon where you start off with an assessment of where you are and then start thinking about where you want to go next. But it is a multi-year journey and, quite honestly, one that you never fully finish. You will always be looking at how you can strengthen your zero trust approach and how you can bring those principles of zero trust to your network.
This brings up the question: Does zero trust require a forklift upgrade or just the addition of software components? The answer is: it depends on what you already have. Sometimes it’s more about how you configure your network and enable capabilities that already exist. For instance, some firewall and VPN solutions include ZTNA capabilities that simply need to be turned on.
ZTNA replaces standard VPN technologies for application access by getting rid of the excessive trust that legacy VPN needs to enable connections and collaboration between partners or employees. While maintaining rigorous access control, ZTNA also aids in managing access to enterprise resources for the extended workforce, including partners, suppliers or potentially acquired enterprises.
The zero trust mindset
For certain zero trust use cases, some replacement of existing products might be required. It depends on the technology in question – what someone has in their network would determine whether they need a disruptive re-architecture or simply need to configure things differently.
But first and foremost, zero trust at a high level is really a philosophy, a new mindset, a new way of thinking about how to architect and secure your network. After that, it’s a matter of figuring out how to bring the right architectures and products to your network to fully realize zero trust.
Bringing zero trust to the way that users access applications is important. Zero trust also applies to devices trying to access resources. It applies to the servers talking to each other. The philosophy of zero trust will affect the entirety of the network that affects users and devices, but it also requires the ability to have controls around those assets.
In addition, zero trust involves the ability to segment and micro-segment, so that once a user or device has authenticated, they only get access to that particular resource that they need.
The platform approach
As organizations shift towards more platform approaches for a variety of IT purposes, it becomes easier to select a platform that enables zero trust. When companies are asked why they aren’t implementing zero trust, one of the top reasons cited is the complexity of getting all the pieces and parts necessary to work together to enable granular authentication, ongoing verification and control.
It can be confusing and resource-intensive to integrate multiple diverse point products to create a DIY solution. A huge benefit of going with a platform approach to deploy zero trust is the reduced burden on the IT organization.
For years now, one of the issues in the industry has been the shortage of IT professionals who are trained and can support these cybersecurity networks. With the automation and integration that are already built in, a zero trust platform actually lowers the burden on the IT organization and makes staff more efficient and effective.
Regaining control
The pandemic pushed many employees to remote work. Now many companies face a situation where employees are working from anywhere: at home, in the office, while traveling and at coffee shops. The rise of the work-from-anywhere model has expanded the attack surface, making users’ data and devices more susceptible to cyber risks. This is one of the reasons that zero trust is becoming so important now and why organizations are interested in learning how to deploy it in their networks.
Zero trust is a long-term philosophy that incorporates many parts, and those parts can be challenging to source and integrate. That’s why the platform approach that’s become popular for so many IT solutions is a perfect fit for zero trust.