An investigation by the CyberRisk Alliance early this year revealed surprising results about zero trust security. Despite the term being about 30 years old, only 35% of security leaders said they were “very familiar” with it. And despite the many recent security incidents, the same percentage had “high confidence” in their zero trust capabilities.
There’s something wrong. As interest in zero trust grows, many security leaders don’t seem to know exactly how to properly implement it. Too many of them believe that zero trust can be applied simply by purchasing a new product or upgrading old products. What is really needed is a better understanding of what zero trust security is and how it brings different products, processes and people together to protect mission-critical assets.
The concept of zero trust is simple: ‘never trust, always verify’. It may seem harsh to users who have become accustomed to quick and easy access to information, but it’s a good policy. We like to use the term ‘mutually suspicious’. This means that everyone has to prove who they are.
To some extent, the practice of zero trust—like the term—is quite old, dating back to the days of minicomputers and mainframes. What has changed is the IT environment, which is much bigger than it was a decade ago. As the cloud, edge devices and data centers expose more endpoints to threats, organizations must rely on more than firewalls to keep intruders out. Zero trust is a good solution, but organizations must better coordinate their processes, people and products to achieve this.
Products speak for themselves. In essence, it takes a full line of security technologies to verify the identity, location and status of the device. The goal is to minimize range and limit access. There is no single product or platform that can achieve this. A successful zero trust program will need to apply identity management, multifactor authentication and least-privilege access.
Zero trust technologies can cover the entire attack surface, but that means nothing without the people who use them. Aligning processes, people and security is essential. This means creating a culture in which transparency, open communication, trust in the process and belief in each other’s ability to do good are paramount.
To successfully implement zero trust technology in a corporate culture, organizations need to involve their employees in the process. You can’t expect people to just agree to this if they don’t know about it. So let employees know what is going on, what the process will be, how it will impact their work, the benefits it will bring to the organization and how it can support its zero trust processes.
By engaging employees and challenging them to embrace a healthy dose of skepticism about potential threats, employers ensure a smoother final adoption and implementation. Once employees understand the value of zero trust, they will feel more comfortable being part of the wider cybersecurity network. In addition, it enables employees to proactively identify internal and external threats and maintain high standards of security hygiene.
Organizations must define and evaluate every asset and every aspect of their security environment. This includes identifying where unstructured data is stored, what purpose a specific data store serves, who has access to it, and what security controls are already in place. A comprehensive assessment of who has access to what will help develop a comprehensive access policy. Some assets will require zero trust protection, others will not. All devices that connect to a network must be taken into account so that they can withstand outside phishing attacks.
An important technology mechanism that can help organizations in the world of zero trust is immutability, or the creation of data copies that cannot be modified or deleted. This ensures that organizations cannot lose data and that it cannot fall into the wrong hands.
Defining a zero trust framework for the entire organization is often overlooked. There’s no point in having teams interpreting confusing sets of conventions or reinventing what “zero trust” means.
Last, and perhaps most important, is the need to re-evaluate and review zero trust processes. You can compare it with going to the gym: working out becomes a lifestyle and active people constantly adapt their routines. The same goes for security. Zero trust is a continuum. You’re never done.
The threat landscape will continue to evolve and adapt. Organizations adopting a zero trust approach must continue to develop a comprehensive plan – then continually review and update their technologies, processes and people to meet their future needs.
This is a submission from Dave Russell and Rick Vanover of Veeam.