Zero trust is a heavily used buzzword. It inspires confidence when it’s used by cyber security and technology experts to imply a completely secure technology environment that protects people, devices and applications – all of the time.
In reality, however, almost no-one in the security industry can deliver true zero trust without shutting down every connection and paralysing digital infrastructure. That’s because end-to-end zero trust is a purely academic concept that’s simply not workable for the vast majority of contemporary organisations.
Nevertheless, the need for constant vigilance in the face of a swelling tide of digital security threats has given rise to what’s become known as ‘zero trust-washing’.
Much like greenwashing in the environmental arena, zero trust-washing involves a lot of posturing and hype without any real action. The problem is, all this talk about zero trust serves to create the illusion that robust security is an absolute given. It’s an ‘emperor’s new clothes’ scenario that can potentially result in organisations finding that they are unwittingly exposed.
So, how can CISOs and technology leaders best apply the most relevant aspects of this rigorous security approach in a pragmatic and workable way?
Zero trust – getting to grips with the basic concepts
In essence, zero trust means organisations should not trust anything inside or outside their digital perimeter. This means that anything or anyone trying to connect or gain access is treated as a new connection that must be verified before authority is granted.
Although the zero trust concept was first postulated by Stephen Marsh in his doctoral thesis in 1994, it wasn’t until 2018 that cybersecurity researchers began recommending a ‘never trust, always verify’ zero trust strategy to organisations looking to maintain a rigorous cyber security posture as they ramped up their adoption of mobile and cloud services.
The key principles behind zero trust architectures include a single strong source of user identity, user and machine authentication, access control policies, and additional context such as policy compliance and device health. All of these are designed to protect information systems and services and to reduce the risk of a data breach.
Dealing with the practicalities
Enabling the tangible benefits of zero trust in a secure cloud environment without unnecessary costs or complications isn’t a straightforward proposition. Unfortunately, there’s no single off-the-shelf security product that switches on zero trust, and a careful assessment of the existing data and technology environment is paramount for ensuring the right policies and principles are applied in the right way: that is, in a manner that does not hamper the productivity of users or inhibit operational responsiveness.
Today’s digitally powered enterprises have a constant flow of traffic going into and out of the business, all of which needs diligent monitoring. However, if the zero trust approach you deploy means that multi-factor authentication and complicated log-in procedures make doing business more difficult or hamper users going about their daily tasks, no matter where they are working from, then delivering the security the enterprise needs will come at a hefty cost.
Ultimately, zero trust should enable, not throttle, enterprise-wide productivity, without overburdening users or compromising on security principles. It should let people, apps and data connect to the resources for which they have authorisation, the moment they need access, and in a streamlined way.
Taking a reality check
While zero trust almost never provides an absolute guarantee of security, it can significantly reduce an organisation’s vulnerability to security breaches and malware. That said, today’s sophisticated cyber criminals are constantly honing their craft, so addressing the latest cyber threats should remain a top priority, because zero trust won’t eliminate every security threat.
In today’s work-from-anywhere environments, implementing a zero trust security strategy is a must-have for reducing risk and improving the protection of the enterprise’s digital estate. But it’s just one part of a wider security arsenal that should also feature automatic security updates, multi-factor authentication, and regular security training for all employees.
Follow the leader: a best practice model
Learning from the best is one way of understanding how a best practice zero trust model can be initiated in a way that doesn’t hamper or hinder productivity.
With a global reputation to uphold and billions of users worldwide, Microsoft is a leading exponent of zero trust security that empowers users to work more securely anywhere and on any device – including their own – with zero interruptions to their workflows.
Highlighting the critical importance of maintaining tight controls over core security needs, Microsoft recommends protecting access to resources and data using strong multi-factor authentication, single sign-on, passwordless authentication and the elimination of VPN clients. All of these help optimise the user experience while keeping the organisation more secure.
Getting the best from zero trust
Unfortunately there’s no one-size-fits-all solution when it comes to zero trust approaches. Every organisation will need to address all its applications and infrastructure, including legacy systems.
When defining and implementing a security strategy that features the best elements of zero trust, CISOs and technology leaders should prioritise the implementation of a common identity management system, together with adaptive access controls that limit user access through just-in-time and just-enough access policies designed with data protection in mind. Similarly, to minimise the blast radius of a breach, the deployment of user-to-application segmentation and workload-to-workload segmentation will also prove crucial.
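To make the principles above concrete (the single identity source, user and device authentication and context from the earlier section, plus the just-in-time, just-enough access and segmentation described here), the following is an added illustration, not code from the article or from any vendor. The identity provider name, roles, resource, segments and grant lifetime are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Request:
    """One access attempt; every field is re-checked on every request (never trust, always verify)."""
    user: str
    identity_provider: str   # which identity source asserted this user
    mfa_verified: bool
    device_compliant: bool   # device-health signal, e.g. patched and endpoint agent running
    resource: str
    action: str              # "read" or "write"
    segment: str             # segment the request originates from

# Constructed sample policy (assumption, not the article's): which roles may perform which
# action, which segments may reach the resource, and how long a grant lives.
TRUSTED_IDP = "corp-sso"
ROLES = {"alice": {"finance"}, "bob": {"engineering"}}
POLICY = {
    "payroll-db": {
        "roles": {"read": {"finance", "auditor"}, "write": {"finance"}},
        "segments": {"corp-users", "hr-app"},   # user-to-app / workload-to-workload segmentation
        "max_minutes": 60,                       # just-in-time: grants expire
    },
}

def decide(req: Request, now: datetime) -> dict:
    """Deny unless every check passes; a grant is scoped to one resource/action (just-enough)."""
    policy = POLICY.get(req.resource)
    reasons = []
    if policy is None:
        reasons.append("unknown resource")
    if req.identity_provider != TRUSTED_IDP:
        reasons.append("identity not from the single trusted source")
    if not req.mfa_verified:
        reasons.append("MFA not satisfied")
    if not req.device_compliant:
        reasons.append("device not compliant")
    if policy and req.segment not in policy["segments"]:
        reasons.append("segment may not reach resource")
    if policy and not (ROLES.get(req.user, set()) & policy["roles"].get(req.action, set())):
        reasons.append("role not authorised for action")
    if reasons:
        return {"allow": False, "reasons": reasons}
    return {"allow": True, "scope": f"{req.resource}:{req.action}",
            "expires": now + timedelta(minutes=policy["max_minutes"])}

def grant_valid(grant: dict, now: datetime) -> bool:
    """A previously issued grant is honoured only while unexpired; afterwards the caller re-verifies."""
    return bool(grant.get("allow")) and now < grant["expires"]
```

Because every denial lists each failed check, the same function doubles as a source of audit events for the monitoring the article calls for.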
Successful and optimised cyber defence requires rigorous and expert planning and execution alongside ongoing reviews designed to embed continuous improvement and keep pace with today’s ever evolving cyber security landscape.
Implementing a zero trust architecture is not always straightforward, so working with a specialist cyber security partner who can help define and implement a zero trust ecosystem appropriate to the needs of the business can help cut through the complexity, ensuring that sustainable best practices and zero trust protocols are embedded right from the get-go.
Chris is Cyber Security Practice Director at Six Degrees. He is responsible for evolving Six Degrees’ end-to-end cyber security portfolio – ensuring clients can use cyber security innovatively to support, grow and enhance their businesses.
Previously a Head of Information Risk Management (IRM) and Global Cyber Security Strategy Lead, Chris is an experienced cyber security expert with qualifications including Fellow of the Chartered Institute of Information Security (FCIIS), Certified Information Security Manager (CISM) and Fellow of the British Computer Society (FBCS).
Chris has a degree in Computer Systems and Networks, and he has a keen focus on contributing to broader cyber security knowledge. His outreach activities include membership of the Cyber Security Alliance Council and the Chartered Institute of Information Security’s Accreditation Committee. He also acts as a Cyber Security Advisor to ISACA.