What is Zero Trust?
In essence, Zero Trust is what its name implies: no user, device, asset or resource is implicitly trusted, but instead must be authenticated and approved each time it attempts to access a network, cloud service, data repository or some other resource.
Zero trust offers a modern approach for security to meet modern work designs and tackle the cybersecurity challenges facing organizations. The rise in remote work, the relentless waves of ransomware and other cybersecurity attacks, and the need to redress fundamental weaknesses in perimeter-based security have coalesced to drive interest and uptake in zero trust architectures.
It’s not a solution; it’s a security framework or model that follows the motto of “Never Trust. Always Verify.” Unlike today, where any user, once on the enterprise’s network, can gain access to resources, with Zero Trust all users and devices are required to verify their identity every time they request access to resources, regardless of the network they are on. In the wake of data breaches and remote working, we can’t assume any user requesting access to a confidential resource is trustworthy.
We partnered with Osterman Research to write a whitepaper on how IT professionals responded to Zero Trust. The information here comes from the whitepaper, which you can read more here.
Why Zero Trust
Why is there the need for and interest in Zero Trust? In short, it’s because the network perimeter that was more or less defensible when everything was behind a corporate firewall just doesn’t exist anymore. Yes, there are still corporate assets maintained on-premises behind firewalls, gateways and the like, and this will continue to be the case indefinitely. But in most organizations, users, assets and other resources are located well outside of any defensible perimeter and are using a large number of different networks, devices, applications, and cloud services.
Here’s how organizations should think about Zero Trust
- It offers a new approach to cybersecurity.
- Mitigating trends, increasing efficacy, and strengthening cybersecurity protections are the key reasons to implement it.
- Organizations face a journey to implement zero trust architectures.
- Zero trust architectures leverage multiple types of cybersecurity solutions.
Why is Zero Trust being implemented?
There are several key reasons that have impacted an organization’s decision to embrace a zero trust model.
Mitigating Current Trends, Threats, and Risks
High-profile ransomware incidents and adapting to a work-from-home environment are some of the top trends that have convinced organizations to deploy the model. Adopting Zero Trust now to mitigate the risk of a data breach is a more impactful reason rather than wishing it was in place when a data breach occurs.
When looking into the foreseeable future, data breaches are inevitable, and the move to Zero Trust makes sense now more than ever before.
Greatly Improving Cybersecurity Efficacy
Implementing a zero trust model is expected to at least double cybersecurity efficacy against a large range of threats. IT professionals feel that zero trust does not completely solve the issues of existing cyberthreats, they all expect it to significantly reduce the scope of threats. There are a lot of expectations surrounding Zero Trust versus data breaches, and research shows that while data breaches still occur at organizations with Zero Trust, the average cost of rectification was 35% lower than organizations without it.
Modifying Cybersecurity Protections
With zero trust deployment, organizations see an excuse to enable design modifications to strengthen current cybersecurity solutions. By modifying IAM to solve IAM concerns, organizations can know which data sources include sensitive and confidential information to best see which users should receive access to those sources.
Safeguarding Important Resources
Organizations have many data sources that require protection. Data in emails, cloud services, and data compliance regulations push organizations to deploy zero-trust. With it, your employees are required to have specific parameters to access key information. It can mitigate when your employees accidentally send crucial data and stop cybercriminals from mining crucial identifiable information. Protecting customer data and contact details used to be about keeping details away from competitors, but now they are affected by data protection and data privacy regulations led by the GDPR (General Data Protection Regulation).
Learn more about Zero Trust and other IAM topics.
Benefits to Zero Trust
- There is greater visibility into the identity of those attempting access, their location, when they’re accessing it, what they’re accessing, and so forth. This visibility is essential to the proper application of security and compliance policies, and it ensures that bad actors – and the data breaches they might attempt – are identified more quickly than would otherwise be possible.
- Zero Trust is an important element in supporting remote employees, an issue that has been front-and-center for most IT and security decision makers during the past two years. It supports remote employees by enabling their authentication to the growing number of cloud applications without undue effort by IT and security teams, thereby making remote employees more efficient and imposing less burden on IT and security.
- Finally, the use of Zero Trust is useful in preventing successful intrusion by bad actors who might use targeted phishing emails, install keyloggers on individual PCs, or move laterally through corporate networks. Because it starts from a position of not trusting anything that happens on the network, bad actors will hit multiple and significant barriers in their attempts to use these attack techniques.
How does Zero Trust Work?
Zero Trust is not a solution, but rather a security model that follows core principles. To make it “work”, IT professionals should implement these types of solutions.
- Continuous verification of identity: Knowing with precision and certainty the identity of every given person and device on a continuous basis as they access various resources and applications is a critical part of zero trust. Without it, users who aren’t supposed to access confidential information can still have access to it.
- Replacing top-level admin access rights with tighter controls: For many years, IT administrators have had top-level admin access rights to data in core business systems, along with the expectation of not abusing the privilege. With zero, IT admins’ access rights must be managed, curated, limited, scoped, and audited.
- Detecting characteristics in devices, networks, and geographical locations: Solutions are required that can reliably identify the type of device being used in an access request, whether it is a managed or unmanaged device, the network type and address range, and geospatial indicators to plot the access request in physical space. These discernable attributes need to be available immediately for use in policy selection.
- Embarking on a complementary program to mitigate limitations in legacy applications: Legacy applications that do not support zero trust approaches will hamper or derail these initiatives. Replace legacy applications with modern alternatives. Digital transformation is a significant undertaking for organizations and such initiatives will have their own timeframes that unlock added value from a zero trust architecture over time.
Solutions to implement a zero trust model include stronger forms of multi-factor authentication (MFA), contextual and step-up authentication, and biometric authentication.
Zero Trust drives interest in MFA (Multi-factor Authentication)
Intelligent, continuous multi-factor authentication is central to Zero Trust. Being able to authenticate and authorize the digital identity of a user or device is critical to verifying them before trusting them to access resources. With it, however, your traditional MFA tactics may not support the continuous authentication that Zero Trust requires, or the successful implementation of MFA across 100% of your employees. More traditional and one-size-fits-all MFA tactics can be difficult to get your users to adopt.
Overall, many traditional MFA approaches are not suited for a Zero Trust architecture. For example, MFA methods that use a password with an additional authentication method still leave the door open to cyberattack, with a heavy reliance on the password as something the user has to remember and often forgets. Or MFA solutions that are unable to provide key elements to achieving Zero Trust, including advanced authentication approaches, such as contextual authentication, and more granular security policy controls.
Take the First Step
To get the most use out of implementing Zero Trust, your organization needs to have a multi-factor authentication solution. MFA requires end-users to provide two or more verification factors and is an added layer of security on top of a simple password. Based on the survey exploring Zero Trust in organizations, 59% are planning on doing so, and the first step to approaching Zero Trust is through implementing Multi-factor Authentication.
Learn more about how multi-factor authentication can enable Zero Trust in our State of MFA eBook, or read more about how IT professionals react to Zero Trust in our Why is Zero Trust important whitepaper.