ZeroTrust isn't what it used to be. Perhaps 10 years ago it wasn't worth the investment, or at least that's how a lot of people viewed it. However, not only has it substantially evolved since then - it's now absolutely vital in modern business.
Let's discuss what modern ZeroTrust looks like, why it's become essential, and common benefits/challenges.
ZeroTrust is a security concept that focuses on the idea of trusting no one - by default, the system does not trust any user or device.
In this way, access to the system can never be assumed. Instead, it's given on a permission-by-permission basis. Permissions, then, are controlled carefully by admins through good identity and access management (IAM) protocols.
This doesn't mean to say that access is made to be difficult or obstructive, which we know can make the use of a system clunky for staff. There are ways to keep it streamlined, which comes down to smart implementation and modern cloud-based technology.
Learn more: "Identity and access management: A guide to best practices" [PDF]
ZeroTrust: Protecting the cloud
ZeroTrust tends to work best for distributed, cloud-based environments. In these situations, there's no clear 'perimeter' around the business, which used to be key to cyber defence. Now, threats could come from many locations, even within, or through linked third-party vendors.
The cyber security situation in the EU and the world is rapidly evolving, and not for the better.
ZeroTrust has been around for a long time, but when it was first rolled out the landscape was quite different. Threats weren't as widespread, nor as fierce. Companies could ignore it and everything would be OK.
Now, though, just about anyone can log on to the dark web and download malware that can cripple a company. Getting someone to download the virus is even easier. Indeed, phishing attacks increased 718% from 2019 to 2020 (Allot), and the German BSI discovered 322,000 new malware strains per day in 2020 (BSI).
It's easier to get the resources required
One of the big differences now is that, overall, the corporate appetite for cyber security is bigger than it ever has been, and boards have become more open to the idea of investing in it (after all, who wants to be the next headline-hitting hack victim?).
Now it's easier to get access to the resources required to transition to ZeroTrust properly, meaning it can be better tailored to a company's needs.
Agile has made the roll-out smoother
These days, ZeroTrust can be rolled out through Agile methodologies.
Agile is all about efficiency and adaptability, helping make ZeroTrust implementation faster and more effective - avoiding major disruption to the business. This, in turn, makes the rollout smoother and more cost/time efficient, which could be an easier pill to swallow for companies on a tight budget.
Before we dig into any of the specific technical benefits, one of the most important outcomes of a ZeroTrust model is reducing the cost of cyber breaches.
Thanks to IBM, we can put it in actual dollar values, too. According to the IBM Cost of a Data Breach Report 2021, the average cost of a breach was US$1.76 million less among organizations with a mature ZeroTrust approach compared to those without.
ZeroTrust controls access. That means there will be fewer users and devices with access to the entire system. Should an attack get in, it will therefore have fewer opportunities to spread - we call that reducing the attack surface.
In much the same way you can control the access and authentication of users, with ZeroTrust you're also controlling the access of apps, servers and APIs. In the event of a supply chain attack (i.e. someone tries to get you through your vendors), or some other vulnerability related to your technology, once again the attack surface has been reduced.
Learn more: "Are you reviewing your third parties for security risks?"
When talking about big data, data analytics and smart tools, the conversation usually turns to streamlining access to data by removing it from siloes. This, of course, is very powerful, enabling the fast and effective use of a wide swath of business intelligence that can be used to supercharge the organization.
But, it's a risk to have all data sitting in one big pool. With ZeroTrust, that pool is split up - not back into siloes where it's of no use to anybody, but into organized segments based on type, use and sensitivity, which are each stored differently. This is a third act of reducing the attack surface for cyber criminals.
We should note: Data must always be accessible to the right people and could still be plugged into all of your different systems, but with ZeroTrust access levels are properly restricted so that the most sensitive or critical intelligence can't be compromised easily.
Learn more: "AI, data science, machine learning … what do they all mean?"
The modern workforce is increasingly a global one. There's no real need, in a lot of cases, for staff to all be in one place - and certainly not in the office. This is excellent from the point of view of accessing the best talent possible, but not so much from a security standpoint.
Distributed workforces are a little harder to manage in terms of cyber security because they could be on any device, or any Wi-Fi connection (even a public one at times). ZeroTrust comes in here to shore up your defenses in this area by controlling access levels and guarding sensitive data (during both storage and transit) so you can have your global workforce, and keep your system safe too.
There's no one-size-fits-all when it comes to cyber security, which is why ZeroTrust as a principle is so useful - it doesn't prescribe any one technology or framework, but can guide IT teams no matter what they want to use.
With this flexibility, the task of making sure security elements work together efficiently is made easier (there's no shoe-horning one system into another). In an ideal ZeroTrust model, combined elements complement one another rather than clash.
ZeroTrust is a fabulous security principle, but like all things IT it does have its implementation challenges. We've identified a few of the common ones so you can be prepared.
The best possible way to implement ZeroTrust would be to shut down the system, change it, then start it up again. But of course, this isn't even remotely practical.
So, there's a challenge to be had reorganizing policies and controls within an existing network when it must still function during the transition. Good change management will be vital here.
ZeroTrust basically takes the 'everyone has access to the system at all times' method and replaces it with a much more carefully controlled 'people gain access as and when required, and not before' method. This goes for customers, clients and third-party vendors too.
This is going to require a new policy for each user type, whether a human or tool, so you understand to the letter the who, what, where, when, why and how of everyone trying to gain access. It will also need closer management and monitoring, which is where access control systems like single sign-on (SSO) and multifactor authentication (MFA) tools will come into play.
For more information on these, we'd refer you again to our PDF guide on identity and access management.
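A default-deny access decision built around the who, what, where, when, why and how described above, as an added example that is not from the original article. The user types, resources, locations and hours are constructed sample values, and the `Request`, `Rule` and `decide` names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    who: str        # user type: "employee", "vendor", "service"
    what: str       # resource being requested
    where: str      # network location: "office", "remote", "public"
    when: int       # hour of day, 0-23
    why: str        # declared purpose of the access
    mfa: bool       # how: multifactor authentication completed?
    managed: bool   # how: device enrolled in device management?

@dataclass(frozen=True)
class Rule:
    who: str
    what: str
    where: frozenset
    hours: range
    why: frozenset
    need_mfa: bool = True
    need_managed: bool = True

# Constructed sample policy: one rule per user type and resource.
POLICY = [
    Rule("employee", "hr-records", frozenset({"office", "remote"}),
         range(7, 20), frozenset({"payroll", "onboarding"})),
    Rule("vendor", "billing-api", frozenset({"remote"}),
         range(9, 17), frozenset({"invoice-sync"}), need_managed=False),
]

def decide(req, policy=POLICY):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    candidates = [r for r in policy if r.who == req.who and r.what == req.what]
    if not candidates:
        return False, "no rule for this user type and resource (default deny)"
    for r in candidates:
        checks = [
            (req.where in r.where, "location not permitted"),
            (req.when in r.hours, "outside permitted hours"),
            (req.why in r.why, "purpose not permitted"),
            (req.mfa or not r.need_mfa, "MFA required"),
            (req.managed or not r.need_managed, "managed device required"),
        ]
        failed = [msg for ok, msg in checks if not ok]
        if not failed:
            return True, "allowed by rule"
    return False, "; ".join(failed)
```

Returning the reason alongside the decision gives the monitoring side something to log for every denied request.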
You could argue this is a challenge whether you're implementing ZeroTrust or not, as the increasingly remote global workforce means there are more devices than ever before to monitor within the business.
Different devices may have their own properties and communication protocols, which must be monitored and secured in a way specific to their type. Admins must also carefully monitor and control any use of personal phones/computers for work tasks, as home devices are often much more poorly protected and could present a vulnerability. Staff may require help improving the security of their personal devices at home as well as work.
If you're suddenly taking more interest in the various apps being used around the business, this will also add to the management workload. Apps must be carefully planned and monitored to ensure that they do not present a security risk, and app use/access should always be tailored to a user's actual needs.
Any legacy tools present in the business may also prove challenging, as re-architecting an old system to fit modern needs isn't always possible. At this point, you may need to start thinking about an upgrade. After all, if a system can't be fixed to the point where it's no longer a vulnerability, it's a huge risk to the business.
We mentioned earlier the idea of segmenting data so that different levels of data are stored differently, in order to grant access to those who need it while protecting your organization's most sensitive assets.
This is also a challenge. Storing data in different locations means there are more sites to protect. Segmenting data in this way is not a task that can be rushed, for you must carefully consider each storage location (or the vendor providing the location, in the case of cloud vendors) to ensure that each is up to your standards.
If you've just read all of those challenges, you might be thinking that this sounds like a monumental undertaking. But, know that it doesn't have to be.
ZeroTrust can generally be implemented in phases - it's not an on or off process. As such, the difficulty can be managed depending on what you roll out and when, based on the needs of your business.
Measuring ZeroTrust implementation through security maturity
Implementing ZeroTrust can generally be measured in terms of security maturity, which defines the complexity and sophistication of an organization's ZeroTrust framework.
In the earliest phases of maturity, ZeroTrust is predominantly about self-assessing and finding security gaps. This discovery and assessment includes tasks such as mapping data flows, inventorying users and devices, logging network traffic, and looking for privileged accounts. Combined, they help a company figure out its five Ws and H - who, what, where, when, why and how.
In the later phases, these tasks are expanded. New policies will need to be written which define who can access what, and when; users and devices become segmented with access granted based on certain restrictions; machine learning systems start to tag and classify data, advanced analytics looks for threats in real time … and so on.
Not every company will need to go through every maturity phase. The changes you make will always be based on your needs. Later maturity phases may simply be too complex and cost-prohibitive to be worth it for your size of business, and so would be avoided entirely.
To get stuck into moving to a ZeroTrust model, you'll need either a framework or instructions to follow, or a third-party expert who can provide these (plus their expertise) for you, tailored to your organization.
Tailored - that keyword is vital. When looking for either, it's important to ensure that the framework is tailored to your needs. Like we said, not every company must become fully 'mature', so there's no point spending money where you don't need to.
At dig8ital we're experienced in digital transformation and cyber security, allowing us to act not only as a technical expert for the IT and security requirements of moving to ZeroTrust, but also for managing change and reducing resistance.
To learn more about ZeroTrust, talk to us today.