With alarm bells ringing globally over the rising threat from malicious actors, many stemming from the war in Ukraine, adopting a security posture based on zero trust has gained a new urgency.
The zero-trust model is designed to reduce risk exposure by eliminating the unnecessary access and privileges across critical IT systems, thus creating a more “locked down” infrastructure.
Zero-trust policy hinges on enforcing least-privileged access and ensuring users do not have more permissions than are needed to complete their job.
To implement zero-trust successfully, IT security leaders must understand what the critical resources in their environment are — from applications and networks to storage and devices — as well as who can access them.
Enforcement of Zero Trust
Effective access control becomes a key consideration in the enforcement of zero trust.
Timur Kovalev, chief technology officer at Untangle, a provider of network security for SMBs, explains even before the war in Ukraine, hybrid work and the growing number of cybersecurity risks had companies moving to zero-trust strategies.
“Now with the possibility of more Russian cyberattacks, zero-trust makes sense for companies wanting to protect their digital environments,” he says. “The key principle is that instead of first making services available and then locking down access to those services, no access is granted at all unless it is specifically and deliberately given.”
At its core, zero trust uses micro-segmentation to break up security perimeters into small zones to create separate access points for separate parts of the network.
While access may be granted to one zone, access to other zones requires separate authorization. Policies are often set to give users the least amount of access needed to complete a task.
SecZetta’s chief product officer Richard Bird says the first step for IT security leaders is simply being intellectually honest.
“Companies and organizations need to honestly confront the fact that their current security strategies are not working,” he says. “They have a massive number of unknowns within their systems — unknown activities, unknown identities, unknown accesses.”
Eliminate the Unknowns
The next step every security leader needs to embrace on their zero-trust journey is to eliminate the unknowns within their systems and processes.
“IT leaders need to truly lead in times like these by vigorously questioning the effectiveness of their current security framework and architecture,” Bird says.
Zero-trust employs other security measures such as adding two-factor authentication, identity, and access management (IAM), and other verification methods, or by using an identity provider so that all authentication and authorization is centrally managed.
Kovalev says IT security leaders need to understand zero-trust isn’t a platform or device, but an initiative to protect digital environments based on the key principle based on locking down access.
“For a company looking to set up a zero-trust solution, leaders should be aware that zero-trust doesn’t require a completely new type of infrastructure with a costly brand-new solution,” he says. “It’s feasible to build on the investments that companies have already made.”
Bird adds that IT leaders can express the benefits of zero-trust by being forthright with their business peers and their boards by explained that maintaining the security status quo is a strategy of hope and luck, and that it is time to try something different.
“Something different doesn’t require spending a ton of money on new technologies,” he says. “Zero-trust simply requires you to re-think how you apply security controls in a way that eliminates the pervasive and persistent trust that they extend through system access.”
Impact of Remote Work
In addition to rising threat levels, remote work trends have exponentially increased the access pathways into company systems and processes.
Kevin Dunne, president at Pathlock, a provider of unified access orchestration, points out remote workforces require users to be able to access applications behind a firewall from anywhere in the world.
“Many organizations have shifted their applications to the cloud to ensure easier access for a remote workforce,” he explains. “This new paradigm requires more consideration of how users can be granted access, and how security teams can monitor what users are doing with the access they’ve been granted.”
Dunne says when explaining the benefits of a zero-trust model, IT leaders should clearly outline the costs of potential breaches.
Furthermore, with IT systems critical to business operations, even an hour of downtime can incur millions of dollars in cost for large enterprises.
“IT leaders should make sure to highlight the benefits of a zero-trust model in preventing application downtime by reducing the ability for insiders and outsiders to perform actions that cause harm to critical IT systems,” Dunne says.
Kovalev adds the benefits of zero-trust should be part of ongoing cybersecurity education, which also includes ransomware, phishing, and deep fakes.
From his perspective, it is crucial to take preventative measures against cyberattacks, and not create an environment that is antagonistic to employees.
“For zero-trust to have employee buy-in, it should be easy to use and not cause any disruption,” he says. “Employees should be made aware that the policy not only protects the organization, but also the individual and their home network and devices.”
Shifts to the Cloud
Dunne says he expects to see more and more applications shift to the cloud, along with more bad actors attacking the critical IT systems of large enterprises.
“As complexity grows, zero-trust will become a core pillar to defending the enterprise and ensuring business continuity,” he says.
From Bird’s perspective, when it comes to zero-trust and identity, it isn’t a matter of what the next technology is that you need to buy.
“It is a matter of exhibiting discipline and eliminating the rationalizations you are making for why you refuse to enforce high- quality controls–like strong authentication — across your entire digital estate,” he says.