Article Originally Published in Hartford Business Journal 10/2022
Companies need to rethink the security of their corporate networks starting from the principle of Zero Trust. Users today can be located anywhere, on any device, accessing resources in a corporate data center or the Cloud.
The concept of Zero Trust has been around for over two decades. According to Forrester in 2010, “A Zero-Trust architecture abolishes the idea of a trusted network inside a defined corporate perimeter.”
The primary principle of Zero Trust is to trust no person or device inside or outside your network until their identity has been verified (identity is the perimeter). Zero Trust provides a framework that can include a range of technologies and best practices. The Cybersecurity and Infrastructure Security Agency (CISA) has developed a model that assesses maturity across five pillars of Zero-Trust:
Network / Environment
How to Progress in Your Zero Trust Journey
Collaboration is key: Zero Trust drives a new organizational mindset and requires a high level of cross-functional cooperation, including with Information Security, Networking, Infrastructure Engineering, Application Architecture & Development, and others.
1. Establish a three-year roadmap. Document the current state of Zero-Trust-related technologies, including an inventory of business-critical applications and data dependencies. Grade current capabilities as Traditional, Advanced, or Optimal. Knowing your strengths and weaknesses will help you to prioritize improvements.
2. Preparation is Key: The initial focus should be understanding your current Identity and Access Management (IAM) posture. Effectiveness in these foundational areas will support your Zero Trust journey:
Least-Privilege Access Policies
Centralized Control Point (Policy Enforcement)
Modern Device Security (e.g., MFA, OTP)
3. Build use cases and controls. Start by targeting a Cloud problem such as securing SaaS applications. Consider adding controls that provide incremental improvements based on your roadmap. Elements of your solution could include Cloud Access Security Broker, Secure Cloud Gateways, Policy Decision Engine, and Improved Analytics Platforms.
4. Keep working on the problem in layers. Perfection is the enemy of good. Start with your biggest threats and use cases (e.g., how to protect a remote worker, or securely enable use of new Cloud applications). Continuously re-assess your options for improvement and expansion. As capabilities and needs evolve, apply the TIME methodology to assess your resources and options against your Zero Trust vision: which options will you Tolerate, Invest, Migrate, or Eliminate?
Why is Zero Trust Important?
Implementing Zero Trust brings many potential benefits to a company, including:
Reduce Unacceptable Risk: Moving towards Zero Trust will help your company reduce the likelihood of data loss and improve your IT resiliency, especially in complex and meshed ecosystems. Improved visibility into threats and vulnerabilities and a faster mean time to respond within the kill chain will reduce both the potential for and the impact (financial and reputational) of a breach of your company’s digital assets.
Improve User Experience: The tenets of Zero Trust improve the experience for your users by providing more self-service and innovative solutions, which reduce friction when they interact with resources. Happy users result in better Net Promoter scores.
Optimize Processes: Zero Trust is good for your IT team too. By building in increased automation, repeatability, and maturity in your security systems, you can eliminate non-value-add work and allow your IT teams to focus on more agile delivery and greater innovation.
Reduce Technology Debt: Technology Debt can be a real drain on IT and Security. Implementing Zero Trust initiatives will move you towards more standardization and simplification, as well as keeping your infrastructure and software resources current. Systems left unpatched because vendors have ended support are a top contributor to the greatest data-breach risks facing organizations.