What does Cybersecurity mean in today's world? What is interesting about this mainstream topic is how many different meanings it has in the boardroom, IT department and across the business. Cybersecurity defines IT Security, Cloud security, perimeter security, malware countermeasures and many other areas that are not necessarily related to one another. However, we are all comfortable with using a single term to describe all of these as they are part of an organization's collective defense against cyber threats. Using that definition as a launching point, Cybersecurity is protecting an organization, information, and its assets from attack by cyber criminals or other malicious actors.
Zero Trust is an emerging cybersecurity best practice that is not new but has gained popularity in recent years with newly surfaced external attack vectors.
It is a new way of thinking about Cybersecurity, a mind shift for foundational security principles with design thinking. Still, it is not a modern technology or methodology for protecting organizations. Instead, it is a paradigm shift in how we approach security, and it can guide us through the many challenges we face today as threats become increasingly sophisticated and complex. Simply, it changes the quote "Trust but verify" into "Trust but verify continuously". This is a small but particularly important shift in the phrase that accurately describes the difference between Zero Trust and traditional cybersecurity practices.
In the past, companies had all their most important and sensitive data stored on-site, where they could establish a solid and secure perimeter, which means the firewall for their domain was heavily focused on. Of course, external actors must be verified, but once they are allowed into the domain, they essentially would have access to everything on the network.
Zero Trust still focuses on having a strong firewall, but once an external actor is allowed inside, they are only allowed to use what they have been given permission to use. An example of this is an individual on your marketing staff would not have access to the financial tools used by your finance department, and vice versa. So Zero Trust ensures that only the right users can get the right access to the right data for the right reason.
The Zero Trust model doesn't rely on any specific technologies or tools; rather, it opens up possibilities for how we secure our organizations by asking one simple question: Is this person or device trustworthy? The only way to know the answer is by verifying their identity before granting them access to sensitive data or resources.
As the regulatory environment changes, it is driving us to adopt new technologies. There is a strong push towards more efficient, agile, and cost-effective ways of protecting data. The regulatory environment also requires better controls over data in the cloud. The current trend presents an opportunity for companies that can meet these challenges with innovative solutions such as Zero Trust.
NIST and CISA have developed Zero Trust Maturity Models, but commercial companies such as IBM are also coming out with models and frameworks. The National Institute of Standards and Technology Special Publications 800-207: Zero Trust Architecture emphasizes preventing unauthorized access to data and services coupled with making the access control enforcement as granular as possible.
In the past, organizations could operate in a relatively isolated fashion regarding Cybersecurity. While there were efforts by multiple government agencies to increase security awareness and reporting of breaches, the threat was largely considered something that only impacted other organizations. However, that has changed over time, and the regulatory environment is driving us towards a more interconnected world. As cybercrime ramps up, the need for Cybersecurity will also rise.
The financial sector has been under increasing scrutiny from internal compliance teams and regulators over the last several years due to high-profile data breaches at companies like Equifax and JP Morgan Chase, which have resulted in millions of individuals having their personal information compromised. As such, many organizations are now required by their respective regulative bodies (e.g., U.S., EU) or internal business functions (e.g., finance) to obtain verifiable evidence they have mitigated identified risks through formalized risk management processes such as those outlined within ISO 27001:2013 or NIST SP800-53r4.
On May 12th, 2021, the White House released Executive Order 14028 on improving the nation's Cybersecurity. President Biden instructed the US to move towards Zero Trust Architecture with this executive order.
The executive order and the immediate need to switch to a Zero Trust architecture presents a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data and assets that change over time.
Organizations need an approach that allows them not only to comply with regulatory requirements but also to operate more effectively within their organizational context utilizing existing resources while reducing overall cost.
The answer is no. Zero Trust was created with a vision of security that extends beyond cloud-only solutions, and it's not just for applications, either. The principles of Zero Trust should be applied to users, data, networks, and systems across the enterprise. Saying Zero Trust was created for the cloud is akin to saying water is only used to water crops. While this is a component of what it does, it does not encompass the range to which zero Trust can and should be implemented.
The first step to achieving a Zero Trust environment is to take an honest and thorough look at your organization's risks. What are the threats? What are the vulnerabilities? What are the controls? What are your policies, or lack thereof?
Once you've done this risk assessment, you can begin to build out each of these areas to protect yourself from those risks.
Following NIST's migration plans for transitioning to Zero Trust, firstly, you should identify actors in the enterprise. Second, you should identify assets owned by the enterprise. Third, you should identify key processes and evaluate the risks associated with executing the process. Fourth, you should formulate policies for the zero trust architecture candidate. Fifth, you should identify candidate solutions. Sixth, you should deploy and continue monitoring your solution. (CISA ZTMM)
The Zero Trust maturity model represents a gradient of implementation across five pillars, where minor advancements can be made over time towards optimization. The pillars include Identity, Device, Network, Application Workload, and Data. Each pillar can progress at its own pace, allowing for the different allocation of resources towards protecting specific business processes while simultaneously moving towards optimization for the enterprise as a whole.
Your enterprise should develop clear business or mission objectives and positive outcomes. Determine and map the current state to the desired state, as you should have your start and end point for your transition to Zero Trust. Interview key stakeholders, determine which tools can be leveraged and replaced, and identify key services and low-hanging fruit that can be addressed easily. Design the migration plan, conduct a proof-of-concept test, and then begin implementation or transition to a Zero Trust architecture.
We see the Zero Trust big picture and understand the scale of change required –from networks and identity to changing the organization itself to work more adaptively. We understand the 'why' of Zero Trust and the 'how'.
Our independence ensures our credibility as trusted advisors. It enables us to provide clients unbiased advice on the pitfalls and challenges in implementing Zero Trust while still allowing us to bring the right technical skills to the table.
Our assessment and planning tool supports clients in choosing their Zero Trust journey, helping them make the right decisions along the way and flex the program to accommodate any changes during delivery.
We are passionate about partnering with clients on Zero Trust to work together to build innovative solutions and tackle the challenges head-on.