ZERO TRUST

AND HOLISTIC CYBERSECURITY

What Zero Trust is and what it isn’t.

Zero Trust is a set of principles and strategies not a single solution for IT – don’t be persuaded otherwise! You will have many context-dependent implementations across your organization and ecosystem. The defense deployed depends upon on the specific threat.

Only when you look at Cybersecurity holistically, does it become blindingly obvious that Zero Trust is both an organizational and technical strategy and why it should shape your organization

The Cause - why Zero Trust has become and will remain critical.

The Hybrid Cloud (shown below), distributed workforces, supply chain and open source software weaknesses means the network perimeter no longer exists to be defended.

Exploitation

State-sponsored threats change daily: from Phishing/Ransomware-as-a-Service, Living-off-the-land attacks, lateral movement, insider and supply chain threats, etc. – and that’s just scratching the surface. They all prey on the vulnerabilities exposed by creation of the dynamic ecosystem shown above.

Why Now?

The cause and resulting exploitation above show why Zero Trust principles and strategies, when applied, have become so relevant. Although coined more than a decade ago,  Zero Trust today represents the only viable defense. 

Principles and Strategies

Zero Trust Principles:

Don’t Trust, Verify | Assume Breach | Access using Least Privilege | Prevent exfiltration of data as opposed to just preventing access to data.

Zero Trust Strategies:

Identity management and authentication of actors – users, software, devices | actor-specific policies, controls, management and enforcement | automated, constant, time-sensitive monitoring | prevention, testing and remediation

Holistic Cybersecurity and Zero Trust

Encompassing Organization and Technology

The best approach to eliminate hundreds of weak links is a holistic one that begins with the executive team, includes the whole organization and ensures proper delegation to external contractors and supply chains.
Zero Trust applies across the organization not just to Information Technology with only 32% of actions within IT. The remainder are distributed across the organization: Exec Team 15% Asset curation 14%, Operations 10%, HR 8%, etc., as covered in my book “Hey Who Left The Back Door Open?” A Holistic Approach To Cybersecurity https://amzn.to/3P7xb1U.

Deployment

Where Should Zero Trust Be Deployed?

The chart below makes it obvious why there cannot be a single Zero Trust solution! Map the diagram onto your organization, download the top ten list from cybyr.com, then read the book, and decide what matches the assets you need to curate and protect. 

Deployment of solutions that enforce and implement the strategies may span several locations over a Trusted Path or workflow, or at a single location and at various layers.