Zero Trust is a set of principles and strategies, not a single solution for IT – don’t be persuaded otherwise! You will have many context-dependent implementations across your organization and ecosystem. The defense deployed depends on the specific threat.
Only when you look at Cybersecurity holistically does it become blindingly obvious that Zero Trust is both an organizational and a technical strategy, and why it should shape your organization.
The Cause - why Zero Trust has become and will remain critical.
The Network Cloud Ecosystem (shown below), distributed workforces, and supply chain and open source software weaknesses mean the network perimeter no longer exists to be defended.
Exploitation
State-sponsored threats change daily: Phishing/Ransomware-as-a-Service, Living-off-the-land attacks, lateral movement, insider and supply chain threats, etc. – and that’s just scratching the surface. They all prey on the vulnerabilities exposed by the creation of the dynamic ecosystem shown above.
Why Now?
The cause and resulting exploitation above show why Zero Trust principles and strategies, when applied, have become so relevant. Although coined more than a decade ago, Zero Trust today represents the only viable defense.
Principles and Strategies
Zero Trust Principles:
Don’t Trust, Always and constantly Verify | Assume Breach | Access using Least Privilege | Prevent exfiltration of data as opposed to just preventing access to data.
Zero Trust Strategies:
Identity management and authentication of actors – users, software, devices | actor-specific policies, controls, management and enforcement | automated, constant, time-sensitive monitoring to ensure ongoing verification and prevent trusted actors becoming threat actors | prevention, testing and remediation | automation is critical to ensure created assets are up-to-date and to eliminate human errors.
Holistic Cybersecurity and Zero Trust
Encompassing Organization and Technology
The best approach to eliminate hundreds of weak links is a holistic one that begins with the executive team, includes the whole organization and ensures proper delegation to external contractors and supply chains. Zero Trust applies across the organization, not just to Information Technology: only 32% of actions are within IT. The remainder are distributed across the organization: Exec Team 15%, Asset curation 14%, Operations 10%, HR 8%, etc., as covered in my book “Hey Who Left The Back Door Open?” A Holistic Approach To Cybersecurity https://amzn.to/3P7xb1U.
Deployment
Where Should Zero Trust Be Deployed?
The chart below makes it obvious why there cannot be a single Zero Trust solution! Map the diagram onto your organization, download the top ten list from cybyr.com, then read the book, and decide what matches the assets you need to curate and protect.
Solutions that enforce and implement the strategies may be deployed across several locations over a Trusted Path or workflow, or at a single location, and at various layers.
Zero Trust is a Journey
Finally, don’t be daunted. Zero Trust is not an overnight fix. It’s a constant journey that begins with asset curation to identify the most critical assets to protect first. Each action you take addresses your vulnerability, strengthens your weakest links and reduces your risks. Keep aware of new threats and developments such as those listed on the breaking news section of this site. Expand your understanding by reviewing the 160+ cybersecurity terms covered on this site. Use our Security as a Service software to measure your progress.