AND HOLISTIC CYBERSECURITY
What Zero Trust is and what it isn’t.
Zero Trust is a set of principles and strategies to prevent data breaches and cyber attacks. That’s it.
It’s not a single solution for IT, etc. – don’t be persuaded otherwise. You will have many context-dependent implementations across your organization and ecosystem. The defense deployed depends on the specific threat.
Only when you look at cybersecurity holistically does it become blindingly obvious that Zero Trust is a mindset and an organizational and technical strategy, and why it should shape your organization’s thinking.
The Cause - why Zero Trust has become and will remain critical.
The Network Cloud Ecosystem (shown below), Network as a Service, distributed workforces, and supply chain and open source software weaknesses mean the network perimeter no longer exists to be defended.
State-sponsored threats change daily: Phishing/Ransomware-as-a-Service, Living-off-the-land attacks, lateral movement, insider and supply chain threats, etc. – and that’s just scratching the surface. They all prey on the vulnerabilities exposed by the creation of the dynamic ecosystem shown above.
The cause and resulting exploitation above show why Zero Trust principles and strategies, when applied, have become so relevant. Although coined more than a decade ago, Zero Trust today represents the only viable defensive approach.
Principles and Strategies
Zero Trust Principles:
Never Trust, Always and constantly Verify | Assume Breach | Access using Least Privilege | Prevent exfiltration of data as opposed to just preventing access to data.
Zero Trust Strategies:
Begin with a top-level Security Policy to decide what should be protected and curate those resources to create resilience for your critical assets.
Then understand your deployment of Identity management and authentication of actors – users, software, devices | actor-specific policies, controls, management and enforcement | automated, constant, time-sensitive monitoring to ensure ongoing verification and prevent trusted actors becoming threat actors | prevention, testing and remediation | automation is critical to ensure created assets are up-to-date and to eliminate human errors.
Step-by-step, form an ongoing Zero Trust strategy for your journey and measure your progress. Rinse and repeat.
Holistic Cybersecurity and Zero Trust
Encompassing Organization and Technology
The best approach to eliminate hundreds of weak links is a holistic one that begins with the executive team, includes the whole organization and ensures proper delegation to external contractors and supply chains.
Zero Trust applies across the organization, not just to Information Technology: only 32% of actions are within IT. The remainder are distributed across the organization: Exec Team 15%, Asset curation 14%, Operations 10%, HR 8%, etc.
Where Should Zero Trust Be Deployed?
The chart below makes it obvious why there cannot be a single Zero Trust solution! Map the diagram onto your organization, download the top ten list from cybyr.com, then read the book, and decide what matches the assets you need to curate and protect.
Solutions that enforce and implement the strategies may be deployed across several locations over a Trusted Path or workflow, or at a single location, and at various layers.
Step-by-Step, starting with the most important areas to protect, map the access and flows to and through each point, and plan the Zero Trust elements and monitoring. Bake this into your Security Strategy.
Zero Trust is a Journey
Finally, don’t be daunted. Zero Trust is not an overnight fix. It’s a constant journey that begins with asset curation to identify the most critical assets to protect first. Each action you take addresses your vulnerability, strengthens your weakest links and reduces your risks. Keep aware of new threats and developments such as those listed on the breaking news section of this site. Expand your understanding by reviewing the 300+ cybersecurity terms covered on this site. Use our Security as a Service software to measure your progress.