Get the ‘Zero Trust’ approach to complete infosec

It has emerged as a comprehensive approach to all security issues. It sounds complicated but is quite simple, provided a few tips are kept in mind

The world has been talking about ‘Zero Trust’ as a comprehensive IT security strategy with a broad architectural scope covering cloud, on-premise, and hybrid environments as well as user endpoint devices. It’s also extensible to the Internet of Things (IoT) and operational technology spaces, particularly in mission-critical systems where Zero Trust security can be so important. So, while Zero Trust is achievable and based on premium security principles, implementing it can be a challenging and complex, multi-year, multi-phase undertaking with significant technical and organisational aspects to be coordinated.

Zero Trust is a strategic mindset that is highly useful for organisations to adopt as part of their digital transformations and efforts to increase security and resilience.

Zero Trust ultimately impacts the entire enterprise security architecture, security operations approaches and many organisational roles, responsibilities, and procedures. Not surprisingly, there are several different expert perspectives in this field as well as an increasingly large number of vendor products and service offerings for implementers to try and understand, procure, implement and integrate.

Given the extensive scope of Zero Trust, the numerous complex perspectives and service provider options available, with different levels of security maturity, and different business risks to consider, many organisations struggle with zero trust implementation, planning and execution.

WHAT IT IS, WHAT IT IS NOT

Zero Trust is a strategic mindset that is highly useful for organisations to adopt as part of their digital transformations and other efforts to increase security and resilience. Though it is based on long-standing principles, it is a simple approach to information security (InfoSec) that is often misunderstood and overcomplicated due to conflicting messaging within the security industry and a lack of established Zero Trust standards. Historically, InfoSec relied heavily on technical controls, with security models based on the ability to collect assets and surround them within a controlled physical perimeter. This is no longer the case.

Users were historically presumed to be “trusted” based on their location within the enterprise perimeter. It upends this concept by requiring verification, irrespective of location, before granting access to an asset. Zero Trust leverages long-standing principles like “never trust, always verify,” the concept of least privilege and the practice of segmentation to increase cyber hygiene, reduce total cost of ownership (TCO) and damage from incidents, and promote faster recovery times. By augmenting their existing security practices with Zero Trust principles, organisations establish a strong foundation for safeguarding their assets in complex and distributed environments. This proactive approach enhances security posture and minimises potential risks associated with the evolving threat landscape.

Zero Trust fosters resilience by providing a means to contain the “blast radius” and reduce the impact of any breach while facilitating quick recovery.

Zero Trust also recognises that breaches happen. To foster resilience, it provides for a means to contain the “blast radius” and reduce the impact of any breach while facilitating quick recovery. These same techniques increase the work and investment required by bad actors, further reducing the likelihood of incidents. Recent interest in Zero Trust is driven by new business models, the adoption of the Cloud, and new government requirements.

Moreover, Zero Trust recognises the holistic relationship between people, processes, organisations and technology, and that technical controls alone are no longer sufficient.

ADDING VALUE TO THE BUSINESS

When properly understood, the Zero Trust philosophy and strategy are valuable tools that organisations can use to enhance security, increase resilience, and guide digital transformation. And there are guiding principles that any organisation can leverage when planning, implementing, and operating Zero Trust. These best practices remain consistent across all Zero Trust pillars, use cases, environments and products. As expertise and industry knowledge mature, additional authoritative references such as guidance, policies and legislation may be added.

Zero Trust provides the required assurance through a combination of basic principles common to all Zero Trust initiatives. Organisations leverage Zero Trust to transform data and network cybersecurity management practices broadly.

Many Zero Trust management concepts have emerged, including principles, tenets, pillars, architecture plans and frameworks. While this evolution is a journey, transforming through Zero Trust is not equated to a single project (business, operations, technology) or a specific product.

Zero Trust is a mature methodology aimed at increasing the protection of critical assets in a highly distributed architecture. It requires upfront planning with all key stakeholders understanding that each ZT journey is unique. The greater the alignment with the business, the greater the likelihood of success in the Zero Trust journey.

Many organisations have changed their operating models to foster cloud adoption and remote work. Traditional security practices do not adequately address the new risk landscape this has created.

HOPPING ON THE BANDWAGON

Organisations seeking to improve their cyber resilience can no longer rely on a hard outer shell or solely on technical controls to mitigate their cyber risk.

The cyber threat landscape continues to evolve and expand beyond the capabilities of a traditional fortress model to defend. The scope of what needs to be protected has expanded as well. Businesses are no longer dealing with only IT assets and data. The scope has expanded to include devices, workloads, applications and business processes residing outside of IT. This is commonly referred to as Data, Applications, Assets, and Services, or DAAS for short.

By aligning the security architecture with the business operating model, organisations can transform their business while providing proper security without hindering business processes.

When accepted as a foundational concept, Zero Trust supports many other enterprise efforts like privacy, compliance and risk management. Zero Trust is not a standalone concept or technology. Rather, it is a comprehensive security strategy and approach that encompasses various principles, strategies, and technologies. It is designed to address the evolving threat landscape and the limitations of traditional perimeter-based security models.

Further, it is a common misconception that Zero Trust is perimeter-free. In today’s interconnected world, the perimeter is not as distinct or as solid as it once was. However, organisations cannot be relieved of their obligation to be diligent just because they cannot rely on a strategy that guarantees to keep the bad actors out and only allows the good actors in. Quite the opposite, as it is incumbent on organisations to define, monitor and control internal and external boundaries to protect their assets.

The journey toward Zero Trust is not a final destination; instead, it comprises iterative, incremental, and non-disruptive processes. Organisations should recognise it as a roadmap aligned with demands and outcomes for the Zero Trust strategy. Diversity exists in available capabilities and requirements. Shifting from theory to practice involves comprehending its implementation.

Last, but not the least, and this is important, businesses need to understand and build capacities, train people and make hands-on possible.

By Madhav Chablani

Madhav Chablani is Consulting CIO with the Healthcare Group and Chairman of Cloud Security Alliance – NCR (India).

feedbackvnd@cybermedia.co.in