Achieving Zero Trust Is a Journey, not a Destination
By Christopher R. Wilder
Research Director and Senior Analyst, TAG Cyber
This is the first of a series of five blog posts by analysts from TAG Cyber, a trusted cybersecurity research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises.
Zero Trust establishes network trust as a vulnerability and must continually verify every user, device and connection for every transaction or interaction.
Zero Trust is one of the most consequential shifts in enterprise cybersecurity strategies. Traditionally, cybersecurity models were centralized, working with the assumption that every user should be trusted and their identities are not compromised. In this scenario, once a bad actor gets access, they can operate at will.
Conversely, Zero Trust assumes everything on the network is a threat. As more businesses move their infrastructure to a hybrid cloud and work environment, a rigid network perimeter is no longer adequate. The shift to remote work, along with changes in how an organization provides its customers and partners with an enhanced digital experience, has resulted in IT and security teams supporting thousands of applications, databases and individuals connecting from home computers outside an IT department’s control.
Many enterprises currently operate with a poor patchwork of legacy security solutions and outdated tools that lack integration. As a result, security teams spend more time on manual tasks, lacking the experience, context and insight to reduce the organization’s attack surface.
Trust is Vulnerability
Zero Trust focuses on addressing the security needs of hybrid cloud environments by providing organizations with adaptive, continuous and proactive protection for users and data. In other words, Zero Trust establishes network trust as a vulnerability and must continually verify every user, device and connection for every transaction or interaction.
Applying a Zero Trust framework also helps defenders gain insights across their security business. They can enforce security policies consistently to detect and respond to threats faster and more precisely.
The Journey to Zero Trust
There are as many approaches to Zero Trust as solutions in the market, but there is no argument that Zero Trust requires a broad portfolio of security solutions. There are three key requirements for security teams wishing to take a Zero Trust approach.
- User Identity and Access: At the core of Zero Trust, multifactor authentication (MFA) helps teams manage and understand who is requesting access. A detailed access and identity policy structure then confirms which resources each user can access based on that verified identity. MFA and single sign-on (SSO) solutions are essential, and it is important for teams to support other access points as well, such as portals, Remote Desktop Protocol (RDP), mobile device management (MDM), Virtual Private Networks (VPNs), reverse proxies, etc.
- Data & Application Security: Even with strong identity and access policies and measures in place, data and applications remain open to breaches, whether the data is at rest or in transit. End-to-end encryption, automated backups and hashed data are effective ways of incorporating Zero Trust methods. Furthermore, hosted services and Software as a Service (SaaS) solutions create additional enterprise vulnerabilities. We believe SaaS solutions present other security risks, especially around compliance and third parties, so SaaS providers must enact Zero Trust methods themselves.
- Context of Access is Key: Deploying a Zero Trust approach requires richer signals than a traditional binary authentication check such as username and password. Zero Trust associates details and traits with each connection to verify who is connecting, as well as the context of their relationship to and access to the network. Each enterprise has its own requirements for ensuring that access and context are applied consistently across the entire organization. It is important to know the difference between information and context; each relies on the other and both are essential when making decisions, but context is what makes information actionable and is the foundation of a Zero Trust environment.
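The three requirements above come together at a policy decision point that looks at identity, device and context for every single transaction rather than once at login. The following is an added illustration, not TAG Cyber's code or any product's API; the request attributes (entitlement, MFA status, device posture, network type, data sensitivity) and the rule thresholds are assumptions chosen to contrast a perimeter-style decision with a per-request Zero Trust decision.

```python
"""Per-request access decisions in a Zero Trust style.

Added example; the attribute names and rules are hypothetical and not
from the original post.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Everything the policy engine is told about one transaction."""
    user: str
    resource: str
    sensitivity: str      # "low" | "medium" | "high"
    entitled: bool        # identity policy grants this user this resource
    mfa_verified: bool    # a second factor was completed recently
    device_managed: bool  # device is enrolled in MDM
    device_patched: bool  # device posture check passed
    network: str          # "corp" | "vpn" | "public"


def perimeter_decide(req: AccessRequest) -> str:
    """Legacy model: anyone authenticated inside the perimeter gets everything."""
    return "allow" if req.network in ("corp", "vpn") else "deny"


def zero_trust_decide(req: AccessRequest) -> Tuple[str, List[str]]:
    """Evaluate identity, device and context for this single request.

    Returns (decision, reasons) with decision in {"allow", "step_up", "deny"}.
    Hard denials are checked first; softer findings accumulate into a
    step-up (re-authentication) prompt instead of an outright allow.
    """
    reasons: List[str] = []

    # 1. Identity: entitlement first, then strength of authentication.
    if not req.entitled:
        return "deny", [f"{req.user} is not entitled to {req.resource}"]
    if not req.mfa_verified:
        reasons.append("no recent MFA")

    # 2. Device: high-sensitivity data requires a managed and patched device.
    if req.sensitivity == "high" and not (req.device_managed and req.device_patched):
        return "deny", reasons + ["high-sensitivity data requires a managed, patched device"]
    if req.sensitivity == "medium" and not req.device_managed:
        reasons.append("unmanaged device for medium-sensitivity data")

    # 3. Context: location only adds risk; it never grants trust on its own.
    if req.network == "public" and req.sensitivity != "low":
        reasons.append("public network")

    if reasons:
        return "step_up", reasons
    return "allow", ["identity, device and context all satisfied"]


def evaluate_session(requests: List[AccessRequest]) -> List[str]:
    """Decide each transaction independently: an earlier allow carries no trust forward."""
    return [zero_trust_decide(r)[0] for r in requests]


# Constructed sample session: one user, three requests, changing context.
SESSION = [
    AccessRequest("alice", "wiki", "low", True, True, True, True, "corp"),
    AccessRequest("alice", "payroll-db", "high", True, True, True, False, "corp"),
    AccessRequest("alice", "crm", "medium", True, False, False, True, "public"),
]

if __name__ == "__main__":
    for req in SESSION:
        print(req.resource, "perimeter:", perimeter_decide(req),
              "zero-trust:", zero_trust_decide(req))
```

Run as a script, the second request shows the difference the post is describing: the perimeter model allows an unpatched device to reach the high-sensitivity database simply because it sits on the corporate network, while the per-request evaluation denies it and reports why. Every reason is returned alongside the decision so the same evaluation can feed logging and detection, not only enforcement.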
As cyber threats grow more sophisticated, they aim to inflict as much damage as possible while avoiding detection. Determined hackers will target any vulnerability within the enterprise. If an attacking force can break into the network at a weak point—through an application, for example—this shouldn’t lead to catastrophic system collapse. Organizations pursuing a Zero Trust approach take advantage of advanced security functionality to protect all systems, users, workloads and endpoints. Finally, Zero Trust enables security and IT teams to focus their time and efforts on driving the digital transformation that makes their company more competitive, as well as providing a better user and customer experience, instead of dedicating valuable time and resources to fighting attacks.