“Trust is the lubrication that makes it possible for organizations to work.”
Clearly, Mr. Bennis didn’t work in cybersecurity. 😬
In fact, being too trusting of activity happening in your IT or managed environments is downright dangerous.
Recent cyberattacks prove that a breach or exploit can cost a business far more than money. For example, reputation and credibility are often permanently tarnished as fingers are pointed following an attack. In the long run, it’s easier (and less expensive) to scrutinize, question and verify the validity of everything happening in your network.
There’s a name for that approach to cybersecurity: Zero Trust.
What Is Zero Trust Security?
The National Security Agency (NSA) has a pretty intricate definition of Zero Trust:
“Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries.”
The Agency goes on to emphasize the elimination of implicit trust in this model:
“The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.”
In simpler terms, the Zero Trust Security Model disregards implicit trust and reverses the philosophy of trust, then verify. In the Zero Trust Security Model, trust must be earned across all people and devices, whether they’re internal or external to a network.
Why Zero Trust?
At first glance, it may seem like Zero Trust is almost too mindful of threats. No user or device inherits implicit trust. Why all the extra concern?
There are quite a few good reasons to adopt a Zero Trust approach to security.
1. Cybercrime Is Expensive
Not being cautious enough is far more expensive than being overly cautious.
Cybercrime is predicted to cost the world $10.5 trillion annually by 2025—representing what will be the third-largest economy in the world. Threat actors are experts at finding their way into secure environments—it’s what they do. It makes it that much easier for them when all they have to do is gain entry into an environment to garner immediate trust network-wide.
2. Today’s Remote Workforce Demands It
Another reason to adopt a Zero Trust mindset is to keep up with the demand from today’s largely remote or on-the-go workforce.
In years past, cybersecurity looked completely different from how it looks today. Companies contained their network of systems within corporate data centers, and employees largely accessed these systems by logging into a secure network on-site. It’s just not like that anymore.
Nowadays, many organizations rely on a mixture of on-premises and cloud-based systems to house their applications, which are then accessed by employees and other stakeholders—sometimes from different locations across the globe. Now, it’s more the exception than the rule when a cybersecurity specialist can walk across the hall to make sure a failed log-in attempt was only an accident by an authorized user and not something—or someone—more malicious.
3. It Helps to Identify Shady Wooden Horses
Need another reason to be open-minded about Zero Trust? Let’s talk about the Trojan War. (No, really.)
Though a tale from Greek mythology, the Trojan War gives us a pretty good example of why Zero Trust makes sense in today’s cybersecurity landscape. The story goes that the Greeks used a wooden horse—a Trojan horse—to infiltrate the city of Troy to win the war. A number of soldiers hid inside the horse, and the horse was pulled into Troy to mark what the Trojans believed was their victory—that is, until the Greek soldiers snuck out of the horse and destroyed the city of Troy.
Similarly, your network receives many “wooden horses” over time in the form of application updates, vendor updates and other items that typically scream business as usual. You don't want threat actors to hop out of one of those wooden horses and wreak havoc on your environment when you're not looking.
Without a Zero Trust mindset, your team would fully trust these updates and not think anything of them—and that’s exactly how the mass exploitation of on-prem Microsoft Exchange servers happened in March 2021. Few people without a Zero Trust mindset figured they’d need to double-check an update from Microsoft—a generally trusted security vendor. As a result, the updates went through, and boom—their servers were compromised.
A Zero Trust approach, on the other hand, would have required careful verification of the updates after they were installed, checking system and network functionality against recorded baseline measurements. The exploit could have been caught much earlier with a Zero Trust mindset—and much of the damage could have potentially been mitigated.
Getting Started with Zero Trust Security
Zero Trust is as much of a mindset as it is architecture. To implement the Zero Trust Security Model, you have to fully embrace the mindset that nothing is safe until it’s proven to be safe and to err on the side of assuming compromise.
Operationally, the Zero Trust Security Model requires the following:
- Defining mission outcomes, including the organization’s critical data, assets, applications and services (DAAS)
- Designing from within, meaning to begin with protecting the DAAS and then securing the paths to access them
- Creating access control policies to the DAAS to give required access to the people and applications that need it to perform their respective duties
- Inspecting and logging all traffic to monitor activity across endpoints and flag anything suspicious
Want to learn more about how to get started with adopting the Zero Trust Security Model? We recommend these resources: