Zero trust architecture has become a buzz term in the cybersecurity landscape. Its development came from the realization that traditional security models were operating on an outdated assumption: that everything inside an organization’s network should be trusted implicitly. With implicit trust, any user, once on the network, could move through it to access or exfiltrate data, since no security controls stood in the way. It’s a revolutionary way to think about cybersecurity for an organization, and one that disrupts business as usual.
But isn’t that what cybersecurity needs? I’ve been in the field for decades and authored a book about turning cybersecurity operations on their head. The reality is that we’re losing the cybersecurity war to hackers and threat actors. While my book focuses a lot on the professionals doing the job and their lack of valuable people skills, which causes the risk to increase, zero trust architecture should be part of the conversation on the next generation of cybersecurity.
What Is Zero Trust Architecture?
Zero trust architecture describes a strategic approach to cybersecurity that enables an organization to be secure by eliminating implicit trust and replacing it with continuous validation. Its beginnings sprang from the “never trust, always verify” principle. The architecture is designed for modern environments in a modern world.
Zero trust architecture can play a critical role in digital transformation and leverages robust authentication methods, network segmentation, lateral movement prevention, Layer 7 threat prevention, and granular simplification.
How Zero Trust Architecture Fits the Modern Business Landscape
Most companies, regardless of whether they are digital natives, are striving toward digital transformation goals. This accelerated significantly in the past two years due to the pandemic. The shift to hybrid work, migration to the cloud, and adaptation of security operations mean that zero trust architecture is having a big moment.
When set up and deployed correctly, this type of architecture provides higher overall levels of security while reducing security complexity and operating overhead. This point is of major importance. Simplification of architecture doesn’t mean that it’s “less than” in any way. Rather, it’s about getting back to the basics.
Simplification is a big part of my book, The Smartest Person in the Room. Unfortunately, cybersecurity professionals tend to overcomplicate everything. Often this happens because of insecurities and the desire to be the smartest person in the room. If cybersecurity appears complex, they are always in a position of power. Zero trust architecture takes care of simplification so that a company can reinvent its security posture and culture.
So, how does an organization transition to this architecture and become a zero-trust enterprise?
How Does Zero Trust Security Work?
Establishing zero trust involves having visibility and control over the environment’s users and traffic. That covers the entire spectrum, including:
- What’s encrypted
- Monitoring and verification of traffic within the environment
- Strong multifactor authentication (MFA) methods (not just passwords!)
This architecture also changes segmentation. It’s no longer rigid network segmentation at play. Instead, data, workflows, services, and everything else receive protection with software-defined micro-segmentation. As a result, everything is secure anywhere.
The Core Concept of Zero Trust
In this approach, the foundation of the strategy is to trust no one and assume everything is hostile. That’s a substantial change from traditional network security models that rely on centralized data centers and secure network perimeters. They grant access based on approved IP addresses, ports, and protocols. However, it’s easy to see why this setup just doesn’t fit the real world of cybersecurity. Hackers are too good these days. Infiltrating from the inside is something they do well.
Continuing to stay the course with these outdated security models heightens risk. While it may seem like a no-brainer to transition, the problem may be with your cybersecurity team. As I discuss in my book, technical folks are often resistant to any type of change. They may “fear” the move to zero trust, not because they don’t believe it will work, but because it’s outside of what they “know.” And that can be an even bigger threat to you than hackers.
With zero trust, there is no implicit trust. The architecture treats all traffic, even traffic within the perimeter, as in need of validation. It blocks workloads until such validation occurs. Protection is now environment-agnostic, enabling secure connections for users, devices, and applications.
Along with this core concept, there are more principles of the Zero Trust Model.
The Three Principles of the Zero Trust Model
It’s essential to remember that zero trust is a cybersecurity strategy to build your ecosystem. It goes beyond user identity, secure access, and segmentation. Its three tenets are:
- Terminate every connection: Every connection terminates at an inline proxy so that all traffic, including encrypted traffic, is assessed in real time before it reaches its destination. It’s a much different approach than firewalls, which inspect files as they are delivered and only then detect whether they’re malicious. At that point, it’s too late. You have more control over traffic, which helps prevent malware and ransomware.
- Protect data with granular, context-based policies: A zero trust policy will verify access requests and rights through context, such as identity, device, location, content type, and application requested. These policies are adaptive, meaning access privileges undergo continuous reassessment when the context changes.
- Reduce risk by eliminating the attack surface: In zero trust, users connect directly to apps and resources they need — never to networks. This process removes the risk of lateral movement, preventing compromised devices from infecting others. Additionally, users and apps are invisible to the internet, so they aren’t discoverable for an attack.
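As an added illustration, not code from the article or its author, here is how the context-based, continuously reassessed policy described in the second tenet can be expressed: every request is evaluated against identity, device, location, content type, and application with a default of deny, and a change in any of those attributes triggers re-evaluation. The attribute names and the payroll policy are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed example of a context-based, adaptive zero trust policy check.
# Assumption: the engine receives these attributes from the identity provider
# and device posture service; all names here are illustrative.

@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset          # identity: group memberships
    device_managed: bool       # device: enrolled in management
    device_compliant: bool     # device: passes posture checks
    country: str               # location
    mfa_verified: bool         # strong MFA completed in this session
    app: str                   # application requested
    content_type: str          # what the request does, e.g. "read" or "export"

@dataclass(frozen=True)
class Policy:
    app: str
    allowed_groups: frozenset
    allowed_countries: frozenset
    require_managed_device: bool
    mfa_required_for: frozenset   # content types that need a verified MFA session

def evaluate(policy: Policy, ctx: Context) -> tuple:
    """Default deny: return ("deny", reason) on the first failing check."""
    if ctx.app != policy.app:
        return ("deny", "policy does not cover requested app")
    if not (ctx.groups & policy.allowed_groups):
        return ("deny", "identity not entitled to app")
    if policy.require_managed_device and not (ctx.device_managed and ctx.device_compliant):
        return ("deny", "device not managed or not compliant")
    if ctx.country not in policy.allowed_countries:
        return ("deny", "location not permitted")
    if ctx.content_type in policy.mfa_required_for and not ctx.mfa_verified:
        return ("deny", "MFA required for this content type")
    return ("allow", "all context checks passed")

def reassess(policy: Policy, ctx: Context, **changes) -> tuple:
    """Continuous reassessment: re-run the policy on the changed context."""
    return evaluate(policy, replace(ctx, **changes))

# Constructed policy and a sample session that is initially allowed
PAYROLL = Policy(app="payroll", allowed_groups=frozenset({"finance"}),
                 allowed_countries=frozenset({"US", "CA"}),
                 require_managed_device=True, mfa_required_for=frozenset({"export"}))
SESSION = Context(user="alice", groups=frozenset({"finance"}), device_managed=True,
                  device_compliant=True, country="US", mfa_verified=False,
                  app="payroll", content_type="read")
```

Calling `reassess(PAYROLL, SESSION, device_compliant=False)` shows the adaptive behaviour: a session that was allowed is denied as soon as device posture changes, without waiting for a new login.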
Based on these principles, you can see that zero trust takes a new perspective on cybersecurity. In transforming your architecture in this way, you can also shift the mindset of your cybersecurity professionals.
Mindset is a vital aspect for cybersecurity professionals. It’s part of the Secure Methodology, which is a seven-step guide to transforming technical folks into excellent communicators and collaborators who welcome change and evolution. Getting cybersecurity professionals to shift from fixed mindsets to growth mindsets is another crucial step in adopting zero trust architecture.
One way to facilitate this is by understanding the benefits of the approach.
The Benefits of Zero Trust that Will Interest Cybersecurity Professionals
There are many benefits to zero trust that the entire enterprise can reap. But what’s “in it” for the cybersecurity team? Will this change make them fearful and resistant? How do you get them on board?
No security posture is 100% secure, and the risk of breach will always be present. The key point to hammer home for cybersecurity professionals is reducing the attack surface. That’s something they can quickly grasp and see the advantages of without much pushback. With a reduced surface, mitigating the impact and severity of cyberattacks is achievable.
Another benefit they can immediately understand is how zero trust is the most effective method for cloud security. It doesn’t trust any connection without verification. Your organization’s data sprawl and cloud computing are only increasing. Zero trust offers a path to being safer from end to end.
Finally, you just have to let them know it will make their life easier. No matter how resistant to change, cybersecurity professionals can’t argue with something that removes burdens from their plate. They might argue, but they must understand that this is in their best interest. The level of visibility that zero trust provides will deliver a much easier day-to-day workload.
Zero Trust Architecture and Its Impact on Cybersecurity Operations
The move toward zero trust begins with two questions:
- What are you trying to protect?
- From whom are you trying to protect it?
These are similar to the questions I talk about in my book that are the kickoff of any cyber project. Again, it goes back to the notion of simplification. These questions embody everything about cybersecurity.
When you have the answers to these questions, they’ll inform your strategy and architecture design. In most cases, it will involve layering technologies and processes on top of the strategy.
So, when does zero trust architecture make sense for an organization?
It’s well suited to any use case with infrastructures that include multi-cloud or hybrid cloud environments, unmanaged devices, legacy systems, and SaaS apps. Further, it’s a vital component in preventing ransomware, supply chain, and insider attacks.
Implementation of zero trust has three main stages:
- Visualize: Define all resources and their access points, then determine the risk.
- Mitigate: Detect and prohibit threats or reduce the impact of a breach in case threats cannot be immediately stopped.
- Optimize: Extend protections across the entire infrastructure and all resources, regardless of where they are, while ensuring a seamless user experience for end users, IT, and security professionals.
That’s just the condensed version of the stages, so you’ll want to flesh them out in your strategy.
Is Zero Trust Your Next Cyber Move?
Evolving your cybersecurity operations involves architecture enhancements like zero trust, but it’s not something that will solve all risk problems. You must evolve your people as well. To learn more about how to do that in tandem with architecture transformation, read The Smartest Person in the Room.