A recent study by CyberRisk Alliance revealed some surprising statistics about zero trust security. While the term has been around for the last 30 years, only 35 per cent of the security leaders polled were familiar with the practice, Dave Russell and Rick Vanover at Veeam write.
More surprisingly, despite the steady rise in security incidents, the same percentage said they were highly confident in their zero trust capabilities.
While interest in zero trust has grown, many security leaders appear to be confused about how they should implement it. There is a misconception that zero trust is a plug-and-play feature, but the reality is far from that: it changes the way people work.
The concept of zero trust is simple: “[N]ever trust, always verify.” It may seem harsh to users who are used to having easy access to information, but it is a sound policy. We prefer the similar phrase “mutually suspicious.” It means, in effect, “Here’s who I am; now you prove to me who you are.” Neither side, client or service, takes the other’s identity on faith.
The truth is that, to a certain degree, this practice and the term are old, dating back to the era of minicomputers and mainframes. At heart it is about requiring good digital hygiene. What has changed is that our environment has shifted and expanded. With cloud, edge devices and data centres opening up more endpoints to attack, organisations have to rely on more than a perimeter firewall to keep intruders out and data safe: a network location on the inside of the firewall no longer says anything about whether a request should be trusted.
Organisations need to align their processes and people, along with their products, to achieve true zero trust.
Implementing the products is the more straightforward step. What’s needed is a set of security technologies that verify identity, location and device health before each access is granted. The main objective is to minimise the blast radius of any compromise by limiting access to individual segments rather than to the whole network. No single product or platform accomplishes all of this; a successful zero trust programme combines identity management, multifactor authentication and least-privileged access, so that every request is checked against the specific resource it asks for and additional verification is required before sensitive information can be reached.
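The decision logic that such a stack ends up making, as an added example (this is illustrative code written for this article, not Veeam’s product or any vendor’s policy engine): a deny-by-default evaluator that combines the signals named above, identity and group membership, MFA freshness, device posture and segment-scoped least privilege, and treats the network location as informational rather than as a grant of trust. The segment map, the resource names, the MFA age limits and the sample principals, devices and requests are all constructed assumptions.

```python
"""Added example, not code from the original article or from Veeam: a
deny-by-default access decision of the kind a zero trust policy engine
makes. All names, thresholds and sample requests below are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset            # group memberships from the identity provider
    mfa_age_s: int | None        # seconds since the last MFA challenge; None = never


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                # enrolled in device management
    compliant: bool              # passed its last posture check (patched, encrypted, ...)


@dataclass(frozen=True)
class Request:
    principal: Principal
    device: Device
    network: str                 # "corp", "vpn" or "internet"; logged, never trusted on its own
    resource: str
    action: str                  # "read" | "write" | "admin"


# Hypothetical segment policy: each resource belongs to one segment, and each
# segment lists the groups entitled to each action. Anything not listed is
# denied, which is what "least privilege" means in practice.
SEGMENTS = {
    "public-wiki": {"read": {"employees"}},
    "hr-records":  {"read": {"hr"}, "write": {"hr"}},
    "prod-db":     {"read": {"dba", "sre"}, "write": {"dba"}, "admin": {"dba"}},
}
RESOURCE_SEGMENT = {
    "wiki/handbook": "public-wiki",
    "hr/payroll":    "hr-records",
    "db/customers":  "prod-db",
}
# The more sensitive the action, the fresher the MFA must be (assumed limits).
MFA_MAX_AGE_S = {"read": 8 * 3600, "write": 3600, "admin": 300}


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every path that is not an explicit allow is a deny."""
    segment = RESOURCE_SEGMENT.get(req.resource)
    if segment is None:
        return False, "unknown resource"
    entitled = SEGMENTS[segment].get(req.action, set())
    if not req.principal.groups & entitled:
        return False, f"{req.principal.user} is not entitled to {req.action} on {segment}"
    # Device health is checked regardless of network: a compromised laptop on
    # the corporate LAN is still untrusted ("mutually suspicious").
    if not (req.device.managed and req.device.compliant):
        return False, f"device {req.device.device_id} failed its posture check"
    age = req.principal.mfa_age_s
    if age is None or age > MFA_MAX_AGE_S[req.action]:
        return False, f"MFA missing or older than {MFA_MAX_AGE_S[req.action]}s for {req.action}"
    return True, f"allow {req.action} on {req.resource} ({segment}) from {req.network}"


# Constructed sample principals, devices and requests.
DBA_LAPTOP = Device("lt-0041", managed=True, compliant=True)
BYOD_PHONE = Device("ph-9912", managed=False, compliant=False)
ALICE = Principal("alice", frozenset({"employees", "dba"}), mfa_age_s=120)
BOB = Principal("bob", frozenset({"employees"}), mfa_age_s=120)
CAROL = Principal("carol", frozenset({"employees", "dba"}), mfa_age_s=7200)

SAMPLE_REQUESTS = {
    "dba_admin_fresh_mfa":  Request(ALICE, DBA_LAPTOP, "internet", "db/customers", "admin"),
    "employee_reads_prod":  Request(BOB, DBA_LAPTOP, "corp", "db/customers", "read"),
    "dba_stale_mfa_write":  Request(CAROL, DBA_LAPTOP, "corp", "db/customers", "write"),
    "dba_on_byod_read":     Request(ALICE, BYOD_PHONE, "corp", "db/customers", "read"),
    "employee_reads_wiki":  Request(BOB, DBA_LAPTOP, "internet", "wiki/handbook", "read"),
}


def evaluate_samples() -> dict[str, bool]:
    """Decision per sample request; only the two least-privilege-respecting ones pass."""
    return {name: decide(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        allowed, why = decide(req)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name:22} {why}")
```

Note what the corporate-network requests show: being on the LAN does not rescue a request that fails on entitlement, device posture or MFA freshness, while a properly entitled admin request from the public internet on a compliant device with fresh MFA is allowed.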
Involving people
Today, zero trust technologies are available to cover every attack surface and protect organisations, but they are only as useful as the people using them, so aligning company success and security with employee success and security is critical. This means prioritising a culture of open communication, implementing clear policies, and building transparency, trust in the process and faith in each other’s ability to do the right thing.
To successfully implement zero trust technology into a corporate culture, organisations need to involve employees at every level in the process. Don’t just roll out a top-down mandate and expect it to take hold. Employees should be properly briefed on what zero trust is, how it affects their workflow and the benefits it brings to the company. Setting them up for success and educating them on what to watch out for can speed the adoption of zero trust.
By engaging employees and challenging them to bring a healthy dose of scepticism to potential threats, employers add a further layer of defence around their data. Once employees understand what is going on and the value of zero trust, they too begin to feel trusted and are empowered to be part of the broader cyber security effort. That empowerment lets them proactively identify insider and outsider threats to the enterprise, covering every surface and fostering good security hygiene.
Reassessing processes
One of the most important moves an organisation can make is to define and assess every aspect of its data security environment: where all of the organisation’s unstructured data is stored, what business purpose each data store serves, who has access to it and what security controls are in place. Knowing these things is what makes better security possible. A thorough permissions assessment will guide the development of a comprehensive access management policy. Some assets will require zero trust protection; others won’t. Every device that connects to the network will also need to be accounted for, so that each is covered by the same controls and can be defended against phishing and other external attacks.
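What a permissions assessment of the kind just described looks like in practice, as an added example (written for this article; it is not Veeam’s code and not a real tool): a small review over a data-store inventory and an ACL export that flags over-broad grants on sensitive stores, accounts that still hold write access despite not having logged in for months, full control on restricted stores, and stores that hold data but are missing from the inventory. The store list, its sensitivity labels, the ACL rows, the 90-day staleness window and the assessment date are all constructed.

```python
"""Added example, not code from the original article or from Veeam: a
permissions assessment over a constructed inventory and ACL export.
Every store, principal, permission and date below is made up."""
from __future__ import annotations
from collections import defaultdict
from datetime import date

# Constructed inventory: each data store, its business purpose and sensitivity.
STORES = {
    r"\\fs01\public":  {"purpose": "company announcements",     "sensitivity": "public"},
    r"\\fs01\finance": {"purpose": "quarterly close workpapers", "sensitivity": "confidential"},
    r"\\fs01\hr":      {"purpose": "personnel files",            "sensitivity": "restricted"},
}

# Constructed ACL export: (store, principal, permission, principal's last login).
# A last login of None means a group or an account for which the directory
# reports no login date.
ACL = [
    (r"\\fs01\public",  "Everyone",       "read",  None),
    (r"\\fs01\finance", "fin-team",       "write", None),
    (r"\\fs01\finance", "Everyone",       "read",  None),               # over-broad
    (r"\\fs01\hr",      "hr-team",        "write", None),
    (r"\\fs01\hr",      "svc-backup-old", "write", date(2021, 3, 2)),   # stale account
    (r"\\fs01\hr",      "jdoe",           "full",  date(2023, 11, 5)),  # full control
    (r"\\fs02\scratch", "Everyone",       "write", None),               # not in inventory
]
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
STALE_AFTER_DAYS = 90            # assumed threshold
TODAY = date(2024, 1, 15)        # constructed assessment date


def finding(store, principal, perm, issue) -> dict:
    return {"store": store, "principal": principal, "permission": perm, "issue": issue}


def assess(acl, stores, today: date) -> list[dict]:
    """Return one finding per policy problem spotted in the ACL export."""
    findings = []
    for store, principal, perm, last_login in acl:
        meta = stores.get(store)
        if meta is None:
            # Data we do not know about cannot be classified or protected.
            findings.append(finding(store, principal, perm, "store missing from inventory"))
            continue
        sensitive = meta["sensitivity"] != "public"
        if sensitive and principal in BROAD_PRINCIPALS:
            findings.append(finding(store, principal, perm, "broad group on sensitive store"))
        if perm in ("write", "full") and last_login is not None \
                and (today - last_login).days > STALE_AFTER_DAYS:
            findings.append(finding(store, principal, perm, "stale account holds write access"))
        if meta["sensitivity"] == "restricted" and perm == "full":
            findings.append(finding(store, principal, perm, "full control on restricted store"))
    return findings


def writers_by_store(acl, stores) -> dict[str, list[str]]:
    """Who can change each non-public store. Unknown stores are treated as sensitive."""
    out = defaultdict(set)
    for store, principal, perm, _ in acl:
        if perm in ("write", "full") and stores.get(store, {}).get("sensitivity") != "public":
            out[store].add(principal)
    return {store: sorted(principals) for store, principals in out.items()}


if __name__ == "__main__":
    for f in assess(ACL, STORES, TODAY):
        print(f"{f['issue']:34} {f['store']:16} {f['principal']:15} {f['permission']}")
    for store, who in writers_by_store(ACL, STORES).items():
        print(f"writers of {store}: {', '.join(who)}")
```

The writer list is the input to the access policy: each name on it either maps to a business purpose recorded in the inventory or is a candidate for removal, and the findings are the exceptions to work through before any access is cut over to enforcement.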
One key technical mechanism that helps organisations in a zero trust world is immutability: creating copies of data that cannot be modified or deleted once written. It ensures that a clean copy remains available for recovery even if an attacker or a malicious insider gains the ability to change or destroy the production data.
An often overlooked practice is to define a common zero trust framework for the whole organisation. Teams should agree on what zero trust means and ensure that this definition is applied across all projects and employee levels.
Last, and perhaps most important, is the need to reassess and revise these zero trust processes. Zero trust is an ongoing process and should be treated as a regular routine. Think of it like going to the gym: exercise becomes a way of life, and active people tweak their workout routines all the time. The same goes for security. Zero trust is a continuum. You’re never done.
Staying flexible
The threat landscape will continue to evolve over time. Organisations taking a zero trust approach will need to develop a comprehensive plan and then continually revise their technologies, processes and people practices to meet their future needs.
Dave Russell is the vice-president of enterprise strategy at Veeam and Rick Vanover is the senior director of product strategy at Veeam.