Shifting to a zero-trust mindset

John N. Panes

As the world continues to operate remotely while grappling with the pandemic, the danger of cyberattacks remains a constant threat. The current situation has people using their own devices and networks to ensure business continuity from anywhere, but these are not as secure as corporate systems and connections, and cybercriminals are not letting these easy opportunities pass.

Data security is more critical than ever, with traditional data protection techniques functioning under a “trust but verify” strategy. This perimeter-driven paradigm entrusts its internal users with unobstructed network access and provides security controls only for external or untrusted networks. However, this introduces the issue of misplaced trust that can lead to the IT landscape of an organization being exposed to vulnerabilities.

With organizations dramatically accelerating their transformation journey, effective cybersecurity that expands beyond the organizations’ territories becomes even more significant — and this is where the concept of zero trust comes in.

Zero trust is a security model based on the principle of maintaining strict access controls without trusting anyone by default, including internal users. Everyone is trusted by default in a traditional IT network, and once an attacker gets inside the network, they are free to move and gain access to protected customer data, intellectual property, or network controls. Zero-trust application security understands that attackers can be present both within and outside of a network, which is why zero-trust policy enforcement dictates that no user should be trusted automatically.

With effective zero-trust frameworks in place, organizations can enforce several critical steps as part of their arsenal to reduce cyber risk while establishing access and identity controls.

THE NEED TO ADOPT ZERO TRUST

Newer organizations are now adopting this model because it requires a simpler approach while at the same time yielding even stronger security controls.

The “trust but verify” strategy is no longer an option, as targeted, more advanced threats are now capable of moving inside the corporate perimeter. Because of the nature of remote working, accessing applications from multiple devices outside the business perimeter has become even more widespread. This increases the risk of exposure to data breaches, malware and ransomware attacks.

The zero-trust paradigm requires organizations to continuously analyze and evaluate the risks to their business functions and internal IT assets, then form strategies to mitigate them. The zero-trust model also restricts access by granting it only to users who need it, and only when each individual access request is successfully authenticated. The purpose of this process is to eliminate unauthorized access to services and data while employing a positive security enforcement model. Because it views data protection through a different lens, the zero-trust model defines explicit criteria that govern access and restrictions.


STEPS TO START THE ZERO-TRUST JOURNEY

The looming challenge for these organizations is where to start. They can begin their zero-trust journey with three simple steps, starting with building a zero-trust center of excellence. This entails creating a cross-functional working group of all the teams that will be working together on a zero-trust architecture. It includes the cybersecurity and IT teams that will handle actual deployment, as well as business leaders who will help define the business objectives necessary for successful implementation.

Second, the center of excellence will need to engage in workshops to ensure that everyone is aligned and understands the basic concepts of this model, the business objectives of the organization, and what to protect — data, applications, assets, and services (DAAS). The prototype zero-trust network can be planned during the workshop to allow IT and security practitioners in the organization to better move to a more formal design phase.

Third, start with something low-risk, instead of proceeding ahead with the “crown jewels” of the organization. Deploy zero trust first in an environment where implementation teams can get hands-on experience and develop confidence as they build this simpler but more secure network.

MAXIMIZING DATA SECURITY WITH ZERO TRUST

While there are many misconceptions surrounding the zero-trust architecture model, from its overall functionality to implementation, organizations can focus on five major aspects identified by Murali Rao, EY India Cybersecurity Consulting Leader, to better maximize their data security.

Prioritize top risks. Organizations must understand the attack surface and threat landscape to qualify risks, before prioritizing the ones that will need the most focus.

Enterprise-wide policy. Organizations will need to set policies according to the sensitivity of services, assets and data housed. The potential of zero-trust architecture relies on the access policies that organizations define.

More granular network enforcement. Organizations must always assume that the network is hostile, and that they cannot trust any user or incident. This will mean removing implicit trust from the network and building trust into devices and services.

Implement the zero-trust network based on an inside-out view. Organizations need to include zero-trust architecture as part of their overall transformation strategy. They will also need to implement technologies that help achieve zero trust as their transformation moves them further into the cloud and retires legacy systems.

Strong identity and access management. Organizations need to work on the authentication of their workloads, devices and users. Technologies such as privileged identity management, multifactor authentication, behavioral analytics and file system permissions must be enforced based on defined rules to minimize the compromise of trust.
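To make the contrast the column draws concrete, the following added example (not from the article or from SGV & Co.) models the two decision rules side by side: the perimeter rule trusts any request from an internal address, while the zero-trust rule evaluates each request on user authentication (MFA), device trust and a least-privilege entitlement, and denies by default. The request fields, entitlement table and both scenarios are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed, hypothetical model of one access request; the field names are assumptions.
@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool      # user completed strong (multifactor) authentication
    device_compliant: bool  # device attested as managed and patched
    source_ip: str          # network location the request arrived from
    resource: str
    action: str

# Hypothetical least-privilege entitlements as (role, resource, action) triples.
ENTITLEMENTS = {
    ("analyst", "sales-reports", "read"),
    ("dba", "customer-db", "read"),
    ("dba", "customer-db", "write"),
}

def perimeter_decision(req: Request) -> bool:
    """'Trust but verify' model: a request from the corporate address range is implicitly trusted."""
    return req.source_ip.startswith("10.")

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero-trust model: every request is checked on identity, device and entitlement.
    Network location is deliberately not an input, and the default outcome is deny."""
    if not req.mfa_verified:
        return False, "deny: user not strongly authenticated"
    if not req.device_compliant:
        return False, "deny: device not trusted"
    if (req.role, req.resource, req.action) not in ENTITLEMENTS:
        return False, "deny: no entitlement for this action on this resource"
    return True, "allow: identity, device and entitlement verified for this request"

# Constructed scenarios.
# 1. An intruder already inside the network (the situation the column describes), holding a
#    stolen analyst password but no MFA, on an unmanaged device, reading the customer database.
LATERAL_MOVE = Request("analyst1", "analyst", False, False, "10.0.5.23", "customer-db", "read")
# 2. A legitimate DBA working from home, with MFA completed and a compliant laptop.
REMOTE_DBA = Request("dba1", "dba", True, True, "203.0.113.8", "customer-db", "write")

if __name__ == "__main__":
    for name, req in (("lateral move", LATERAL_MOVE), ("remote DBA", REMOTE_DBA)):
        print(f"{name}: perimeter={perimeter_decision(req)}, zero trust={zero_trust_decision(req)}")
```

The perimeter rule gets both cases wrong (it admits the intruder and blocks the remote DBA), while the zero-trust rule decides each on the request's own evidence.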

THE KEY TO SUCCESSFUL ZERO-TRUST ARCHITECTURE ADOPTION

Breaches that result in lost or stolen data cost organizations significant financial and reputational damage. The zero-trust model aids in both simplification and standardization of access control enforcement across an enterprise with improved compliance and the continuity of critical business processes, and it is most effective when integrated across the entire digital IT estate.

In an era where customers, partners and the supplier ecosystem access data and services from literally anywhere, applying a zero-trust model reduces the security risks that arise from organizations’ frequent reliance on perimeter-based approaches.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of SGV & Co.

John N. Panes is a manager from the Technology Consulting practice of SGV & Co.
