Zero Trust is not a tool or a security solution. It’s a strategy that is effective against ransomware, breaches and insider threats. It is based on the original Forrester Research tagline: “Never Trust, Always Verify” and the premise that you assume you will be breached.
This allows you to put the proper solutions in place to roll out an effective Zero Trust strategy that will dramatically improve your organization’s security posture.
Here is an excerpt from a recent ZDNet article that goes further in distinguishing between a Zero Trust strategy and what many vendors in the marketplace are describing as a toolset or a solution.
Zero Trust eXtended ecosystem (ZTX) is both technology and non-technology pieces. Protecting the perimeter and other prior security strategies didn’t easily adapt to change because they were designed around monolithic point solutions that didn’t integrate with each other. Zero Trust, however, is designed to be in a state of continuous review and optimization.
The fluid, integrated nature of Zero Trust is designed to easily adapt to business changes. Organizations need to be cautious about vendor messaging, dive into details about vendor offerings, and call them out when the technology they’re pitching seems too good to be true.
Ask the vendor you’re considering where the capability they’re describing fits in the ZTX ecosystem. If they can’t describe it, it’s a very clear sign that they don’t understand Zero Trust. Security vendors need to update their messaging to reflect the reality that Zero Trust is a journey that’s different for every organization and stop advertising Zero Trust as a product that can be bought. By selling their solutions as Zero Trust easy buttons, they continue to set their customers up for failure by perpetuating this false paradigm.
There are several pillars to a proper Zero Trust strategy, and it is often hard to figure out where to start. In practice we see many organizations start with identity and access management, so that they can authenticate users and determine who is connecting, with what (device) and from where (location) before access to the network and its many resources is granted. If there is a breach, or someone is able to improperly gain privileged access, they then have an audit trail and the ability to stop further access.
Micro-segmentation is often next, and one must decide whether to segment by application, by geographical region or by some other designation. This is important for stopping any East-West (horizontal) movement once a breach has occurred or improper access has been gained. For example, an intruder may get access to a marketing application and its data, but not to the financial apps and their often critical data.
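The access decision and segmentation described in the two paragraphs above, as an added example that is not from the article: a deny-by-default check of identity, device and location, then of the application segment, with an audit trail and revocation. The user names, device IDs, locations and segment names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy data (assumptions for illustration, not from the article).
SEGMENT_ACCESS = {"alice": {"marketing"}, "bob": {"marketing", "finance"}}
MANAGED_DEVICES = {"laptop-001", "laptop-002"}
ALLOWED_LOCATIONS = {"HQ", "VPN"}

@dataclass
class Request:
    user: str
    authenticated: bool  # result of the identity provider's check
    device: str
    location: str
    segment: str         # application segment being requested

@dataclass
class PolicyEngine:
    revoked: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def decide(self, req: Request) -> bool:
        """Deny by default: every check must pass on every request."""
        checks = [
            (req.user not in self.revoked, "user revoked"),
            (req.authenticated, "not authenticated"),
            (req.device in MANAGED_DEVICES, "unmanaged device"),
            (req.location in ALLOWED_LOCATIONS, "location not allowed"),
            (req.segment in SEGMENT_ACCESS.get(req.user, set()), "segment not authorized"),
        ]
        reason = next((why for ok, why in checks if not ok), "ok")
        # Audit trail: record every decision, allowed or denied.
        self.audit.append((req.user, req.device, req.location, req.segment, reason))
        return reason == "ok"

    def revoke(self, user: str) -> None:
        """Stop further access for an account believed to be compromised."""
        self.revoked.add(user)

def demo():
    """Run four constructed requests; return the decisions and the audit trail."""
    engine = PolicyEngine()
    results = [
        engine.decide(Request("alice", True, "laptop-001", "HQ", "marketing")),
        engine.decide(Request("alice", True, "laptop-001", "HQ", "finance")),
        engine.decide(Request("bob", True, "byod-77", "VPN", "finance")),
    ]
    engine.revoke("alice")
    results.append(engine.decide(Request("alice", True, "laptop-001", "HQ", "marketing")))
    return results, engine.audit
```

An account limited to the marketing segment is refused the finance segment even with valid credentials and a managed device, and once the account is revoked every later request fails while the earlier decisions stay in the audit trail.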
Zero Trust is a strong strategy for any organization, whether public or private sector. It also provides additional protection to leadership, as it shows that their exercise of due care was greater than the industry average and that they took steps to properly protect the organization.