It’s been over a decade since the term “Zero Trust” was thrust into the cybersecurity lexicon.
This concept — perimeter-based defense is outdated and network activity needs monitoring outside the “castle walls” — has become a goal state for network security. However, implementation is still a challenge, and for more than a decade, Zero Trust has joined many other industry concepts on “to do, eventually” lists.
What needs to change for the industry to embrace Zero Trust? And why is it such a valuable concept when considering how to keep the world more secure?
What Are We Trying to Protect?
Taking a step back, we have a problem defining the “home” network we aim to defend. For decades, the model has been a perimeter setup, and ideally, everything within the perimeter is safe, while everything outside is kept at bay. Think of it like an M&M candy, hard shell on the outside, soft on the inside.
But the landscape has evolved over the last 15 years. Technologies and innovations such as cloud and software as a service (SaaS) have become more prominent, and critical assets exist far outside of company boundaries.
This means organizations must adjust their security strategies — and Zero Trust is the best way to address this shift.
Any strategy shift comes with the realities: cost, implementation timelines, efficacy, and other challenges. It can take considerable time for an organization to see the results of adopting Zero Trust, causing hesitation from board members who may be looking for solutions now.
The tech world is also extremely fast-paced; new or entrepreneurial-minded companies may be moving too quickly to wait for the fruits of adopting concepts such as Zero Trust. These challenges contribute to lower adoption rates than what the industry needs.
If we think of a security strategy like building a city, we can understand why this change has yet to be fully realized. Older cities in Europe have centuries-old blueprints for city planning: a central town square, surrounding dense areas of housing and businesses, and grid-system roads. This model served citizens well enough, but as society evolves, the model should evolve too.
However, every leader may not have the time, desire, or resources to update their city for the modern world. Similar thinking applies to security decision-makers who may already have invested in one layout or one way of doing security. Even though they may know something new will be better, they may be hesitant to commit.
What would it look like if we were to build a new, modern city? There may be a better way to build cities or perform network security, but how do we do it?
Zero Trust: A Concept vs. a Product
Zero Trust is a framework or a concept; it’s not a product. There are products that help organizations achieve Zero Trust, but there is no singular plug-and-play solution.
Traditional thinking layers multiple controls that fall back on one another if one is compromised, but that alone is not enough. In a Zero Trust model, assets do not communicate unless explicitly permitted to, which reduces the “cross-contamination” of security incidents: damage stays isolated to the segment where it occurs.
Zero Trust cannot make an organization immune to compromise; that is impossible in today’s threat landscape. However, it can effectively reduce damage, surface and identify threats earlier, and decrease remediation time when triaging incidents. Think of it like healthcare; you can never totally prevent getting sick or injured, but you can do things to help, like exercise, eat better, and regularly visit the doctor.
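The default-deny behaviour described above can be made concrete with a small policy evaluator. The following is an added illustration, not code from the article or from Trellix: it assumes a constructed inventory of hosts, workload identities, and explicit allow rules, and it contrasts how far a single compromised host can reach in a flat “inside the perimeter” network versus under a Zero Trust policy where only explicitly permitted, authenticated, posture-checked requests succeed.

```python
"""Toy default-deny access policy versus a flat internal network.

Constructed example: the assets, identities and rules below are invented for
illustration and are not drawn from any real environment or product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str          # calling identity (user or workload), e.g. "svc-api"
    source_host: str      # host the call originates from
    resource: str         # asset being accessed
    action: str           # e.g. "read", "write", "https"
    authenticated: bool   # strong identity proof presented (e.g. mTLS, MFA)
    device_healthy: bool  # endpoint posture check passed


@dataclass(frozen=True)
class AllowRule:
    subject: str
    resource: str
    actions: frozenset
    require_healthy_device: bool = True


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request, rules) -> Decision:
    """Default deny: allow only if a rule explicitly grants this subject this
    action on this resource, the caller proved its identity, and (when the rule
    demands it) the device passed its posture check."""
    if not req.authenticated:
        return Decision(False, "no verified identity presented")
    reason = "no matching allow rule (default deny)"
    for rule in rules:
        if rule.subject != req.subject or rule.resource != req.resource:
            continue
        if req.action not in rule.actions:
            reason = f"action {req.action!r} not granted"
            continue
        if rule.require_healthy_device and not req.device_healthy:
            reason = "device posture check failed"
            continue
        return Decision(True, f"explicit allow: {rule.subject} -> {rule.resource}:{req.action}")
    return Decision(False, reason)


# Constructed inventory: every asset on the network, and which workload
# identity runs on each host (hosts without a workload identity have none).
ASSETS = {"web-01", "api-01", "db-orders", "hr-fileshare", "build-01"}
HOST_IDENTITY = {"web-01": "svc-web", "api-01": "svc-api", "build-01": "svc-ci"}

# Constructed allow rules: each workload may reach only what its job requires.
RULES = [
    AllowRule("svc-web", "api-01", frozenset({"https"})),
    AllowRule("svc-api", "db-orders", frozenset({"read", "write"})),
    AllowRule("svc-ci", "api-01", frozenset({"https"}), require_healthy_device=False),
    AllowRule("alice@corp", "hr-fileshare", frozenset({"read"})),
]


def reachable_flat_network(compromised_host: str, assets) -> set:
    """Perimeter model: once a host inside the wall is compromised, every other
    internal asset is reachable, because nothing inside checks the caller."""
    return {a for a in assets if a != compromised_host}


def reachable_zero_trust(compromised_host: str, rules, host_identity) -> set:
    """Zero Trust model, worst case: the attacker fully controls the host and
    therefore its workload identity, yet can still reach only the resources
    that identity is explicitly allowed to reach."""
    subject = host_identity.get(compromised_host)
    if subject is None:
        return set()
    return {r.resource for r in rules if r.subject == subject}


if __name__ == "__main__":
    d = evaluate(Request("svc-web", "web-01", "db-orders", "read", True, True), RULES)
    print("svc-web -> db-orders:", d)
    print("flat network blast radius from web-01:",
          sorted(reachable_flat_network("web-01", ASSETS)))
    print("zero trust blast radius from web-01:",
          sorted(reachable_zero_trust("web-01", RULES, HOST_IDENTITY)))
```

The point the two reachability functions make is the “cross-contamination” argument: the web tier in this constructed setup never needs the orders database or the HR share, so a compromised web host gets no path to them regardless of what else is on the network. The `Decision.reason` strings are also what a defender would want logged, since every denial is a concrete, explainable event rather than silent packet loss.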
CISO Pressure
Chief information security officers (CISOs) seem to be held to an impossibly high standard, often facing job loss or other consequences when their organizations deal with breaches or security incidents.
Simply put, CISOs remain under intense pressure, and adopting a new security framework may not be feasible under the other constraints of the role.
A few things come to mind that may help with this:
- Government support may serve as an outside influence to encourage the adoption of Zero Trust, help drive change, or create a further rationale for CISOs with their boards.
- Much institutional knowledge is lost when CISOs are let go after security incidents. Less pressure on the CISO and more time to implement frameworks like Zero Trust would help immensely. Similarly, the CISO community needs to communicate strategies and ideas to help each other grow.
- Explaining concepts such as Zero Trust in ways that resonate with board members and the nonsecurity C-suite would help create wider adoption.
The Future
If your organization is considering a Zero Trust model, simply look at the phrase itself. What if you didn’t trust any network activity? What if you put protections in place to prevent cross-contamination? What if assets were only available to those who need to use them, not everyone in your organization?
Zero Trust isn’t a plug-and-play solution, but an ongoing investment and journey. It demands dedication, perseverance, and reframing of C-suite preconceptions. Over a decade since its inception, Zero Trust is a CISO’s foremost ally in curbing the rising wave of cyberattacks and keeping critical assets safe from compromise.
As we look ahead, cybersecurity MSPs must join forces to foster a widespread, cross-sector adoption of Zero Trust principles.
Harold Rivas is chief information security officer (CISO) of Trellix.