The true meaning of zero trust

Image by Freepik

Cybersecurity and data protection have quickly become top boardroom priorities for global enterprises after a record year of devastating and costly attacks like SolarWinds and Colonial Pipeline.

C-suite leaders who were not previously responsible for security are now tasked with ensuring data breaches — including ransomware attacks — and their million-dollar price tags do not jeopardize their organizations. As pressure increases, they are wisely looking to experts for guidance, many of whom are external consultants and other similar industry experts.

These people often provide checklists and best practices for what is most important in cyber security, but these lists often boil complex IT concepts down into easy-to-digest soundbites — marketing copy usually based on the latest buzzwords. In this regard, one particularly widely misused and especially problematic buzzword is zero trust.

Zero trust really is not a new concept, but the term is now being used in many different ways and contexts. I see it being used for everything from product and company names to broader technology categories to functionality — it is everywhere.

With all this use and, frankly, misuse, the true meaning has become blurred and confused. A particularly troublesome misconception is that zero trust can be bought or downloaded as a single product. This marketing is wrong and misleading.

In reality, zero trust is not simply a product or service — it is a mindset that, in its simplest form, is about not trusting any devices — or users — by default, even if they are inside the corporate network. Zero trust encompasses many technologies, products, practices and features that need to be built into not only products and services, but company-wide culture and processes.

What concerns me most about the confusing use and misuse of zero trust, including productizing the term, is how it tends to make companies think their data is safe because they have implemented a “zero trust” product when, in fact, they are still extremely vulnerable because a single product or solution alone does not equal a zero-trust posture.

Here is what organizations must actually do to implement a zero trust charter:

Organization-wide commitment: Departments across the entire organization must agree on priorities and parameters and align on access and security policies. Every single connection — from data to users and devices to applications, workloads and networks — must be architected with a zero-trust strategy and must have the ability to evolve as needed.

Cross-functional leadership: Create a dedicated cross-functional zero trust team tasked with planning and implementing a zero-trust migration. This team must include members from application and data security, identity governance and network and infrastructure security, but should also involve other areas of IT, too. The team should do regular inventory assessments to guide governance and enforcement, which requires full support from leadership.

Process and policy: Ensure the right processes and procedures are in place for identity governance. Another important element in this vein is limiting access to backups, especially backups of business-critical data, and strategically assigning access only to groups that need it.

Training and culture building: Make it easy and transparent for all employees to get educated and informed. Require zero-trust training for all employees, partners and vendors, so the mindset is set across the entire organization and value chain.

Product and tool alignment: Look for technology that has the zero-trust concept built into every part of its platform rather than tacking “zero trust” on as a feature or benefit. The technology you need helps monitor access, privilege controls and systems hardening and provides complete visibility through mechanisms like micro-segmentation and device access controls.
Monitor and maintain: Regularly review and refine your zero trust strategy — never forget that it has to be an iterative process.

As the latest buzzword, we will undoubtedly continue to see zero trust used and misused in many contexts. Remember, a true zero trust posture cannot come from a single product or solution, even if it is marketed that way. In reality, zero trust is an ongoing iterative process based on the principles outlined here that must always be evolving.

Sonya Duffin is a cyber resilience and data protection expert at Veritas Technologies. With a background in both the private and public sectors, she currently focuses on communicating complex topics like ransomware-related legislation and cybersecurity hygiene best practices to users in a way that translates into actionable strategies to better protect data. Duffin completed both her undergraduate and graduate studies at Santa Clara University.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Employees don’t feel prepared to navigate an increasingly dangerous world, and they expect their employers to not only care about their personal safety, but to actively keep them safe.