Zero Trust Security Explained: What, Why And How
Posted December 23, 2022 by Sayers
Traditionally, organizations have approached cybersecurity by defending their network perimeter and layering security controls (defense in depth) to protect organizational assets. Today, more organizations are turning to – or at least talking about – zero trust security. But what’s behind the buzzword?
What Is Zero Trust?
Zero trust isn’t a technology or single product. It’s a strategy and security model that takes a “never trust, authenticate everywhere” approach.
Zero trust eliminates the idea that some users and devices are trusted by default. Instead, every user and device must be authenticated at each digital interaction, which limits access as well as the attack surface.
Once verified, each identity’s access is controlled based on security policies and tools such as ongoing risk analysis.
Christopher Willis, VP of Cybersecurity and Network Engineering at Sayers, says, “Zero trust requires multiple technologies working together, because it encompasses so many different areas including identity, user authentication, and continuous validation of the user and what they’re accessing. Zero trust is security at multiple levels and checkpoints to protect data, applications, devices, and networks.”
Zero trust network access (ZTNA), an element of the zero trust model, enforces authenticated, specific access to an application or other corporate asset, such as in the case of a vendor or employee who needs remote access to a cloud-hosted database.
Gerry Wollam, Senior Cybersecurity Solutions Architect at Sayers, uses a dishwasher repairman analogy:
“For most networks, remote user access is the equivalent of giving the repairman free rein to your whole house instead of just the dishwasher. In traditional segmentation, you might have a way to restrict the handyman to just your kitchen. With zero trust, the repairman will be limited to not leaving the side of the dishwasher.”
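As an added illustration (not code from Sayers or any product), the sketch below contrasts a perimeter check with a per-request zero trust decision for the vendor-and-database case described above. The identities, resource names, thresholds and address range are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")   # constructed "trusted" perimeter range
MAX_AUTH_AGE_S = 900                       # assumed re-authentication window
MAX_RISK = 0.5                             # assumed risk-score ceiling (0..1)

# Constructed grants: identity -> the specific (resource, action) pairs allowed.
GRANTS = {
    "vendor-42": {("orders-db", "read")},
    "alice": {("orders-db", "read"), ("orders-db", "write")},
}

@dataclass(frozen=True)
class Request:
    identity: str
    source_ip: str
    auth_age_s: int         # seconds since the user last authenticated
    device_compliant: bool  # device posture check result
    risk: float             # output of ongoing risk analysis
    resource: str
    action: str

def perimeter_allows(req: Request) -> bool:
    """Perimeter model: anything inside the network is trusted by default."""
    return ip_address(req.source_ip) in INTERNAL_NET

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Evaluate every request on its own; network location is not an input."""
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "reauthenticate"
    if not req.device_compliant:
        return False, "device posture failed"
    if req.risk > MAX_RISK:
        return False, "risk too high"
    if (req.resource, req.action) not in GRANTS.get(req.identity, set()):
        return False, "no grant for this resource"
    return True, "allowed"

# Constructed requests: the same vendor session, first to the database it
# was granted, then to an unrelated internal system.
granted = Request("vendor-42", "10.1.2.3", 120, True, 0.1, "orders-db", "read")
lateral = Request("vendor-42", "10.1.2.3", 120, True, 0.1, "hr-files", "read")

if __name__ == "__main__":
    for r in (granted, lateral):
        print(r.resource, perimeter_allows(r), zero_trust_decision(r))
```

The perimeter check passes both requests because they originate inside the network, while the per-request decision allows only the database the vendor was granted.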
Why Are We Talking About Zero Trust Now?
Zero trust adoption takes concerted planning, effort, and expense. Its business value was unclear until recent developments made zero trust highly relevant:
- The size, complexity, and attack surface of IT environments have grown significantly, especially since the pandemic, making the act of securing technology more difficult.
- Cyberattacks have become rampant. As the cost to deploy harmful ransomware has decreased, the business impact has grown much higher. According to IBM Security’s Cost of a Data Breach Report 2021:
“The average cost of a breach was $5.04 million for those without zero trust deployed. Yet in the mature stage of zero trust deployment, the average cost of a breach was $3.28 million, $1.76 million less than organizations without zero trust…”
- The shift away from on-premises data centers and offices has created an opening for zero trust investment, and zero trust technologies are more mature than ever.
“We’re reaching a point where threats in the cyber landscape are escalating off the charts,” says Ken Wisniewski, Senior Security Architect at Sayers. “With everything from ransomware to general vulnerability to compromise, general approaches of defense in depth or applying specific security controls in certain areas aren’t enough to deal with security needs.”
Why Are More Organizations Taking A Zero Trust Approach?
According to the Information Security Media Group (ISMG) Zero Trust Strategies for 2022 report, based on a survey of technology leaders, the top three reasons for building a zero trust strategy are to:
- Enforce least privilege access to critical resources (44%)
- Reduce attacker’s ability to move laterally (44%)
- Reduce enterprise attack surface (41%)
All of the technology leaders surveyed believe zero trust is important to reducing their enterprise cyber risk, and zero trust directly addresses the most prevalent attack vectors today.
“If you look at a lot of the breaches we’ve seen, all it takes is one perimeter breach and, in most cases, the attacker has run of the entire internal network,” says Wisniewski. “Zero trust does away with that real possibility (by limiting the attack surface).”
While talk of a zero trust approach has been around for years, organizations are at different levels of awareness and maturity. Factors include their cybersecurity expertise and their willingness to create a long-term strategy with multiple security products.
A common mistake organizations make is to think they’re not on the radar of bad actors until they are. “They don’t take it seriously until something happens,” says Keith Brenton, Account Executive at Sayers. “But with new cybersecurity insurance protocols and compliance issues, I’ve got clients that are proactively reaching out. The market is naturally driving that zero trust model.”
How Do Organizations Benefit From A Zero Trust Roadmap?
A zero trust approach starts with a roadmap that defines the desired business and security outcomes from zero trust adoption. It should assess your organization’s zero trust readiness and build specific roadmaps for zero trust around identity, networking, devices, and data.
Organizations that invest in a zero trust security model can anticipate seeing:
- Increased security posture and business agility
- Reduced impact of security events
- Reduced cost of managing a complex control set
- More secure business transformation into digital and cloud
For a zero trust model to succeed, “it’s important everybody is working off of the same terms, expectations, and interpretations of the project,” says Willis. Teams including security, networking, and cloud all have important roles to play with the products they manage. Yet many organizations fail to take a cross-discipline approach to zero trust at a true program level.
“While it may seem simple, it’s actually quite difficult,” Willis says.