As much as security leaders would welcome it, unfortunately, there is no silver bullet to combat cybersecurity risk. That's probably why Zero Trust is such a hot topic, especially for companies moving through their digital transformation. Zero Trust is not a technology, product, or solution. It's a conceptual architectural approach built upon an ecosystem that creates an environment for a holistic security posture.
Zero Trust security doesn't assume trust among users, applications, devices, networks, and services, operating within the security perimeter. Instead, anyone and anything trying to access corporate assets must be verified through strict access controls before access is allowed.
Zero Trust is a combination of technologies, implemented within an architecture developed to support a holistic security initiative and strategy. I like to think about it in terms of fighting and winning a war versus fighting a single battle. Winning a war requires a comprehensive plan, strategy, and execution, that encompasses many different armaments, varied locations, individual battles, and diverse combatants.
A multi-layered approach for mapping out a perimeter around corporate assets, Zero Trust ensures anyone accessing them has the right level of verification, a secure device, and the right account privileges. Identifying all the assets you want to protect, and mapping their transaction flows, will protect your assets, leverage security and risk policies, and enable ongoing monitoring of your Zero Trust security architecture.
Mapping all digital assets allows you to understand the various nuances of application and data usage throughout the organization. Understanding the users, their applications, their locations, the times they access, and how they connect, allows you to govern and enforce policy to protect corporate assets.
Forget about 'coloring inside the lines'
Modern, digitally-enabled enterprises operate within a perimeter-less environment, with assets on-premises, and in the cloud. This creates a growing list of potential attack surfaces, including corporate offices, IoT, mobile users, and remote office workers. Enterprise borders are becoming virtualized and managed by a software-defined perimeter (SDP) that controls access to resources based on identity. The structure for this approach is fundamental to a Zero Trust "need to know" model, where every endpoint attempting access to a corporate asset must be authenticated and authorized before they gain entry.
You must consider the user experience
A Zero Trust architecture has many components to maintain a high level of security. However, it's important to build in the user flows and the user experience, as part of a Zero Trust model. Identifying every aspect of the flow process, and how it impacts the user, will create an environment conducive to a frictionless experience.
Organizations creating a Zero Trust environment that supports a quality user experience should also consider a federated single sign-on. This enables users with seamless single authentication, that is trusted among different systems and organizations. A Zero Trust architecture with contextual policies that tie into risk-based authentication plays a key role in simplifying the user experience and determining what, and how, a user within a merged environment can access corporate assets.
With Zero Trust, the whole is greater than the sum of its parts
A Zero Trust architecture provides visibility and context across users, applications, devices, networks, and locations. It helps identify business processes, workflows, users, and data. It manages risk, by using policies, that can be automatically updated, through learning systems that adapt iteratively to user dynamics and business changes.
Aggregating policies for risk, applications, users, devices, IP addresses, locations, and workloads; the myriad security and identity access management (IAM) tools and platforms; and multi-factor authentication, all contribute to creating a solid Zero Trust model. Application workloads are dynamic and move across diverse application hosting environments, including corporate data centers, and public, private, and hybrid clouds. A Zero Trust architecture must understand the dynamic nature of user behaviors and ubiquitous connectivity. This is where automation through AI and machine learning can provide continuous improvements in supporting and enforcing Zero Trust policies.
APIs are another element of a Zero Trust architecture that strengthen an organization’s security posture. API Gateways, with the OAuth 2.0 protocol and OpenID Connect identity layer, sit in front of corporate assets to extend identity trust mechanisms. This enables a consistent pattern of how user access tokens are granted. API Gateways implement security controls by acting as a broker between users and corporate assets.
From buzzword to reality
While Zero Trust may be a buzzword in security conversations, it's truly a necessity for any organization on a digital transformation journey. Those looking to strengthen their security posture will find Zero Trust a "must-have" in order to holistically integrate the interdependencies among users, devices, applications, networks, and data.