What is Zero Trust security and how do I get started?

What is a Zero Trust security strategy?

A Zero Trust architecture abolishes the idea of a trusted network inside a defined corporate perimeter. It mandates that enterprises create micro-perimeters of control around their sensitive data assets to gain visibility into how they use data across their ecosystem to win, serve, and retain customers.

Just like a zero-tolerance policy makes no exceptions to a rule, a Zero Trust strategy essentially trusts nothing and makes no assumptions on the trustworthiness of identities or peer systems. The approach doesn’t differentiate between internal and external network traffic, because doing so would be making an assumption or exception to the rule. Therefore, it treats all traffic and users the same–regardless of origination. This foundational “ground rule” sets the tone for building a complete Zero Trust architecture which essentially hardens the security of all important infrastructure making access to the data much more restricted, and hence much more resilient to attack.

While some argue that the basic concept of Zero Trust has been around for more than 20 years as the “original best practice” for firewalls and network security, the term itself started to gain traction in 2010 among analysts at Forrester.

Zero Trust is also being associated with the popular SASE security model, or Secure Access Service Edge. That’s because SASE solutions and frameworks include Zero Trust Network Access (ZTNA) solutions. What is ZTNA? Think of it as Zero Trust for network access security. As a network-level realization of the overall Zero Trust model of cybersecurity, these tools apply Zero Trust’s ground rules to network access.

How does Zero Trust work?

Zero Trust steps up security because it establishes a discipline around these best practices:

• Segment all networks associated with sensitive data and authenticating all users and system access so that only systems and users that actually need access can get it
• Encrypt all traffic and data at rest, so in case of infiltration, the attacker cannot readily read data
• Authenticate all users and systems needing access
• Inspect all traffic at the application layer coming in and out of the microsegment
• Monitor the microsegment for suspicious activity and respond if malicious activity is detected

What problems does Zero Trust solve?

With the status-quo no longer sustainable, CISOs are attempting to address the deficiencies of their traditional security practices. Zero Trust tackles two of today’s biggest underlying security issues:

• Security is too perimeter focused — it’s not suited for remote work
  One problem is that enterprises are overly dependent on a “perimeter-centric” model, protecting their networks from outside threats and assuming everything within can be trusted. But when the perimeter is breached (and it often is) malicious actors have free reign to move laterally, locating and exfiltrating sensitive data. Zero Trust expands existing security to adequately address and protect both the perimeter as well as the interior. But it also helps with remote work. When the network edge has essentially disappeared due to employees working from anywhere, Zero Trust creates a security system that works more effectively — regardless of location.
• We’re unfamiliar with our own sensitive data
  Another key issue is uncharted data. An alarming number of enterprises lack awareness of their sensitive data. Executives and IT teams don’t know where data is stored, who accesses it, and how it flows across the enterprise network. Moreover, documentation is lacking. An intimate level of familiarity is considered a prerequisite for improving security inside the network. To protect our data, we must know where it is and how it is used. Data mapping expeditions are needed, and Zero Trust calls for them.
• Systems allow for additional infiltration
  A third problem is the cascade of falling dominos–one compromised system can quickly lead to other compromised systems. Zero Trust is successful and timely because it focuses on what really matters (high-value information assets) and builds effective controls and compartments around those assets in a manner that prevents attackers from further infiltrating the network.

How do I get started with Zero Trust?

To build a Zero Trust architecture, follow these basic steps:

1. Identify sensitive data, then map its flow through the IT ecosystem. Explore the enterprise directory, performing any cleanup or updates user access rights. Highlight and lock down any globally granted access rights that should no longer be global, as these policies run counter to Zero Trust principles.
2. Base your security architecture design and network segmentation on the way transactions flow and how information is accessed
3. Enforce access controls, inspecting traffic and implementing change management processes and controls
4. Enable automated detection and response on the segmented network and data so that any malicious activity can be promptly identified and mitigated

Conclusion: The hurdles are worth it

In 2021, Zero Trust is demonstrating value as a proven and practical approach for work-from-home security, but the path to get there might be a bumpy one. Enterprises attempting a Zero Trust strategy reported that it requires a philosophical pivot in the way leadership thinks about security. Additionally, CISOs experienced challenges with the resources and tools needed for implementation and deployment. The benefits, however, are outweighing these challenges as Zero Trust prepares the enterprise for success. It’s gaining traction for good reason and there’s no doubt that it’s a strategy that will continue to escalate.

Ready for more? Get the Nemertes Research white paper, “Cutting through the Acronyms: Finding a Path to Zero Trust.”