We now have another buzzword in the InfoSec world – and in all honesty – it’s not a bad one, and maybe one that sticks and actually hangs around!
So, what is ZERO TRUST?
Zero Trust was essentially created by none other than John Kindervag while serving as vice president and principal analyst for Forrester Research. Kindervag argues – and I agree – that the traditional security mindset, which operates on the “…outdated assumption that everything inside an organization’s network should be trusted….”is outdated and broken. “Under this broken trust model, it is assumed that a user’s identity is not compromised and that all users act responsibly and can be trusted.” (1).
So, if you truly embrace ZERO TRUST, you believe that your organization should not automatically trust ANYTHING inside or outside its perimeters and must verify anything and everything trying to connect to its systems before granting access.
As such, the Zero Trust concept essentially advocates that trust is a vulnerability, not an asset. Interesting, right. So, once users are on the network, they can roam as they please, after all, they’ve been given access based on some type of access control methodology (RBAC), so they must be acting in good faith. Not so, according to ZERO TRUST. Consider this finding – 80% of today’s data breaches are caused by misuse of privileged credentials – and ZERO TRUST now has some serious merit. (2).
Kindervag also states that ZERO TRUST should not be looked upon as an operational detriment, rather, it can be achieved in the following five (5) ways:
1. Identify the protect surface
2. Map the transaction flows
3. Build a Zero Trust architecture
4. Create Zero Trust policy
5. Monitor and maintain
“If I have 20 calls, 17 are about Zero Trust. CISOs, CIOs and CEOs are all interested, and companies of various sizes are interested…And in three years, I think Zero Trust will be cited as one of the big-time frameworks in cyber security. Period.” That, according to Chase Cunningham, a principal analyst at Forrester. (3).
According to says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies, “The strategy around Zero Trust boils down to don’t trust anyone. We’re talking about, ‘Let’s cut off all access until the network knows who you are. Don’t allow access to IP addresses, machines, etc. until you know who that user is and whether they’re authorized.” (4).
Senior Partner in National Security & Cybersecurity. Author. Speaker. Media Personality.
Charles has helped thousands of businesses throughout the world in designing and implementing a wide-range of information technology & cybersecurity solutions. And he’s helped these very businesses grow by identifying their niche, launching new services, and ultimately obtaining a true competitive advantage in the marketplace.
Charles works with CEO’s, entrepreneurs, business owners – anyone with a true passion for securing & growing their company in today’s challenging & complex business arena. Charles also consults regularly with top political and business leaders including former Vice Presidents of the United States, Secretaries of State, ambassadors, high-ranking intelligence officials, CEO’s, entrepreneurs, civic leaders, and others. Learn more at charlesdenyer.com.