What Is the Zero Trust Security Model?


This article was originally written on 8/31/2021.

Warren Bennis, , once made a regarding trust:

“Trust is the lubrication that makes it possible for organizations to work.”

Clearly, Mr. Bennis didn’t work in cybersecurity. 😬

In fact, being too trusting of activity happening in your IT or managed environments is downright dangerous.

Recent cyberattacks prove that a breach or exploit can cost a business far more than money. For example, reputation and credibility are often permanently tarnished as fingers are pointed following an attack. In the long run, it’s easier (and less expensive) to scrutinize, question and verify the validity of everything happening in your network.

There’s a name for that approach to cybersecurity: Zero Trust.

What Is Zero Trust Security?

The National Security Agency (NSA) has a pretty intricate definition of Zero Trust:

“Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries.”

The Agency goes on to emphasize the elimination of implicit trust in this model:

“The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.”

In simpler terms, the Zero Trust Security Model disregards implicit trust and reverses the philosophy of trust, then verify. In the Zero Trust Security Model, trust must be earned across all people and devices, whether they’re internal or external to a network.

Why Zero Trust?

At first glance, it may seem like Zero Trust is almost too mindful of threats. No user or device inherits implicit trust. Why all the extra concern?

There are quite a few good reasons to adopt a Zero Trust approach to security.

1. Cybercrime Is Expensive

Not being cautious enough is far more expensive than being overly cautious.

—representing what will be the third-largest economy in the world. Threat actors are experts at finding their way into secure environments—it’s what they do. It makes it that much easier for them when all they have to do is gain entry into an environment to garner immediate trust network-wide.

2. Today’s Remote Workforce Demands It

Another reason to adopt a Zero Trust mindset is to keep up with the demand from today’s largely remote or on-the-go workforce.

In years past, cybersecurity looked completely different from how it looks today. , and employees largely accessed these systems by logging into a secure network on-site. It’s just not like that anymore.

Nowadays, many organizations rely on a mixture of on-premises and cloud-based systems to house their applications, which are then accessed by employees and other stakeholders—sometimes from different locations across the globe. Now, it’s more the exception than the rule when a cybersecurity specialist can walk across the hall to make sure a failed log-in attempt was only an accident by an authorized user and not something—or someone—more malicious.

3. It Helps to Identify Shady Wooden Horses

Need another reason to be open-minded about Zero Trust? Let’s talk about the . (No, really.)

Though a tale from Greek mythology, the Trojan War gives us a pretty good example of why Zero Trust makes sense in today’s cybersecurity landscape. The story goes that the Greeks used a wooden horse—a Trojan horse—to infiltrate the city of Troy to win the war. A number of soldiers hid inside the horse, and the horse was pulled into Troy to mark what the Trojans believed was their victory—that is, until the Greek soldiers snuck out of the horse and destroyed the city of Troy.

Similarly, your network receives many “wooden horses” over time in the form of application updates, vendor updates and other items that typically scream business as usual. You don't want threat actors to hop out of one of those wooden horses and wreak havoc on your environment when you're not looking.

Without a Zero Trust mindset, your team would fully trust these updates and not think anything of them—and that’s exactly how the mass exploitation of on-prem Microsoft Exchange servers happened in March 2021. Few people without a Zero Trust mindset figured they’d need to double-check an update from Microsoft—a generally trusted security vendor. As a result, the updates went through, and boom—their servers were compromised.

A Zero Trust approach, on the other hand, would have required careful verification of the updates after they were installed, checking system and network functionality against recorded baseline measurements. The exploit could have been caught much earlier with a Zero Trust mindset—and much of the damage could have potentially been mitigated.
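As an added illustration (not code from the original article), the post-update baseline check described above can be narrowed to one measurable thing: file contents. The sketch records SHA-256 hashes before an update, re-hashes afterwards, and reports every difference the update was not documented to make; the directory layout and file names are constructed for the example, and `expected` is a hypothetical list of paths taken from the vendor's change notes.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def drift(baseline: dict, current: dict, expected=frozenset()) -> dict:
    """Differences between two snapshots, minus paths the update was
    documented to touch (`expected`). Anything left needs an explanation."""
    findings = {"added": [], "removed": [], "modified": []}
    for path in sorted(baseline.keys() | current.keys()):
        if path in expected:
            continue
        if path not in baseline:
            findings["added"].append(path)
        elif path not in current:
            findings["removed"].append(path)
        elif baseline[path] != current[path]:
            findings["modified"].append(path)
    return findings


def demo() -> dict:
    """Constructed sample: an update that should change only bin/app.bin."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "web").mkdir()
        (root / "bin" / "app.bin").write_bytes(b"v1")
        (root / "web" / "index.html").write_bytes(b"<h1>ok</h1>")
        baseline = snapshot(root)  # recorded before the update

        (root / "bin" / "app.bin").write_bytes(b"v2")                   # documented
        (root / "web" / "index.html").write_bytes(b"<h1>changed</h1>")  # undocumented
        (root / "web" / "extra.html").write_bytes(b"new")               # undocumented
        return drift(baseline, snapshot(root), expected={"bin/app.bin"})


if __name__ == "__main__":
    print(demo())
```

A file-hash baseline covers only what is on disk; listening ports, running services and outbound connections need their own recorded baselines compared the same way.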

Getting Started with Zero Trust Security

Zero Trust is as much of a mindset as it is architecture. To implement the Zero Trust Security Model, you have to fully embrace the mindset that nothing is safe until it’s proven to be safe and to err on the side of assuming compromise.

Operationally, the :

  • Defining mission outcomes, including the organization’s critical data, assets, applications and services (DAAS)
  • Designing from within, meaning to begin with protecting the DAAS and then securing the paths to access them
  • Creating access control policies to the DAAS to give required access to the people and applications that need it to perform their respective duties
  • Inspecting and logging all traffic to monitor activity across endpoints and flag anything suspicious
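
The four steps above, reduced to a default-deny policy check, as an added example that is not part of the original article. The resource names, users and the `Request` fields are constructed assumptions; the point is that an internal source address grants nothing, access requires an explicit grant on an inventoried resource, and every decision is logged.

```python
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool        # identity verified for this session
    device_compliant: bool  # result of a device posture check
    source_ip: str          # logged only; network location grants nothing
    resource: str
    action: str


# Constructed DAAS inventory with explicit grants: resource -> principal -> actions.
# A resource or principal that is not listed here gets no access at all.
POLICY = {
    "payroll-db": {"alice": {"read"}, "payroll-svc": {"read", "write"}},
    "source-repo": {"bob": {"read", "write"}},
}

AUDIT_LOG = []  # every decision is recorded, allow and deny alike


def decide(req: Request) -> bool:
    """Default deny: access needs a verified identity, a healthy device
    and an explicit grant on a known resource."""
    grants = POLICY.get(req.resource)
    if grants is None:
        reason = "resource not in DAAS inventory"
    elif not req.mfa_passed:
        reason = "identity not verified"
    elif not req.device_compliant:
        reason = "device posture check failed"
    elif req.action not in grants.get(req.user, set()):
        reason = "no explicit grant for this action"
    else:
        reason = "explicit grant"
    allowed = reason == "explicit grant"
    AUDIT_LOG.append({"allowed": allowed, "reason": reason, **asdict(req)})
    return allowed


if __name__ == "__main__":
    # External address, but verified user and device with a grant: allowed.
    print(decide(Request("alice", True, True, "203.0.113.7", "payroll-db", "read")))
    # Internal address, non-compliant device: denied.
    print(decide(Request("alice", True, False, "10.0.0.5", "payroll-db", "read")))
```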

Want to learn more about how to get started with adopting the Zero Trust Security Model? We recommend these resources:
