Zero Trust Security Model - How Does It Affect IT Security Management?
Microsoft


Three years ago, I thought the Zero Trust Network, or Zero Trust architectural model, would be cited as one of the greatest cybersecurity timeframes. The model was created in 2010 by John Kindervag, then a chief analyst at Forrester Research, Inc. Seven years later, CIOs, CISOs, and other leaders are implementing it, and the technologies that support it are moving into the mainstream as attacks become more sophisticated and the pressure to protect corporate systems and data grows.

The concept of trustless security is not new, and it is synonymous with the network security approach known as micro-segmentation: a way to create secure zones in a data center or cloud deployment so that you can isolate and protect workloads. This approach is attractive because traditional areas of security are no longer effective in controlling cybersecurity.

Promoting zero corporate confidence is critical to success, no matter how you decide to begin your transition. Companies pursuing zero-trust policies must determine the approach that best suits their unique environment. This includes weighing up risk profiles and access methods, defining the scope of implementation for zero trust in their environment, and defining the specific verifications they need before users can access their business resources.  

End-to-end encryption, data hashing, automated backups, and securing leaky buckets are just some of the ways companies can build zero trust into their data security plans. Drawing a common thread through all these security controls is essential for proper security orchestration. An organization's security management system for zero trust must ensure that security solutions work together to cover all possible attack vectors.

A fundamental part of zero trust networking is eliminating the possibility that an attacker who gains access to one secure area can use it to access others.

With the explosion of cloud technologies and the mobile workforce, it is clear that corporations need a new security model. This means adapting to modern distributed workplaces. It means embracing mobility in employees' work habits by providing them with secure access no matter where they are working from or what device they're using for business purposes (e.g., laptops, tablets). And it means protecting people's information wherever it's stored, whether on devices like smartphones or in corporate data centers filled with servers that power applications used around the clock every day.

A Zero Trust approach transforms the security model into one that verifies requests explicitly using all available signals, employs the principle of least privilege access, and assumes breach. This approach should extend throughout your entire digital estate to ensure safe practices are implemented across every area you have control over. It should also serve as an integrated safety philosophy and end-to-end strategy based on six foundational pillars: 

  • Identities - It is imperative that we verify all identities with strong authentication.
  • Devices - Get visibility into all the devices accessing your network and secure them.
  • Applications - Discover shadow IT and get real-time insights with a powerful control panel.
  • Network - Tighten security by encrypting all internal communications and limiting access to only those who need it.
  • Infrastructure - Employ a real-time threat detection system that automatically blocks and flags risks while employing least privilege access principles.
  • Data - Classify, label, and encrypt data to protect it wherever it lives or travels.

 Each of these six pillars is a critical resource to be defended, but where do you start?

 First of all, let me share with you Microsoft's simplified diagram of Zero Trust Security:

[Image: Microsoft's simplified diagram of Zero Trust Security]

Every Zero Trust model must verify authentication requests explicitly using all available signals, such as validation of the credentials, the location of the user, and the device being used, and must assess the overall risk of each authentication session. It must also employ the principle of least privilege access and assume breach.

This approach should extend throughout the entire digital estate. It should also serve as an integrated security philosophy and end-to-end strategy based on the six foundational pillars listed above.
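The explicit verification described above can be sketched as a small policy decision function. This is an added example, not code from the article or from Microsoft; the role names, scopes, trusted countries, signal weights and thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed policy: least-privilege scopes per role (hypothetical names).
ROLE_SCOPES = {
    "finance-analyst": {"ledger:read"},
    "finance-admin": {"ledger:read", "ledger:write"},
}
TRUSTED_COUNTRIES = {"US", "CA"}   # assumption: where this workforce operates
STEP_UP_RISK, DENY_RISK = 40, 70   # assumed thresholds, tune per environment

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    credential_valid: bool   # result of the password or token check
    mfa_passed: bool         # strong authentication already completed
    country: str             # location signal
    device_managed: bool     # device signal: enrolled in management
    device_compliant: bool   # device signal: patched and encrypted
    scope: str               # the single permission being requested

def risk_score(req):
    """Combine location and device signals into one session risk score."""
    score = 0
    if req.country not in TRUSTED_COUNTRIES:
        score += 40
    if not req.device_managed:
        score += 40
    if not req.device_compliant:
        score += 40
    return score

def decide(req):
    """Return (decision, reason). Anything not explicitly allowed is denied."""
    if not req.credential_valid:
        return "deny", "invalid credentials"
    # Least privilege: the role must hold exactly the scope requested.
    if req.scope not in ROLE_SCOPES.get(req.role, set()):
        return "deny", "scope not granted to role"
    # Assume breach: valid credentials alone never skip the risk check.
    score = risk_score(req)
    if score >= DENY_RISK:
        return "deny", f"session risk {score}"
    if score >= STEP_UP_RISK and not req.mfa_passed:
        return "step_up", f"session risk {score} requires MFA"
    return "allow", f"session risk {score}"

# Constructed sample request: known user, trusted location, healthy device.
SAMPLE = AccessRequest("alice", "finance-analyst", True, False,
                       "US", True, True, "ledger:read")
```

Calling `decide(SAMPLE)` allows the request; changing one signal at a time (country, device state, requested scope) shows how each moves the outcome to step-up or deny.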

Every Zero Trust journey is unique, so start by evaluating your current environment, available resources, and priorities. We have helped many customers start this journey with automated assessments of their IT environment. Often we begin with a Data and Infrastructure Assessment alongside a Cybersecurity Assessment.

The information captured in these assessments allows us to build a Zero Trust Implementation Path based on actual data and utilization of your network. Our philosophy is to apply a pragmatic approach to Zero Trust adoption, which means think big, start small and move fast.
