Zero Trust Architecture Is Building a Head of Steam


Posted on by Robert Ackerman

Imagine a world in which new, cutting-edge methods and techniques in cybersecurity make it unusually difficult for cybercriminals to breach a target.

Perhaps surprisingly, this scenario appears poised to become a widespread reality in coming years. Pieces of the script have already fallen into place. It’s called the Zero Trust model of security, and it embraces the approach that no digital users or devices are to be trusted without continuous verification.

It’s gaining momentum. According to Markets and Markets, a global producer of market research reports of cutting-edge industries, demand for products that support Zero Trust will grow to more than $51 billion by 2026, up from less than $20 billion in 2020. Helping matters is the federal government, which announced this year that it’s among those making a big push toward Zero Trust. Federal agencies will be required to adopt a federal Zero Trust architecture by the end of Fiscal Year 2024.

The timing for a surge in interest in Zero Trust is propitious, given the Russia-Ukraine conflict and accelerating concerns about Russian-sponsored hackers, as well as growing world tensions elsewhere. And Zero Trust has gained interest in the wake of the explosion of remote workers, whose security is inferior to that in corporate offices. Work-from-home policies may soften, but the option is likely here to stay. Zero Trust can better protect critical business data that remote workers regularly access.

Two companies—Symmetry Systems, a San Francisco-based multi-cloud security provider, and Osterman Research, a Washington-based cybersecurity market research and consulting firm—recently released a report detailing how more than 100 organizations plan to deploy a Zero Trust architecture. In so doing, the report projected that this methodology would increase the efficacy of protection against a data breach by 144 percent.

The primary goal of a Zero Trust approach is to shift from “trust, but verify,” a common federal government phrase, to “verify, then trust.” Because there is no implicit trust in any entity. This methodology contends identity and context must be continuously evaluated. Zero Trust also assumes that any environment can be breached at any time and so must be thoroughly re-worked. This reduces risk and increases business agility by eliminating implicit trust and continuously assessing user and device confidence based on identity, adaptive access, and comprehensive analytics.

Traditionally, big companies have taken a traditional castle-and-moat approach to cybersecurity, relying on perimeter security strategies to protect user data and intellectual property. These strategies involved the use of firewalls and other network-based tools to inspect and validate users going into and out of the network. People were trusted once they made it past perimeter defenses.

This approach is increasingly dated. Organizations have become far more interconnected with vendors, online customers, employees, and other stakeholders, blurring the lines of traditional perimeters. A growing potpourri of workloads, networks, and devices compromise networks still further.

Still, few companies have yet to combine Zero Trust into a cohesive whole—commonly a drawn-out process. Among other things, this can require cataloging all the devices across an organization, instituting multi-factor or biometric authentication, monitoring network connections in real time, and tightening user access controls.

So far, the conversion to Zero Trust appears rocky. According to a recent survey of 472 cyber pros and business leaders by Fortinet, a Silicon Valley-based developer of cybersecurity solutions, more than half don’t have the ability to authenticate users and devices on an ongoing basis and are struggling to monitor users post-authentication. 

Zero Trust is new to them, however, and change is often accompanied by initial problems. Hopefully, these issues are only temporary.

Companies only now looking to get started with Zero Trust may want some tips on how to proceed. Here they are:

+ Define your goals. The National Institute of Standards and Technology (NIST) says converts to Zero Trust should have two chief goals: preventing access to data and services and making access control as granular as possible. Companies new to Zero Trust should also determine why they want to enhance their security in the first place.

+ Identify what must be protected. Every organization has various types of data and different entry points by which data can be accessed. Make sure you clearly outline both before assessing your Zero Trust readiness.

+ Assess your Zero Trust readiness. This involves evaluating your organization’s network, endpoints, data, and users.

+ Build your architecture, then monitor it. After accomplishing the aforementioned steps, you’re ready to build your Zero Trust architecture. Remember that it’s a set of design principles, not a single product. And make sure you continually monitor your environment to maintain good security.

Zero Trust isn’t infallible, but it’s clearly a big step in the right direction. Companies should make sure that all stakeholders understand the value of Zero Trust. And they should use a phased approach to minimize productivity blows. Updated employee training is also necessary. The more adept select employees are in Zero Trust, the better the results.

Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Technology Infrastructure & Operations

zero trust access control perimeter-less security perimeter-less security database security network security authentication

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs