Zero trust is a never-ending journey, not a ready-made solution

Nearly all organizations are struggling with how to stay in control as their data migrates to the cloud and users connect from anywhere. The answer, they’ve been told, is zero trust.

Zero trust starts from the premise that the organization is going to be breached, so that it can focus on minimizing any potential harm. Although zero trust is well defined as an architecture and a philosophy, applying its principles across real-world infrastructure is difficult. While you can’t buy a complete, packaged zero trust solution, you can build a solid defense strategy around zero trust concepts to secure sensitive data and enable the business and users to proceed safely.

Over the past few years, the environment to which zero trust is being applied has changed dramatically. Users are working outside the safety of traditional security perimeters, using devices and networks the organization doesn’t control. Cloud and remotely accessible infrastructure enables anyone to work and collaborate from anywhere on any device, but it is critical to ensure access is secure and centrally managed.

There are numerous elements to zero trust, notably user (identity), endpoint, data, and risk. Rather than a ready-made solution or platform, zero trust represents a mindset, a philosophy, and ultimately a cybersecurity architecture. Aaron Cockerill, Chief Strategy Officer with endpoint and cloud security solutions provider Lookout, urges organizations to focus on what matters most: sensitive data.

“What’s happened over the last couple of years with digital transformation is that users, apps and data have left the building and are no longer within that traditional security perimeter,” says Cockerill. “Rather than simply providing remote access via virtual private networks, take the services that you had in that perimeter and put them in the cloud so that you can work in this new hybrid environment where apps are in the cloud or cloud-accessible.”

That’s the aim of Security Service Edge (SSE) solutions, which provide cloud-based security components including Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG) and Firewall as a Service (FWaaS).

“When users were in the building, the internet was filtered for them by their company to make sure that they were not clicking on malicious links and performing other non-secure activities, so part of SSE moves those services into the cloud.”

Most organizations have now adopted hundreds of SaaS apps, and each one handles authorization and access control differently. To avoid having IT become an expert in every SaaS app, centralized policy management across all cloud and SaaS apps through a CASB solution should also be top of the list for most organizations. “By centralizing data access policies, IT teams can minimize workloads, simplify administration, and avoid misconfiguration that can introduce vulnerabilities,” Cockerill adds.

Finally, in the wrong hands, VPNs expose large parts of your infrastructure to attack. “That’s basically a tunnel through the firewall into the soft, gooey center of any organization’s IT infrastructure, which is a nightmare from a security standpoint. Once someone connects via VPN they typically have unfettered access to adjacent apps and data, and this is where lateral movement comes into play. You need to segregate your infrastructure to prevent lateral movement.” Bad actors use lateral movement to search for systems and data that can be leveraged to extort their target. Zero trust proposes microsegmentation to address this, but ZTNA is a simpler and more modern approach.
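The contrast between the network-level reach a VPN session grants and the per-application, deny-by-default decisions ZTNA makes can be shown in code. The following is an added example, not code from the article or from Lookout; the users, groups, device-posture flags, application names and policy rules are constructed for illustration, and the evaluator is a minimal model of the idea rather than any product's policy engine.

```python
"""Added illustration: deny-by-default, per-application access decisions in the
style of ZTNA, contrasted with the reach a traditional VPN session grants.
All users, devices, applications and rules are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access attempt: who, from what kind of device, to which app."""
    user: str
    groups: frozenset
    device_managed: bool
    device_patched: bool
    app: str


@dataclass(frozen=True)
class Rule:
    """Explicit grant for a single application, with optional device-posture requirements."""
    app: str
    allowed_groups: frozenset
    require_managed_device: bool = False
    require_patched_device: bool = False


# Constructed catalogue of internal applications and the sensitivity of their data.
APPS = {
    "wiki": "internal",
    "hr-portal": "sensitive",
    "finance-db": "sensitive",
    "build-server": "internal",
}

# Constructed policy: every app needs an explicit grant, and apps holding
# sensitive data additionally require a managed, patched device.
RULES = {
    "wiki": Rule("wiki", frozenset({"staff", "contractors"})),
    "hr-portal": Rule("hr-portal", frozenset({"hr"}),
                      require_managed_device=True, require_patched_device=True),
    "finance-db": Rule("finance-db", frozenset({"finance"}),
                       require_managed_device=True, require_patched_device=True),
    "build-server": Rule("build-server", frozenset({"engineering"}),
                         require_managed_device=True),
}


def vpn_reach(authenticated: bool) -> set:
    """Network-level model: one successful VPN login places the session on the
    internal network, so every app is reachable and lateral movement is limited
    only by whatever controls each app happens to enforce itself."""
    return set(APPS) if authenticated else set()


def ztna_decide(req: Request, rules=RULES) -> tuple:
    """Per-app model: deny unless a rule explicitly grants this user, on a device
    in acceptable posture, access to this one application.
    Returns (allowed, reason) so the reason can be logged for detection."""
    rule = rules.get(req.app)
    if rule is None:
        return False, "no policy for app (default deny)"
    if not (req.groups & rule.allowed_groups):
        return False, "user not in an allowed group"
    if rule.require_managed_device and not req.device_managed:
        return False, "unmanaged device"
    if rule.require_patched_device and not req.device_patched:
        return False, "device not patched"
    return True, "explicit grant"


def ztna_reach(user: str, groups, managed: bool, patched: bool, rules=RULES) -> set:
    """Apps a given user/device combination can reach under per-app policy.
    The blast radius of a stolen credential is this set, not the whole network."""
    return {
        app for app in APPS
        if ztna_decide(Request(user, frozenset(groups), managed, patched, app), rules)[0]
    }


if __name__ == "__main__":
    print("VPN reach after one login:", sorted(vpn_reach(True)))
    print("ZTNA reach, engineer on managed device:",
          sorted(ztna_reach("alice", {"staff", "engineering"}, True, True)))
    print("ZTNA reach, contractor on personal laptop:",
          sorted(ztna_reach("bob", {"contractors"}, False, False)))
    print("HR user on unpatched device ->",
          ztna_decide(Request("carol", frozenset({"hr"}), True, False, "hr-portal")))
```

Running the script shows the segmentation effect the article describes: a single VPN login reaches all four applications, while under the per-app policy the same engineer reaches only the wiki and build server, a contractor on an unmanaged laptop reaches only the wiki, and an application with no rule is denied outright. Each denial carries a reason string, which is what you would ship to your SIEM to spot credential misuse or posture drift.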

The noise level around zero trust can be confusing for organizations trying to chart the safest course. Cockerill warns against falling for misleading claims about so-called “zero trust solutions,” and instead recommends assessing your current and desired state against an established zero trust security model, such as the one drafted by the Cybersecurity & Infrastructure Security Agency (CISA).

“Implementing zero trust is a never-ending journey and the best way of establishing the right elements of technology for you to embrace in that journey is comparing yourself back to those maturity models,” says Cockerill. “There’s no silver bullet so don’t be misled by vendors telling you there is because you can’t buy it off the shelf. You need to look for vendors that acknowledge that integration with your existing infrastructure is the right approach.”

The CISA model aligns the zero-trust security model to five pillars:

  • Identity
  • Device
  • Network/Environment
  • Application Workload
  • Data

According to CISA, each pillar can progress at its own pace and may be farther along than others, until cross-pillar coordination is required, allowing for a gradual evolution to zero trust.

There are endless ways to apply zero trust, so it’s important to start out with a well-thought-out plan. Cockerill recommends that organizations prioritize their implementation efforts according to their risk registers. “I would prioritize, maybe even over-correct towards the protection of data to stop your data from being stolen,” he adds. “Zero trust represents our best approach to the battle against cyber attackers, but it shouldn’t be considered a panacea. It’s virtually impossible to deploy controls across everything, so it’s critical to assess the risks involving the organization’s most sensitive data and start the zero-trust implementation there.”
