Zero trust is one of the most used buzzwords in cybersecurity, but what exactly does this approach entail?
Before looking at how zero-trust principles can accelerate innovation and set organizations up for success, it’s important to understand what a zero-trust approach is.
What is zero trust?
Grounded in the principle of “never trust, always verify,” zero trust is designed as a response to the outdated assumption that everything inside of an organization’s network can be implicitly trusted. Traditional layers of security assume users and data are always operating within the confines of the enterprise walls and data centers — like a physical store. But today’s enterprises have users and partners working from anywhere and accessing applications and data deployed across data centers and external clouds — like an online store.
Traditional approaches to IT security emphasize protecting infrastructure assets, such as managed network connectivity and access, with a “defense in depth” mindset, while business users require secure and safe access to files and assets with a “frictionless” mindset. This divergence in mindsets lets threat actors and malicious insiders exploit access to an organization’s sensitive data, while the organization still risks lost productivity and business disruption. Zero-trust approaches help to mitigate these risks by treating data as a strategic asset to protect, and by continuously validating safety and access at every stage of digital interaction within your network.
With this knowledge at hand, security professionals are looking to implement the zero-trust approach in their organizations. For instance, the federal government is requiring its agencies and commercial organizations to adopt zero trust, and earlier this year urged each of them to designate a strategy implementation lead.
Misconceptions surrounding zero trust
Malware poses a threat regardless of the size of the organization, and taking a zero-trust approach is a great first step toward mitigating it. One of the biggest mistakes organizations make when structuring their zero-trust strategy is to associate zero trust with infrastructure assets, such as networks and devices, when its purpose is to serve as a principle for continuously protecting data as a strategic asset of the organization. With zero-trust architecture, the same security policies should be applied regardless of whether the infrastructure is corporate-owned, personally-owned, fully managed by IT or migrated to the cloud. A successful zero-trust adoption must place data at the center of the architecture to strengthen the enterprise security posture.
Another misstep organizations make when adopting zero trust is believing that upgrading managed network connectivity and deploying multi-factor user authentication is sufficient to protect data. While these security capabilities are critical, many forget about safeguarding the enterprise data and content that users and applications work with every day, often in unmanaged scenarios such as receiving files from third-party partners, uploading content to unmanaged collaboration sites, and automatically exchanging files with supply chain interactions and data lakes. This data is now being shared across vendors, customers, suppliers, business units, partner organizations, consultants and remote employees. In other words, the former outsider is now an insider, and even the strongest perimeter security has been rendered meaningless. That’s why enterprises need to focus on the life cycle of the content and develop a strategy that secures unstructured data wherever it travels across applications, servers, networks, user devices, databases and the cloud at all times, regardless of how it is being used or stored.
Think like a hacker
To protect data and content using zero-trust principles, security leaders must consider the many ways that digital files are accessed and shared by authorized users, and hence can be compromised. For example, every file contains rich metadata, layers of functional components and even macros for business use. Most users never even realize that this information exists, and these components make files susceptible to carrying evasive malware. Cybercriminals have developed advanced obfuscation techniques, including hiding ransomware and zero-day malware in password-protected or other “unscannable” files and delivering malicious attachments in phishing emails from known senders, among others.
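To make those hidden layers concrete, here is an added example (not from the article or from Votiro) of a triage routine that inventories what an Office-style container carries: metadata parts, macro projects, embedded objects, and entries a scanner cannot read because they are encrypted. The function names `triage` and `build_sample` are hypothetical, and the sample document is constructed in memory with placeholder contents.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 / Compound File header

def triage(data: bytes) -> dict:
    """Inventory what a container file carries before any user opens it."""
    report = {"container": "unknown", "macros": [], "embedded": [],
              "metadata": [], "encrypted": [], "unscannable": False}
    if data.startswith(OLE_MAGIC):
        # Legacy Office file, or password-protected OOXML (EncryptedPackage stream).
        report["container"] = "ole"
        report["unscannable"] = "EncryptedPackage".encode("utf-16-le") in data
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["container"] = "zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & 0x1:  # bit 0 of the ZIP flags: entry is encrypted
                report["encrypted"].append(name)
            if name.lower().endswith("vbaproject.bin"):
                report["macros"].append(name)
            elif "/embeddings/" in name.lower():
                report["embedded"].append(name)
            elif name.lower().startswith("docprops/"):
                report["metadata"].append(name)
    report["unscannable"] = bool(report["encrypted"])
    return report

def build_sample(encrypt_flag: bool = False) -> bytes:
    """Constructed sample: an OOXML-shaped ZIP with placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/core.xml", "<cp:coreProperties/>")
        zf.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
        zf.writestr("word/embeddings/oleObject1.bin", b"placeholder")
    raw = bytearray(buf.getvalue())
    if encrypt_flag:
        # Mark every central-directory entry as encrypted (flag field at offset 8).
        pos = raw.find(b"PK\x01\x02")
        while pos != -1:
            raw[pos + 8] |= 0x01
            pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)

if __name__ == "__main__":
    for label, blob in (("plain", build_sample()), ("flagged", build_sample(True))):
        print(label, triage(blob))
```

A file that comes back with `unscannable` set is the case the paragraph warns about: the gateway has to decide what to do with content it could not inspect, rather than pass it through by default.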
Understanding the different ways files can be exploited by bad actors will give you a sense of where your security gaps may be. Keep in mind that no single zero-trust platform secures every part of users’ and applications’ interactions with data in a company’s IT and cloud infrastructures. As a result, organizations need to implement a variety of open, API-based security services that integrate easily and protect content and data wherever it is used.
The bottom line
Security leaders must reassess the threats the organization faces and prioritize the cybersecurity controls that mitigate risks. A data-centric approach to zero-trust also means that we need to eliminate implicit trust, assume all managed and unmanaged user and application access to data can be compromised and mitigate the risk with security controls that enable secure and safe use of data at all times. Security architects must design and implement zero-trust architecture down to the asset — data.
No matter the security technologies and services you deploy, the main goal of the zero-trust approach is to introduce a data-centric culture to protect data at the source and enable secure business transformation. The price for inaction is too high.
Ravi Srinivasan, CEO, Votiro – With more than 25 years of experience in cybersecurity and technology transformations, Ravi leads Votiro as CEO. Votiro’s mission is to make every digital file safe for users to access regardless of how it got to them. Prior to Votiro, Ravi held several product and marketing leadership roles at Forcepoint, IBM, Synopsys and Texas Instruments.