The security challenges that organizations face are only getting more daunting. Cybercriminals are more organized than ever and are even using techniques employed by legitimate IT companies, such as project management and custom development best practices. Some organized cybercrime outfits have achieved a level of expertise equivalent to that of a skilled penetration testing unit.
To address these growing threats, many organizations are adopting a zero-trust approach to security that requires all users, inside and outside an organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted access to applications and data.
The impetus for this trend is coming from multiple directions. A key driver is a 2021 executive order from President Joe Biden that established a zero-trust strategy for the federal government. The policy requires agencies to meet specific security standards by the end of 2024. The Cybersecurity and Infrastructure Security Agency released the latest update to its Zero Trust Maturity Model this April, adding new guidance for organizations looking to implement this approach.
Adoption by the federal government has spurred widespread zero-trust implementation in the private sector, as corporate executives and boards apply pressure on IT teams to address security threats.
“The government adoption of zero-trust architecture is really driving the momentum in the commercial space,” says CDW Field CISO John Candillo.
Click the banner below to receive exclusive security content when you register as an Insider.
Understanding Zero Trust Is Essential to Success
As they engage in efforts to implement a zero-trust approach, organizations and their IT teams must understand that it is a process, not a destination. The steps an organization takes toward zero trust will evolve as numerous factors change, including the organization’s business needs, the threats it faces and the security solutions it uses.
“There are a lot of great solutions that can help,” says CDW Chief Security Technologist Jeremiah Salzberg. “But it’s important to remember that zero trust is more of an architectural strategy than a specific product or technology.”
The benefits of zero trust extend beyond an improved security posture, says Jeremy Weiss, an executive security strategist with CDW. Implementing zero-trust principles can help organizations reduce their technical debt and build more efficient business processes. Because the approach employs network segmentation, application developers can operate securely at a quicker pace than they could otherwise.
The process of implementing zero trust also provides much clearer visibility into an IT environment than most organizations have, Salzberg says. IT teams are better able to see dependencies between different systems and applications and understand how they communicate and interact.
“We’ve seen some improvements in overall stability and efficiency in environments where they’ve gone to a zero-trust architecture,” Salzberg says.
READ: CDW’s white paper “Getting Zero-Trust Architecture Right for Security and Governance.”
Three Key Elements of Zero Trust
As they work toward implementing a zero-trust approach, IT teams should focus on three essential elements:
- Visibility: IT teams need to know what data an organization has, where it resides, where it is transmitted, how it is used and who has access to it.
- Identity: An organization must be able to determine with confidence the identity of users who are accessing specific sets of data
- Governance: An organization must have rules in place for what data it maintains, how it is accessed and transmitted, who is granted access, and how they prove their identity. Additionally, the organization must have mechanisms in place to enforce these rules.
With many organizations moving data and workloads to the cloud, especially in Software as a Service deployments, maintaining visibility and control can be a significant challenge.
“It’s difficult to understand what’s actually in your environment, which systems should be talking and which systems actually are talking,” Salzberg says. “That whole analysis has always been a challenge and continues to be, but it’s fundamental for zero trust.”
A variety of tools can help organizations establish the elements of zero trust, including multifactor authentication, segmentation and microsegmentation, single sign-on solutions, secure web gateways, and encryption. As they work to deploy these and other tools in a zero-trust environment, organizations must understand that this approach is a continuing pursuit.
“Zero trust is something organizations want to include in how they build and implement new applications and start to work on retrofitting old applications into the new model,” Salzberg says.
“Some people think it’s like a light switch that you can just turn on, that you can just do this and have zero trust,” Candillo adds. “It’s certainly not like that. It’s building a foundation and getting the tools and implementing them in the environments where it makes sense.”
UP NEXT: Best practices for deploying zero trust in your mobile environment.
Brought to you by: