Feb 06 2024

What Are the Key Principles of an Effective Zero-Trust Security Environment?

Focus on these five “pillars” on your journey to the ideal model for cybersecurity.

In the face of increasingly intelligent cybercriminals and rising threats, organizations must protect their networks and online environments from attacks. Cybersecurity remains the top priority for business and technology leaders, with 65 percent citing broader data security and better detection of advanced threats as a critical goal in Zscaler’s "State of Zero Trust Transformation 2023" report.

IBM’s 2023 “Cost of a Data Breach” report ranks social engineering techniques such as phishing scams as one of the top causes of security breaches, making training a vital component of any organization’s cybersecurity posture. But training alone won’t protect a network from criminals.

As a result, more organizations are turning to zero-trust security strategies.


What Does a Zero-Trust Security Model Look Like?

Zero trust is a security model in which access to an organization’s network and resources is monitored continuously. It is a cybersecurity mindset, not a final state of security that businesses can hope to achieve.

In a zero-trust architecture, every attempt to access an organization's network, data or applications must be verified and approved. This applies to internal and external requests for access. All users should be vetted each time they attempt to access an organization’s network.

According to the Cybersecurity and Infrastructure Security Agency (CISA), the implementation of zero trust should span five pillars: identity, devices, networks, applications and workloads, and data.

How to Apply the Core Tenets of Zero Trust

In addition to the five pillars, there are seven tenets of zero trust that IT leaders should follow, as described in the National Institute of Standards and Technology’s SP 800-207, Zero Trust Architecture. They are:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy — including the observable state of client identity, application/service and the requesting asset — and may include other behavioral and environmental attributes.
  5. The organization monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization is dynamic and strictly enforced before access is allowed.
  7. The organization collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

These tenets apply to all devices that are used to access the organization’s networks, including those owned by employees, as well as all the data they generate and all the applications they access. Often, IT teams don’t have the resources to adopt all these tenets overnight. Therefore, businesses should think of zero trust as a journey.
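To make the seven tenets concrete, here is an added example (not code from the article, NIST or CISA) of a minimal policy decision point. It evaluates every request per session (tenet 3), against a dynamic policy that considers identity, MFA strength, device posture and transport (tenets 2, 4, 5 and 6), denies anything it does not recognize (tenet 1), and records every decision for later posture analysis (tenet 7). The resource names, policy values and the set of MFA methods treated as phishing-resistant are assumptions constructed for the example.

```python
"""Toy policy decision point illustrating the NIST SP 800-207 tenets.

Everything here is constructed for illustration: resource names, policy
thresholds and the MFA method set are assumptions, not a real product's API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed: which authenticator types count as phishing-resistant.
PHISHING_RESISTANT_MFA = {"fido2", "piv"}

# Constructed policy table (hypothetical resources). Each entry states what a
# session must prove before access is granted; anything absent is denied.
POLICY = {
    "hr-payroll": {"phishing_resistant_mfa": True, "max_session_age": timedelta(minutes=30)},
    "team-wiki": {"phishing_resistant_mfa": False, "max_session_age": timedelta(hours=8)},
}


@dataclass
class AccessRequest:
    user: str
    mfa_method: str          # "fido2", "totp", "none", ...
    device_compliant: bool   # posture signal from an MDM/EDR agent (assumed input)
    session_started: datetime
    resource: str
    encrypted_channel: bool  # was the request carried over TLS/mTLS?


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # empty when allowed


# Tenet 7: keep every decision so posture can be measured and improved.
DECISION_LOG: list = []


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Evaluate one request for one session; default deny, every check explicit."""
    reasons = []
    policy = POLICY.get(req.resource)
    if policy is None:
        # Tenet 1: an unlisted service is still a resource and gets no implicit trust.
        reasons.append("unknown resource, default deny")
    else:
        if not req.encrypted_channel:
            reasons.append("transport not encrypted (tenet 2)")
        if not req.device_compliant:
            reasons.append("device posture non-compliant (tenet 5)")
        if policy["phishing_resistant_mfa"] and req.mfa_method not in PHISHING_RESISTANT_MFA:
            reasons.append("phishing-resistant MFA required (tenet 4)")
        if now - req.session_started > policy["max_session_age"]:
            reasons.append("session too old, re-authenticate (tenets 3 and 6)")
    decision = Decision(allow=not reasons, reasons=reasons)
    DECISION_LOG.append((now.isoformat(), req.user, req.resource, decision.allow, tuple(reasons)))
    return decision


def example_decisions() -> dict:
    """Three constructed requests: a compliant one, a weak one, and an unknown target."""
    now = datetime(2024, 2, 6, 12, 0, tzinfo=timezone.utc)
    return {
        "alice": evaluate(AccessRequest("alice", "fido2", True, now - timedelta(minutes=5),
                                        "hr-payroll", True), now),
        "bob": evaluate(AccessRequest("bob", "totp", False, now - timedelta(hours=1),
                                      "hr-payroll", True), now),
        "carol": evaluate(AccessRequest("carol", "fido2", True, now, "unknown-app", True), now),
    }


if __name__ == "__main__":
    for user, decision in example_decisions().items():
        print(user, "ALLOW" if decision.allow else "DENY", decision.reasons)
```

The point of the structure is that no single signal grants access: a strong authenticator on a non-compliant device, or a compliant device on an expired session, is still denied, and the denial reasons are logged rather than silently dropped, which is what lets a team measure where its posture is weakest.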


Zero-Trust Security Is a Journey with Levels of Implementation

There are ways to measure each stage of a business’s journey from traditional security through optimal zero-trust maturity. CISA has mapped each of the four stages of maturity against its five pillars:

Traditional: Most businesses will begin the zero-trust journey at this first stage. In a traditional model, most security processes are manual. Organizations may have manual deployments of threat protection solutions, manual configurations, minimal encryption and static access controls.

Initial: In this environment, organizations can begin to implement automation for protections like access expiration and some threat protection.

Advanced: Here, businesses will take into account protections such as phishing-resistant multifactor authentication, session-based access, encrypted network traffic and data at rest, and redundant but highly available data stores with static data loss prevention.

Optimal: An optimal model features full automation with self-reporting solutions, least privilege access and centralized visibility with situational awareness. This level features continuous user validation, access controls with microperimeters and continuous data inventorying with automated data categorization.

It’s unrealistic for any organization to strive for an optimal environment right out of the gate. Achieving optimal zero trust is a long-term goal that IT professionals can plan for and work toward, securing their environments through smaller changes along the way.

Wherever a business is in its zero-trust journey, a security assessment is always a vital investment. This helps to establish a baseline by offering visibility into its current security landscape and delivers insights on a path forward.
