By Dave Russell,
Vice President of Enterprise Strategy, Veeam and Rick Vanover, Senior Director of Product Strategy, Veeam.
A recent study by CyberRisk Alliance revealed some surprising statistics about zero trust security. While the term has been around for the last 30 years, only 35% of the security leaders polled were familiar with the practice. More surprisingly, despite the gradual rise of security incidents the same percentage were highly confident in their zero trust capabilities.
While interest in zero trust has grown, many security leaders appear to be confused on how they should implement it. There is a misconception that zero trust is a plug-and-play feature, but the reality is far from that – it essentially changes the way people work.
The concept of zero trust is simple: “never trust, always verify.” It may seem harsh to users that are used to having easy access to information, but it’s a sound policy. We prefer to use the phrase “mutually suspicious,” which is similar. It means, in effect, “Here’s who I am; you prove to me who you are.”
The truth is that to a certain degree, this practice and term is old, dating back to the era of mini computers and mainframes. It’s all about requiring good digital hygiene. What has changed is, our environment has shifted and expanded. Now, with cloud, edge devices, and data centers opening up more endpoints to attack, organisations have to rely on more than firewalls to keep intruders out and data safe.
Organisations need to align their processes and people, along with their products, to achieve true zero trust.
Implementing such products are a straight-forward step. Essentially, what’s needed is a full line of security technologies that verify identity, location and device health. The main objective is to minimize the blast radius and limit segment access. While there is no single product or platform that accomplishes all these goals, a successful zero trust program will incorporate elements of identity management, multifactor authentication and least-privileged access, setting restrictions and additional steps to access information.
Today, zero trust technologies are available to cover all attack surfaces and protect organisations, but they are as useful as the people using them, so aligning company success and security with employee success and security is critical. This means prioritising a culture of open communication, implementing policies, transparency, trust in the process and faith in each other’s ability to do good.
To successfully implement zero-trust technology into a corporate culture, organisations need to involve employees across all levels in the process. Don’t just roll out a top-down mandate and expect it to click. Employees should be properly briefed on the process of zero trust, how it impacts their workflow and the benefits it brings to the company. Setting them up for success and educating them on what to watch out for can move the adoption of zero trust.
By engaging employees and challenging them to embrace a healthy dose of skepticism towards potential threats, employers form a level of defense when it comes to protecting data. Once employees understand what’s going on and the value of zero trust, they too begin to feel trusted and are empowered to be part of the broader cybersecurity network. This empowers employees to proactively identify insider and outsider threats to the enterprise, covering all surfaces and fostering good security hygiene.
One of the most important moves an organisation can make is to define and assess every aspect of its data security environment. From identifying where all the organisation’s unstructured data is stored to what business purposes specific data stores serve, knowing who has access to it and what kind of security controls are in place helps to allow for better security.
A thorough permissions assessment will help guide the development of a comprehensive access management policy. Some assets will require zero trust protection; others won’t. All devices that connect to a network will need to be accounted for, so they can fend against outside phishing attacks.
One key tech mechanism that can help organizations in a zero-trust world is immutability – creating data copies that can’t be modified or deleted. This ensures organizations don’t lose data or allow it to end up in the wrong hands.
An overlooked practice is to define a common zero-trust framework for the whole organisation. Teams should be aligned on what zero trust is and ensure that this definition is applied across all projects and employee levels.
Last, and perhaps most important, is the need to reassess and revise their zero trust processes. Zero trust is an ongoing process and should be treated as a regular routine. Think of it like going to the gym: Exercise becomes a way of life, and active people tweak their workout routines all the time. Same with security. Zero trust is a continuum. You’re never done.
Threatscapes will continue to evolve over time. Organisations taking a zero-trust approach will need to continue to develop a comprehensive plan – and then continually revise their technologies, processes and people practices to meet their future needs.