Organizations are coalescing around the concept of Zero Trust. Security teams see Zero Trust as a catalyst to fundamentally change how they practice security. CISOs see it as an effective, enterprise-wide solution to drive decision-making at the highest levels of leadership. And according to Deloitte, 37% of organizations have increased Zero Trust adoption since 2020.
But Zero Trust is more than a technology. And despite what many believe, you can’t buy it. To fully embrace Zero Trust, you’ll need to redefine your entire approach to identity and security to protect your people, IT infrastructure, and sensitive assets. Zero Trust is a move from implicit trust to a continuous re-evaluation of risk and trust levels that protects the entire IT ecosystem, accelerates digital transformation, and secures the remote workforce.
So what does it take to truly embrace Zero Trust at your organization? The answer lies in understanding that Zero Trust is driven by identity and requires a focus shift away from the network security layer to the identity layer. This approach has three key pillars:
- A shift in mindset
- A strategy vs. point solution approach
- A new identity-based architecture
The Rise of Zero Trust
Businesses embraced digital transformation to capitalize on the cloud benefits of scalability, efficiency, and cost reduction. As cloud migration accelerated, it altered the threat landscape and simultaneously shifted the work environment to improve accessibility. Long gone are the days when we only had to protect PCs inside an on-premises network. Today, security teams are tasked with protecting many types of devices that access data from multiple external locations.
Critical assets migrated as well, and no longer strictly reside behind heavily fortified internal networks. Today, they are spread throughout multiple physical locations worldwide – and stored in the cloud. This shift has forever changed the threat landscape, and bad actors have taken notice. External attacks on cloud accounts increased by 630% in 2020. And insider threats now account for over 30% of all breaches – proof that standing trust is dangerous, even for ‘trusted’ employees. This dynamic threat landscape has forced businesses to rethink their approach to securing digital assets and cloud resources.
As the world becomes a more digital, globally connected environment, the core Zero Trust principles resonate more strongly than ever. Today’s security landscape no longer allows you to focus solely on your enterprise network. Advancing technology adoption and accelerating digital transformation require a perimeter drawn at the identity layer. Modern security is about providing the right access to humans and machines and the continuous optimization of access controls based on the risk profiles for the entities accessing these resources. Now we must shift to a ‘never trust, always verify’ approach, secured by an identity-based Zero Trust paradigm.
What is Zero Trust Identity?
Zero Trust Identity requires a continuous risk and trust assessment every time access is attempted using contextual identity information to inform and optimize access policies. This also supports the principle of least privilege and granting access to the right entities, for the right reasons, for the right amount of time.
Zero Trust Identity is the practical application of identity to support and strengthen Zero Trust principles. To move at the speed of business, a Zero Trust Identity approach requires quickly delivering stronger security without negatively impacting productivity or business agility.
So how do you move toward Zero Trust Identity? The answer to that lies in understanding and applying the three key aspects of Zero Trust — mindset, strategy, and architecture.
Zero Trust is a Mindset
In our digital world dominated by data, dependent on cloud computing, connected by mobile devices, and rife with IoT, every company has become a tech company. Realizing and acknowledging this demands a mindset shift. You must view the world through a different lens. This applies to larger global enterprises and smaller businesses alike. You have to accept that technology is at the core of every business. Whether companies host their own hardware or rely on SaaS solutions, nearly every core business function — from HR to accounting and sales — relies on technology, which is why both organizational assets and sensitive data exist within every corner of IT systems. These resources must not only be secured but also aggressively monitored and actively protected.
The Zero Trust Identity Paradigm Shift
Security is intrinsic to every aspect of your business and needs to become a core part of your company culture. This requires a foundational change in how you view security. Security can no longer be seen as a value add or an afterthought. It has to become a core principle of your business – and a policy that every employee adopts.
Systems and security professionals must abandon the mentality that all internal identities and resources are safe. The new assumption must be that every identity and access request is suspect and must be validated. Moving to this mindset advances your organization from a reactive stance on security to a proactive one.
Integrating security training and shifting mindsets is one puzzle piece in a rock-solid security program. Because even a well-intentioned employee can expose a company to threats, security awareness training must become a higher priority. Equipping employees to become a line of defense is critical, turning them into an asset rather than a liability. This contributes to a defense-in-depth approach that integrates all the security layers into overlapping pieces of digital armor.
Zero Trust Identity adds additional layers by extending beyond simple access control into continuous monitoring and management. Organizations must acknowledge that all access granted incurs some level of risk. Practices must be adopted to improve the ability to assess unnecessary access rights and to perform remediation and recovery actions.
This level of readiness is made possible through continuous monitoring of assets and access usage. Deep visibility, automation, and application of machine learning (ML) speed up access reviews and incident response time. By quickly identifying compromised assets, organizations can take proactive steps to block access, narrow the scope of an attack, and reduce its impact.
Zero Trust Identity is a Strategy
Moving to a Zero Trust strategy requires adopting identity as the new security perimeter. Part of why Zero Trust is effective is that it no longer assumes that everything behind the firewall is safe. Instead, it assumes that some level of compromise has already occurred and requires verification before granting access.
One of the key improvements of shifting to a Zero Trust identity strategy is the acceleration of business transformation and agility. Identity solutions are one of the essential components for transformation, as they can be effective no matter where assets lie, or where they are accessed from. This allows organizations to reduce their reliance on older legacy applications and securely re-architect IT environments using newer languages and designs that can benefit from cloud computing.
These fundamental changes require a significant investment in the security program, including additional emphasis on deploying identity-based solutions. The implementation of Zero Trust Identity generates metrics and success criteria that will demonstrate its value and gain the confidence – and sponsorship – of board members and executive leadership.
Speed and agility, however, are only part of the equation. Businesses still need to ensure that their data is secure and meets organizational governance and compliance requirements. Zero Trust Identity is an important enabler in managing least privilege through dynamic security policies that enable appropriate authentication and authorization to any digital resource, which is crucial for privileged resources.
Zero Trust Identity is an Architecture
Zero Trust Identity is an essential component of an architecture that requires you to design your layered security model to meet the challenges of an IT ecosystem that expands beyond internal networks. Organizations have shifted to using modern applications that use newer technologies such as micro-services and integrated DevSecOps to unlock the full benefits of the cloud. And while these technologies contribute to acceleration, they inherently come with built-in security risks – including a lack of visibility and the inability to control access. Because they reside outside of traditional organizational boundaries, your approach to security must include an architecture that adapts to address these risks.
Refactoring your architecture in this way requires a modern identity solution that protects cloud assets while integrating existing security and compliance tools throughout the IT ecosystem. This way, the verification process for Zero Trust can factor in new and existing policies effectively. This has become more imperative for federal systems with the recent Executive Order from President Biden prioritizing a Zero Trust approach for security.
Zero Trust Identity Architecture leverages visibility, risk, and threat intelligence to drive decision-making. Another essential component of Zero Trust Identity architecture is enabling interoperability between security solutions that exchange information. Using an open and standards-based approach allows security technologies to exchange risk and contextual information in near real-time to improve visibility. With increased visibility, organizations achieve dynamic, accurate assessments of their environment by moving access controls closer to the actual endpoints and data. More accurate and timely assessment data allows better and faster decision-making.
Beginning the Journey
Using identity to drive Zero Trust is more than just the cybersecurity trend du jour. It helps your company evolve its security and compliance posture in response to both the changing threat landscape and its growth. The journey to Zero Trust requires shifting mindsets organizationally and moving from point-based solutions to a cohesive security strategy. This strategy must be architected with identity as its foundation to integrate all of the layers throughout the ecosystem.
We’ve discussed the major aspects of identity-driven Zero Trust. We will take a deeper dive in future posts and provide more practical guidance for companies seeking to implement these practices. For now, just remember: Zero Trust is not a destination. It’s a journey.