Zero trust. Those two words are gaining ground as businesses continue to weather the pandemic. COVID-19’s sudden impact in 2020 tested organizations’ ability to adapt almost literally overnight, moving from largely in-person office environments to remote and hybrid environments, in some cases radically changing the way they operated and delivered goods and services.
That shift has continued into 2022, with projections stating that 25% of all professional jobs in North America will be remote by the end of the year. Though the continued shift to remote offers several benefits, it also comes with a notable set of risks, including BYOD, compliance challenges, and the often less stringent network security of home networks that leave organizations more vulnerable to cyber-attacks.
While there are an endless number of point-in-time security solutions, including various kinds of OTP, tokens, and MFA tools, these are often used as though they are a guarantee of identity minutes, hours, and even days after the initial authentication prompt. This problem, combined with the growing number of cyber-attacks and attacker’s ability to have a massive impact on critical infrastructure – like the Colonial Pipeline attack last year – have led to a growing shift to zero trust (ZT) security, based on the premise of “trust no one, verify everyone in all cases.”
So, what exactly is zero trust, and how will it impact your business? Here are five questions answered to help your organization better understand ZT.
1. So – what does ZT actually mean?
While it can be easy to get lost in the technical elements of a ZT and a zero-trust architecture (ZTA), above all ZT is a mindset and way of thinking about an organization’s security ecosystem. This mindset is one of vigilance and understanding that attackers will always be looking for gaps in a security infrastructure that they can exploit to gain entry.
It’s the idea that no single user, device, network, or system in your organization, no matter their role, seniority, location, or device ownership should be trusted implicitly. While employers trust their employees with company assets, they can’t always verify a user’s identification during a given session. That mindset flows into the accompanying tech stack that creates a true ZTA.
2. And what does a ZTA include?
While there is no one unified definition of ZTA, there are several proposed frameworks and core elements of zero trust that an organization’s infrastructure should be built around. Most recently, the U.S. Office of Management and Budget (OMB) published a memo establishing a federal ZT strategy for the U.S. government, that agencies will be required to align with by FY24.
The strategy outlined by the memo is built based on U.S. Cybersecurity & Infrastructure Security Agency (CISA) at the U.S. Federal Bureau of Investigation. CISA’s framework relies on their five pillars of ZT:
- Identity
- Devices
- Networks
- Applications and Workloads
- Data
Another framework to consider when assessing how to build out a robust ZTA is one laid out by the National Institute of Standards and Technology’s 800-207 guidance, which identifies the critical elements of a ZTA as:
- Authenticating activities based on identity, context, and risk
- Authenticating activities before access is given, and then continuously throughout the activities, as they occur
- Finding ways to enable activities to access only needed resources, and only as this continuous authentication occurs
3. Who is it for?
In short, ZT is for any organization that wants to enhance their security posture and minimize risk. A ZTA is comprised of a variety of policy and technical components, which vary depending on the framework you’re looking to implement, and those looking to implement a true ZTA will need to have the infrastructural and financial resources to do so. ZT is critical particularly for organizations with strong compliance requirements or a largely remote or hybrid workforce, calling for a robust framework to continuously authenticate users and limit access based on identity, regardless of their location.
4. Why use a ZT model?
While there are numerous reasons for organizations to implement ZTA, two of the strongest are the significant costs associated with data breaches and the impact that a strong security infrastructure can have on the ability to maintain compliance and insurance. ZT is an idealized goal that if implemented, even in substantial part, provides organizations with stronger security infrastructure and d tools to minimize the risk of a devastating cyber-attack. From a dollars and cents perspective, the investment in tools that make up a ZTA is a good choice for organizations, with a report from IBM and the Ponemon Institute suggesting that the average cost of a data breach in 2021 hit $4.24 million – a 10% increase from 2019 – and an average cost of $5.72 million for incidents in the financial services industry.
Along with mitigating the costs of a potential breach, ZTA supports the ability to get and maintain cyber insurance. With the growing number of cyber-attacks and the costs associated with those attacks, cyber insurance payouts on claims have jumped from 47 cents to 73 cents for every dollar of premiums, from 2019 to 2020. As a result of that increase, cyber insurance providers are “cracking down” on insured parties, requiring that they demonstrate that they have strong cybersecurity controls in place. By implementing a ZTA, organizations can ensure they meet the requirements to maintain or obtain that coverage.
5. Can I afford it?
The scale and complexity of an organization’s security infrastructure can fluctuate based on a number of variables – staff size, industry, and compliance requirements – which impacts the cost of implementing a ZTA. When thinking about affordability, an important consideration is the growing cost of cyber-attacks, and whether your company can afford to lose income from the remediation period of an attack or the potential costs of an attack (think ransomware).
It’s not so much a question of whether your organization can afford it, as much as it’s a question of if they can afford not to.