Zero Trust: 3 Things to Consider

Zero Trust can help organizations increase their security posture. Here’s what you need to know.

Security spending increases annually, and breach rates continue to increase right along with budgets. In fact, a Forrester study found two-thirds of organizations experienced an average of five or more security breaches in the past two years.

Many industry leaders feel traditional perimeter-based defense strategies are outdated and failing, particularly because most security incidents are the result of insiders. Whether it is a mistake made by a well-intentioned employee or a malicious actor seeking to steal data for monetary gain, insider threats are at the heart of 75% of security breach incidents, according to some research.

This has security teams rethinking their approach to protection, with a security-from-the-inside-out mindset taking hold. Many organizations are looking into zero trust as the next best way to prevent breaches.

Zero Trust: Getting Started

If you haven’t heard much about it yet, zero trust is a framework developed by Forrester Research. The philosophy is just as it sounds: Trust no one. Always verify. For the organization that puts the framework in place, it means verification on an application by application basis before allowing access—even for insiders in the organization.

But before embarking on designing a zero trust model in your organization, be prepared to take these steps first.

Develop Your Strategy First Before Investing in Tools

Does implementing a zero trust strategy require a complete rip and replace of an entire security network? It depends on who you ask. Some critics say successful implementations are only realistic if it is baked in at the start of the initiative. But other industry analysis claims getting started simply can mean using existing infrastructure and deploying multi-factor authentication throughout the organization, which is an initial foundation for a zero trust model.

But before investing in anything, one of the most critical elements to remember when embarking on the journey is to design security from the inside out and not outside in, as many security teams have done in the past, according to John Kindervag, a former Forrester analyst who pioneered the zero trust model.

Another critical element to prioritize when developing plans is visibility, including a comprehensive inventory of all apps and devices, where data lives, how it flows across the organization and who has access to it.

Expect to Have to Change Minds

A redesign and redeploy of applications can be expensive and disruptive. Convincing some IT and security teams to rethink legacy network security may not happen easily, and moving to a zero trust model requires change that emphasizes simplicity and efficiency, Kindervag noted in a blog post. Some team members who have been working with traditional and legacy architectures could be a tough sell to convince that it’s time for a new direction.

Embarking on the journey to a zero trust model also will require new ways of handling cost management and staffing resources. Come to the table with an understanding of the impact and plans for approaching these factors under zero trust, if you want to get support.

You’ll Need to Make Both a Security and Business Case for Zero Trust

As security increasingly is seen as a business enabler, so, too, will the investment in zero trust. CISOs and security leaders who seek to persuade stakeholders of the benefits of zero trust will need to look to data to make the case why it is worth the time and budget.

One Forrester study found that organizations deploying zero trust are 66% more confident in adopting mobile work models and 44% more confident in securing DevOps environments.

But adopting a zero trust strategy in any organization is not a quick process. It requires layers of change across the enterprise and, for many, a shift and refocus in security strategy. Before taking a first step down the path, security leaders will need support and buy-in at all levels of the organization to make it work.

Joan Goodchild

Avatar photo

Joan Goodchild

Joan is a veteran journalist, editor and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

joan-goodchild has 37 posts and counting.See all posts by joan-goodchild

Cloud Workload Resilience PulseMeter

Step 1 of 8

How do you define cloud resiliency for cloud workloads? (Select 3)(Required)