Understanding the Zeros Beyond Zero Trust

Zero trust is a popular cybersecurity model, so much so that speakers at OpenText’s Enfuse 2019 conference said we are now living in a zero trust world.

However, while zero trust is the umbrella, there are a lot of other zeros out there that must be managed to give organizations a more complete and robust level of protection. For example, some of the zeros that we have to be thinking about include:

• Zero IT (everything is moving to the cloud and off-premises)
• Zero people (the rise of automation and AI)
• Zero risk (eliminating downtime and other party risks)
• Zero bias (algorithm governance)
• Zero-day threats (which are getting stronger)

Not too long ago, companies put their money in a vault at the end of the workday and didn’t worry about it again until the next morning, said Jason Sachowski, global head for cyber and security investigations at Scotiabank, one of the speakers at the recent conference. That’s impossible today in our internet-connected world. Data is now a company’s most valuable asset, and a company can’t simply turn off the computer and forget about it at the end of the day. Rather, security and protection are a 24/7/365 responsibility.

Impact of Digital Transformation

“Zero trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access,” is how CSO defined the term. For many, this is often limited to the data transmitted across the network.

But as more organizations undergo digital transformation, there is a greater need to consider the impact of everything being connected. And that means we have to expand the reaches of zero trust. It also means understanding how to best address the blend of human behavior and technology. Everything might be connected but, Sachowski pointed out, you don’t have technology without humans.

“Humans are our greatest asset but at the same time, they’re our worst enemy,” he said. There is still a gap between knowing what to do and actually doing it. “We don’t practice what we preach.”

Hence, the rising dependence on technology to provide the layers of security we need now. Systems need to run efficiently and at a scale where everything is aiming for the zeros mentioned above.

The Wild Cards of Zero Trust

There are platforms designed to help organizations achieve that zero balance at scale, so the technology is available. However, there is a familiar wild card that makes zero trust more difficult to achieve: third parties.

Third parties are low-hanging fruit for cybercriminals, and their behaviors are out of our control, said Sachowski. If you want your organization to improve its chances of achieving the power of zero, more must be done to monitor and manage third parties. “We have to make sure they are secure and not putting us at risk,” he said. This includes cloud partners—as organizations look to achieve that zero IT and have more of their services in the cloud, somebody has to be looking out for the security of the data that is stored and accessed there.

But there is a less familiar wild card out there, and that’s the new-generation workforce. Younger adults have a very different relationship with technology, data, privacy and security than the older workforce that leadership is used to dealing with. “We need to give the right tools, the right processes [and] earlier education surrounding security,” he said.

Zero trust isn’t just verifying everything before granting access. It goes beyond data. It is understanding all of the technology—and the people—surrounding your network. It is creating an environment that anticipates attacks such as ransomware and DDoS and has the tools to address them before they happen.

The goal is to live in a zero trust world, but there are a lot of other zeros to take into consideration before we can reach that point.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
