Zero-Trust 101: What it Is and How to Implement It

There’s no shortage of zero-trust hype in the cybersecurity realm. Analyst firms, vendors and security leaders alike are touting it as an effective solution to help bolster cybersecurity defenses at a time when attackers are continuing to wreak havoc in business. Though I typically caution enterprises to tread carefully when new buzzwords emerge, in the case of zero-trust, signs are pointing to the notion that it’s not just another passing fad.

Microsoft’s 2021 zero-trust adoption report found that 96% of security decision-makers believed zero-trust is critical to their organization’s success, and 76% of organizations have at least begun implementing a zero-trust model. The White House is leading the way on this front after releasing a strategy in 2022 mandating that all federal agencies move toward a zero-trust architecture by 2024. And yet, there are credible skeptics who argue that frameworks like zero-trust aren’t feasible for many businesses struggling with basic cybersecurity hygiene.

In hopes of demystifying this concept, let’s unpack exactly what zero-trust is and outline practical tips for how organizations can begin to adopt it as a framework.

What is Zero-Trust?

Like many technology buzzwords, zero-trust is frequently used yet rarely understood. The most important thing to understand is that zero-trust is not a single technology, but is instead a framework built on the principle, “never trust, always verify.” In practice, this means that in the design and management of an IT environment, users must be continuously authenticated, verified and authorized, regardless of whether they’re inside the business.

Zero-trust has been quietly on the rise for several years but has gained traction as enterprises become increasingly distributed. The attack surface is now significantly larger, rendering traditional perimeter-based defenses effectively obsolete. Though no security strategy is foolproof, zero-trust is seen as an effective strategy to reduce the attack surface, better segment devices, limit threats and protect critical assets.

Barriers to Entry

Adopting zero-trust is not as simple as flipping a switch—there are key obstacles to a successful implementation. One of the central challenges is that zero-trust architectures must implement what’s called “least-privilege access.” This means employees are only granted permission to access the corporate resources that are critical to doing their specific job. The problem is that IT and security teams don’t always know exactly what permissions each individual person should have (an issue that gets more complicated the larger your organization is). Complicating the situation further, people change positions and job titles all the time, meaning permissions also need to change continuously. As a result, the ongoing administration and management of zero-trust can be both time-consuming and complex.

Another key barrier is organizational silos. Zero-trust architecture requires collaboration and communication across the business. To effectively determine appropriate access controls, IT teams need to understand business processes and be looped in across departments and leadership. As we know, that’s not the norm in most organizations. Many IT and security teams are highly isolated and only approached when something goes “wrong.” Success in zero-trust requires proactivity, which starts with proactively elevating IT and ingraining them across the organization.

Finally, the last obstacle: Many security teams are struggling with cybersecurity as is. Deploying basic patches and maintaining an accurate asset inventory is difficult enough, and now we’re throwing them an entirely new modern playbook. I position zero-trust as a longer-term goal—it doesn’t happen overnight. But with iterative steps over time, I believe it will actually mitigate and ease many of the challenges security teams have today. That said, for organizations currently dealing with severe tech staffing shortages, partnering with MSSPs can be an effective way to kick-start zero-trust initiatives.

How to Get Started

If you’re feeling the pressure of implementing zero-trust, retail therapy is not your best coping mechanism. Shopping vendors and various foundational solutions might make you feel temporarily better because you’re “checking the box,” but the tech is the last order of business. There are two important steps a business needs to take beforehand.

First, identify the areas of your business where the most risk lies (in other words, where would a security failure have the biggest consequence). For example, the production line would be of the greatest importance to an auto supplier. Determine that critical area for your business and start your zero-trust efforts there. And remember that just like a business won’t “digitally transform” overnight, it will not “zero-trust” overnight. Start with priority parts of the business and incrementally build from there over months and years.

Second, as previously mentioned, IT and security teams need to understand business processes, confirm how many connected users there are and map out appropriate permissions per job function. This planning phase is crucial and will require open and consistent lines of communication across IT and business leaders.
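The permission map per job function described here, and the drift that follows a job change (the least-privilege problem raised under "Barriers to Entry"), can be checked mechanically once the map exists. The sketch below is an added example, not part of the original article: it compares each account's actual grants with the baseline for its current job function and flags access left over from a previous role. The role names, permission strings and accounts are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed baseline: permissions each job function needs (hypothetical names).
ROLE_BASELINE = {
    "line-operator": {"mes:read", "mes:run-job"},
    "quality-engineer": {"mes:read", "qa-db:read", "qa-db:write"},
    "finance-analyst": {"erp:read", "erp:post-journal"},
}

@dataclass(frozen=True)
class Account:
    user: str
    role: str           # current job function, e.g. from the HR system
    granted: frozenset  # permissions actually present in the IAM system

def review(account, baseline=ROLE_BASELINE):
    """Compare actual grants with the baseline for the account's current role."""
    if account.role not in baseline:
        # No mapped job function: deny by default, every grant goes to review.
        return {"user": account.user, "status": "unmapped-role",
                "revoke": sorted(account.granted), "grant": []}
    allowed = baseline[account.role]
    excess = account.granted - allowed    # violates least privilege
    missing = allowed - account.granted   # blocks the person from doing the job
    status = "ok" if not excess and not missing else "drift"
    return {"user": account.user, "status": status,
            "revoke": sorted(excess), "grant": sorted(missing)}

def leftover_from(account, previous_role, baseline=ROLE_BASELINE):
    """Excess grants explained by a previous role (creep after a job change)."""
    excess = account.granted - baseline.get(account.role, set())
    return sorted(excess & baseline.get(previous_role, set()))

# Constructed sample accounts: alice moved from the line to quality engineering
# and kept her old grant; carol's job function was never mapped.
ACCOUNTS = [
    Account("alice", "quality-engineer",
            frozenset({"mes:read", "mes:run-job", "qa-db:read", "qa-db:write"})),
    Account("bob", "finance-analyst", frozenset({"erp:read", "erp:post-journal"})),
    Account("carol", "contractor", frozenset({"mes:read"})),
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(review(acct))
    print("alice, left over from line-operator:",
          leftover_from(ACCOUNTS[0], "line-operator"))
```

Run on every HR role change rather than once a year, a check like this turns the continuous permission updates the article describes into a reviewable list of revocations.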

After those initial steps are taken, it’s time to research and vet the types of technology that can underpin a zero-trust approach (such as IAM and ZTNA) and start making the necessary purchases. Remember that there’s no silver bullet: it will take an open ecosystem of tools working in tandem. It’s important to choose a vendor that approaches zero-trust holistically across the entire network, from remote access to local campus access. Any solution must be pervasive and able to scale with the needs of the organization without complicating network management.

The cybersecurity space tends to move quickly, the market fluctuates, and new concepts and categories emerge every few years. But in the case of zero-trust, it’s the real deal—and organizations that start the planning process now will be well-positioned for a more secure future.


Markus Nispel

Markus Nispel is Chief Technology Officer for EMEA at Extreme Networks. With over 20 years of experience in management and marketing across the telecoms and networking sectors, Markus brings invaluable expertise and leadership to the company. He previously worked at Cabletron Systems.
