Understanding Zero Trust

The traditional IT environment was secured just like medieval castles, with defensive mechanisms on the external perimeter to protect assets within the IT environment. Unfortunately, this was never sufficient, but a combination of a lack of tools and a more disconnected world led to the false belief that the environment was secure. Everyone working and connected within the IT environment was presumed safe and trusted; the only verification required was before they were allowed in. Anyone outside was denied entry or access to resources inside.

Today, with the current hybrid work-from-home environment, users who previously mainly resided and worked within the local IT environment are now dispersed and remotely accessing enterprise resources they need to perform their duties. This, along with other business strategies such as extended enterprises, has increased the available attack surfaces for majority of organizations.

Many devices connecting from the outside are not always fully compliant with up-to-date security safeguards, leading to compromised networks. In today’s dynamically evolving threat landscape, even enterprise users or systems connected remotely can no longer be trusted as threat actors have taken advantage of several vulnerabilities leading to increased risks of ransomware attacks and/or data breaches.

For example:

• The average ransom demand climbed 144% between 2020 and 2021, to $2.2 million, according to a recent report from Palo Alto Networks’ global threat intelligence team Unit 42.
• Per a 2022 Gartner report on ransomware in midsize enterprises, 82% of successful ransomware attacks in 2021 targeted companies with fewer than 1,000 employees, and 90% targeted businesses with under $1 billion in revenue. The average ransom paid by a mid-market organization was about $322,000.

Organizations in both the for-profit and not-for-profit spheres are struggling to obtain cyber insurance, losing value, and incurring reputational harm and other negative publicity, all because of poor cyber hygiene, and in many instances due to their leveraging outdated techniques and approaches to cybersecurity.

It is now becoming and will continue to be a customary practice for organizations to operate in an IT environment that includes several internal networks; remote offices with their own local infrastructure; remote and/or mobile individuals accessing corporate resources; and the integration and increased use of cloud services.

With the number and size of threat vectors growing rapidly, users, devices, and networks can no longer be trusted, irrespective of whether they are connected within or outside of the enterprise IT infrastructure. The need for a new, more robust cybersecurity model or framework that facilitates well-informed risk-based decisions on people, process, and technology has become critical.

That is where the concept of Zero Trust, or ZT, comes in. As described in the National Institute of Standards and Technology’s (NIST) primer, Zero Trust is built on the premise that “trust is never granted implicitly but must be continually evaluated.” Despite the name “Zero Trust” or “Zero Trust Architecture,” this is not all just the usual technology architecture. People, processes, and technology all need to be evaluated, enhanced, and changed for ZT to work effectively.

“Zero Trust security models assume that an attacker is present in the environment and that an enterprise-owned environment is no different – or no more trustworthy – than any non-enterprise-owned environment,” NIST states. The typical model is built on the premise that no implicit trust should be granted to assets or user accounts based solely on their physical or network location (i.e., local area networks vs. the internet) or asset ownership (enterprise or personally owned). Zero Trust focuses on protecting individual enterprise resources – data, devices, applications, transactions, etc. – vs. the network itself, as the network location is no longer seen as the prime component of the resource’s security.

Every request for an enterprise resource needs to be evaluated continually for risk and based on risk evaluation adequate action is allowed to be taken. In most cases, the decision-making and risk evaluation process for the end user will be mostly performed behind the scenes. In others, they will need to “do something,” such as multi-factor authentication (MFA) or a CAPTCHA.

Organizations should understand that Zero Trust is not a “product,” but instead a “cybersecurity mindset.” There is no single product that will satisfy all use cases and architectural needs. Most organizations already have some foundational pieces of a Zero Trust Architecture in place; what is required is enhancement and maturity of the current practices to align with and support the principles of ZTA. First steps include examining current and future needs, especially for strategic business growth and ensuring compliance with regulatory requirements.

Zero Trust is not a sprint, but a journey. A well-implemented ZT strategy leads to business and operational transformation over time and enhances the cybersecurity posture of an organization.

Contact our team for more information or to get started on your next steps.

Bhavesh N. Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

703.847.4418

Adonye Chamberlain, Manager, Cybersecurity, Technology Risk, and Privacy

703.744.7409