Security leaders and their businesses need to be constantly prepared for new cyber threats. According to a recent survey, worldwide spending on cybersecurity grew to $18.6 billion in the first quarter of 2023, a 12.5% increase year over year. It is not only the number of cyberattacks that is rising but also their precision and sophistication, leading to more successful and larger-scale breaches. That is pushing organizations to look at cybersecurity through a more holistic lens and to establish a proactive, rather than reactive, defense.
The fundamentals of data security, access management, verifiable identities and strong encryption have never been more critical. As data breaches continue to increase, enterprises need a security strategy that will hold up as their environment changes, and the entire organization needs to understand its own impact on security. Today we are seeing more discussion and implementation of Zero Trust, a strategy that reframes how an organization thinks about cybersecurity. And while the topic is top of mind at conferences and among thought leaders, what does it really mean to have a Zero Trust strategy, and where should companies start?
State of Zero Trust and Cybersecurity
According to IBM, 83% of organizations surveyed have experienced more than one data breach, and 59% of those organizations did not have a Zero Trust strategy in place. For CIOs and their enterprises, the traditional approach has been to lock the digital entrances with firewalls to keep threats out. Today, CIOs and CISOs need to change that perspective: assume the bad actor is already inside the system and focus on limiting what that actor can reach and do once inside. A Zero Trust approach helps an organization both defend against a breach and contain the damage when one does occur.
In the years coming out of the pandemic, security teams are still tackling challenges created by the rapid move to a digital, hybrid landscape. The attack surface has grown quickly as data moved to the cloud and hybrid and remote work expanded. Organizations have had to create new strategies to protect sensitive systems and information through these changes while still enabling the business to grow and operate more efficiently.
Zero Trust approaches are reshaping security in this perimeter-less, hybrid world. While fewer than 1% of large enterprises have such a program in place today, Gartner predicts that by 2026, 10% of large enterprises will have a mature, measurable Zero Trust program.
Why Zero Trust?
In January 2022, the White House, through OMB memorandum M-22-09, directed federal agencies to move toward a Zero Trust architecture, and with CISA's Zero Trust Maturity Model (version 2.0, published in April 2023), government agencies and enterprises alike have a blueprint for planning Zero Trust frameworks in their own organizations.
The CISA model outlines five distinct pillars: identity, devices, networks, applications and workloads, and data. It establishes that there is no single product or solution that gets an organization to Zero Trust maturity; the implementation takes strategic backing, time and investment. The model defines four maturity stages (Traditional, Initial, Advanced and Optimal) that an organization works through for each pillar, and progress is not linear: each organization will start at a different place based on its own capabilities and objectives, and may sit at different stages in different pillars.
A Zero Trust strategy extends beyond secure identities for users, applications, devices, machines and workloads: it is also a comprehensive data security strategy, encrypting data at rest and in transit across public and private cloud environments. Key to this approach is granting access only to verified and authorized identities, only to the resources they need, and only when they need it. Applying those policies consistently protects the organization no matter where a threat originates, inside or outside the traditional perimeter.
Zero Trust is based on the concept of "Never Trust, Always Verify" and has three key principles: Verify Explicitly, Least Privilege Access and Assume Breach:
o Verify Explicitly: Every access request is authenticated and authorized using all available signals (the user's identity and authentication strength, the device's health, the location, the workload and the sensitivity of the data), never on the basis of network location alone. Ensuring that only verified and authorized users reach the data and resources they need helps protect against remote account takeover (ATO) attacks.
o Least Privilege Access: Access to data and resources is limited to what a role and its responsibilities actually require, and is granted just in time and just enough rather than as broad, standing access. High-value assets are secured by multiple layers of security, and key infrastructure, such as servers and laptops, is encrypted and set up with appropriate backup and disaster recovery processes.
o Assume Breach: Assume a bad actor is already in your system. Limit the blast radius by segmenting users, devices and networks, and monitor continuously so that an intruder's movements are detected and contained rather than left to run unnoticed.
While many talk about applying Zero Trust, in practice it means different strategies depending on the organization's goals and existing technology. One company may need to focus more heavily on encryption, whereas another may need to update its legacy systems before it can put these practices into action.
A Zero Trust Journey - Where to Start
A Zero Trust strategy is not a one-and-done solution; it is a journey that requires consistent monitoring, maintenance and improvement. For most organizations, getting to a Zero Trust framework is a multi-year project, one that requires trusted partners and the entire organization to build the framework on a solid foundation.
At the start of a Zero Trust journey, companies must first define what Zero Trust means for their specific organization and what their goals are. There is no single path through the stages of Zero Trust. Organizations will start in different places, and their leaders will need to assess their current cybersecurity capabilities as well as their security and business objectives to determine the right path.
There are three key components I look at when evaluating a Zero Trust framework:
● Phishing-resistant identity: Stolen or weak credentials are one of the largest causes of the data breaches we see. In fact, 51% of people reset their password at least once a month because they cannot remember it. Adaptive, risk-based authentication is central to a Zero Trust framework, providing continual contextual awareness of user and device behavior. This can include phishing-resistant multi-factor authentication using certificate-based authentication (smart cards, PIV) or FIDO2/WebAuthn authenticators, single sign-on, high-assurance passwordless login and more. Not every second factor qualifies: SMS codes, one-time passwords and push approvals can be relayed through a look-alike site, whereas certificate- and FIDO2-based authenticators are bound to the legitimate origin and cannot be replayed there.
● Secure connections: Sensitive and confidential data now moves across a hybrid network, both public and private, and every connection and endpoint needs to be authenticated with a digital certificate, ideally mutually, so that the service verifies the client's identity and not only the reverse. To enforce a Zero Trust strategy properly, certificate lifecycle management becomes critical: strong issuance protection, automated renewal and rotation (favoring short-lived certificates), discovery of every certificate in the estate, and prompt revocation. A certificate that quietly expires or is never rotated becomes either an outage or a warning that users learn to click through, and either way the principle of never trust, always verify is lost.
● Secure data: Encryption, public key infrastructure (PKI) and key lifecycle management play a critical role in verifying access at every level. A Zero Trust strategy enables users and applications to exchange information securely using strong digital keys, with centralized compliance management and decentralized key storage. Companies typically have several cloud environments (both public and private) and data storage solutions; security teams must look at their environments as a whole and at how data is protected in each.
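To make the three principles above (verify explicitly, least privilege, assume breach) and the three evaluation areas (phishing-resistant identity, secure connections, secure data) concrete, here is an added example, written for this article and not code from Entrust or any product, of a minimal policy decision point that evaluates each access request against those signals instead of network location. The resource tiers, role names, the 15-minute re-authentication window and the checks attached to each tier are assumptions chosen for illustration; the sample users, devices and resources are constructed, not real data.

```python
"""Minimal Zero Trust policy decision point (PDP).

Every request is evaluated against explicit signals (who is asking, how they
authenticated, from what device, over what kind of connection) and against a
per-resource policy scoped to the minimum roles that need it. Nothing is
inherited from "being on the network". Constructed example, not any vendor's
policy engine; tiers, roles and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Authenticator classes. Only these two are phishing-resistant: the credential is
# bound to the relying party's origin, so a look-alike site cannot relay it the way
# it can relay a password, an SMS code or a TOTP code.
PHISHING_RESISTANT = frozenset({"fido2", "piv_certificate"})
# Resource tiers in increasing sensitivity; a higher tier inherits the lower tiers' checks.
TIERS = ("public", "internal", "restricted")


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    auth_method: str                 # "password_only", "sms_otp", "totp", "fido2", "piv_certificate"
    auth_age: timedelta              # time since the last interactive authentication
    device_managed: bool             # enrolled device with its own identity
    disk_encrypted: bool             # posture attested by the endpoint agent
    device_cert_not_after: datetime  # expiry of the device's mTLS client certificate
    client_cert_presented: bool      # the connection actually used that certificate
    resource: str


@dataclass(frozen=True)
class Resource:
    name: str
    tier: str
    allowed_roles: frozenset         # least privilege: only roles that need this resource


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple                   # every failed check, so the audit log explains a denial
    scope: str                       # an allow is scoped to exactly one resource, never "the network"


def evaluate(req: Request, res: Resource, now: datetime) -> Decision:
    failures = []
    # Verify explicitly: an authenticated identity with MFA is required for every tier.
    if req.auth_method == "password_only":
        failures.append("password-only session: MFA required")
    # Verify explicitly: the channel itself must be authenticated. A device certificate
    # that was never presented or has expired is treated as absent (assumed rule).
    if not req.client_cert_presented:
        failures.append("no client certificate on the connection")
    elif req.device_cert_not_after <= now:
        failures.append("device certificate expired %s" % req.device_cert_not_after.date())
    # Least privilege: the role must be on this resource's allow list, not merely "employee".
    if not (req.roles & res.allowed_roles):
        failures.append("role not authorized for %s" % res.name)
    tier = TIERS.index(res.tier)
    if tier >= TIERS.index("internal") and not req.device_managed:
        failures.append("unmanaged device")
    if tier >= TIERS.index("restricted"):
        # Assume breach: a stolen password or relayed OTP must not reach the crown jewels.
        if req.auth_method not in PHISHING_RESISTANT:
            failures.append("phishing-resistant authenticator required")
        # Bounded session age limits how long a hijacked session stays useful (assumed window).
        if req.auth_age > timedelta(minutes=15):
            failures.append("re-authentication required (session older than 15 min)")
        if not req.disk_encrypted:
            failures.append("endpoint disk encryption not attested")
    return Decision(allow=not failures, reasons=tuple(failures),
                    scope=res.name if not failures else "")


# Constructed sample inputs (not real users, devices or systems).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
RESOURCES = {
    "wiki": Resource("wiki", "internal", frozenset({"employee"})),
    "hsm-admin": Resource("hsm-admin", "restricted", frozenset({"pki-admin"})),
}
SAMPLES = {
    "admin_fido2_ok": Request("ana", frozenset({"employee", "pki-admin"}), "fido2",
                              timedelta(minutes=5), True, True, NOW + timedelta(days=20), True, "hsm-admin"),
    "admin_sms_otp": Request("ana", frozenset({"employee", "pki-admin"}), "sms_otp",
                             timedelta(minutes=5), True, True, NOW + timedelta(days=20), True, "hsm-admin"),
    "employee_wrong_role": Request("bo", frozenset({"employee"}), "fido2",
                                   timedelta(minutes=1), True, True, NOW + timedelta(days=20), True, "hsm-admin"),
    "expired_device_cert": Request("bo", frozenset({"employee"}), "totp",
                                   timedelta(hours=2), True, True, NOW - timedelta(days=1), True, "wiki"),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns {sample name: Decision}."""
    return {name: evaluate(req, RESOURCES[req.resource], NOW) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(name, "ALLOW" if d.allow else "DENY", "; ".join(d.reasons))
```

Running it shows the four outcomes a practitioner should expect: the administrator with a FIDO2 login, a fresh session and a valid device certificate is allowed, and only for `hsm-admin`; the same administrator on an SMS one-time code is refused the restricted resource even though the password and the device are fine; an ordinary employee with a perfect posture is still refused by the least-privilege check; and an otherwise entitled user whose device certificate lapsed yesterday is refused the internal wiki, which is exactly the lifecycle failure that certificate management is meant to catch before it becomes an outage.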
Zero Trust Strategies and Long-Term Success
While Zero Trust security is meant to limit privileges and access, that does not mean the user experience has to suffer. It is a balance: keep the experience frictionless where risk is low and add friction, such as a step-up or re-authentication prompt, only where the risk warrants it.
A successful Zero Trust strategy considers not only these three areas but also makes security part of employees' daily lives and educates them on the role they play in the organization's cybersecurity strategy. Teams need to evaluate their cyber defense strategies regularly while communicating with the rest of the organization often to get alignment and adoption. Staying ahead of cyber threats is a growth vector for the business, not an inhibitor.
When done correctly, Zero Trust security can prepare enterprises for current and future threats.
Swaroop has more than 20 years of leadership experience driving growth in global high-tech companies. Prior to joining Entrust, he was President and General Manager of One Identity, a cloud-based cybersecurity company. Previously, Swaroop was Executive Vice President and General Manager of Proofpoint, leading the company’s email security business; and led the Enterprise Security Solutions product management and product marketing teams at Symantec. He also has held leadership positions at NetApp, McKinsey, and Intel.