Explaining Zero Trust to Technology Executives
Ransomware attacks, a hybrid workforce and cloud adoption (among other key factors) have driven interest in zero trust; the first three quarters of 2021 saw a doubling of Gartner client inquiry over the entirety of 2020.[1] In addition, the callout of zero trust in the U.S. Executive Order on Improving the Nation’s Cybersecurity, issued on 12 May 2021, has only added to this interest from both government organizations and private-sector federal contractors.
What Is Zero Trust?
A zero trust architecture removes implicit trust (“This user is inside my security perimeter”) and replaces it with adaptive, explicit trust (“This user is authenticated with MFA from a corporate laptop with a functioning security suite”). However, the term “zero trust” is used in many vendors’ marketing to mean “better security” and as a new label on an old offering. This is far from the complete story — zero trust is an architecture that goes beyond the network and covers many aspects of cybersecurity.
Security architectures have typically been built on implicit trust — hardened perimeters at physical locations wrapped around “soft and chewy” interiors. When workers were remote, organizations extended the trusted network via VPN, thus creating an easy target for attackers. These resulting networks are fragile and inflexible. They are unable to defend against modern attacks or support modern business models that use a combination of managed and unmanaged endpoints, and where both users and data may be outside of any physical office or network perimeter.
Building an architecture that “never trusts, always verifies” connections and that assumes a bad actor is active at all times leads to highly resilient, highly flexible environments that are much better suited to the demands of the modern workplace. These networks will be much better positioned to prevent an incident or compromise from becoming a full-scale breach by both making the attackers' lives harder and giving defenders more time and ability to react.
How Do I Explain the Business Value?
The business value of a zero trust approach can be embodied in three key words: resilient, adaptive and enabling.
Zero trust principles will increase the resiliency of IT infrastructure (for example, the network is designed to operate in the presence of an attacker, and to contain and manage an incident). This means that the likelihood of a business-impacting event (such as ransomware or a data compromise) can be reduced, with an associated reduction in risk to the business.
The future of work will be hybrid, so a modern working environment has to be flexible and adaptive. It must support remote workers, remote data (such as IaaS) and remote applications (such as SaaS). The architecture may restrict access, but it must be flexible enough to support an increasingly interconnected business. It must adapt to the needs of the business while allowing that business to thrive despite the threats enabled by being so connected.
Zero trust supports all these goals by using context and identity as the control plane and minimizing access to the least required to do the job at hand. This allows the business to work as required, and not to be inappropriately constrained by security controls. Users can have risk-appropriate access to resources from any device, any time and any location, and with the same security controls in place regardless of the situation. It enables the secure use of cloud computing and secure access to on-premises resources, and facilitates the migration from the latter to the former.
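The contrast between implicit trust and explicit trust built on identity, device context and least privilege can be shown as two access decisions over the same requests. The following Python code is an added example, not part of the original article; the address prefix, role map, field names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical corporate address range standing in for "inside the perimeter".
PERIMETER_PREFIX = "10."

# Hypothetical least-privilege map: each role gets only what its job needs.
ROLE_RESOURCES = {
    "finance": {"ledger"},
    "engineer": {"source-repo", "build-server"},
}

@dataclass(frozen=True)
class Request:
    role: str
    resource: str
    source_ip: str
    mfa_passed: bool
    managed_device: bool
    security_suite_healthy: bool

def implicit_trust_decision(req: Request) -> bool:
    """Perimeter model: anything arriving from the internal network is trusted."""
    return req.source_ip.startswith(PERIMETER_PREFIX)

def explicit_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero trust model: identity and device context decide; location is ignored."""
    if not req.mfa_passed:
        return False, "identity not verified with MFA"
    if not (req.managed_device and req.security_suite_healthy):
        return False, "device posture not verified"
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, "resource outside least-privilege grant"
    return True, "explicit trust established"

# Constructed sample requests (addresses are private/documentation ranges).
SAMPLES = {
    "stolen password used from inside the network":
        Request("finance", "ledger", "10.1.4.20", False, False, False),
    "remote employee on healthy corporate laptop":
        Request("finance", "ledger", "203.0.113.7", True, True, True),
    "verified engineer reaching for finance data":
        Request("engineer", "ledger", "10.1.4.33", True, True, True),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label}: perimeter={implicit_trust_decision(req)}, "
              f"zero trust={explicit_trust_decision(req)}")
```

The perimeter check admits the first and third requests purely because of where they originate and rejects the legitimate remote employee, while the explicit check reverses all three outcomes without ever consulting the source address.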