The zero trust approach to enterprise security proposed by analyst firm Forrester Research nearly a decade ago can be challenging to implement. You need a clear understanding of the changes it entails and the impact it can have on the user experience.
The model emphasizes robust user authentication and device validation over network and endpoint security as key to protecting applications and data against new and emergent threats. Instead of having enforcement mechanisms at the network perimeter, zero trust focuses on moving them as close as possible to the actual application or surface that needs to be protected. Users and devices are not automatically trusted simply because they happen to be behind the enterprise perimeter or on a trusted network.
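To make the shift concrete, here is an added example (not from the article or any vendor) contrasting a perimeter-style decision with a zero-trust decision made at the application. All names, IP ranges and policy entries are constructed for illustration.

```python
"""Constructed example: per-request access decision that ignores network
location and requires an authenticated user on a validated device."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed "trusted" corporate range used only by the legacy check
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed policy: which identities may reach which application
ACL = {"payroll-app": {"alice"}, "wiki": {"alice", "bob"}}


@dataclass
class Request:
    user: Optional[str]        # authenticated identity, None if unauthenticated
    mfa: bool                  # strong authentication completed for this session
    device_id: Optional[str]   # device presenting a verifiable identity
    device_compliant: bool     # posture check passed (patched, encrypted, managed)
    src_ip: str                # where the packets came from
    resource: str              # application being requested


def perimeter_allows(req: Request) -> bool:
    """Legacy model: anything originating inside the enterprise network is trusted."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in INTERNAL_NETS)


def zero_trust_allows(req: Request) -> bool:
    """Zero trust: enforced at the application; src_ip is never consulted."""
    if req.user is None or not req.mfa:
        return False                      # who is asking must be proven
    if req.device_id is None or not req.device_compliant:
        return False                      # and from what device
    return req.user in ACL.get(req.resource, set())  # then least-privilege policy


# Constructed sample requests
INSIDER_NO_AUTH = Request(None, False, None, False, "10.1.2.3", "payroll-app")
REMOTE_ALICE = Request("alice", True, "laptop-7", True, "203.0.113.9", "payroll-app")
INSIDE_STALE_DEVICE = Request("alice", True, "laptop-7", False, "10.1.2.3", "payroll-app")
BOB_PAYROLL = Request("bob", True, "laptop-8", True, "10.1.2.4", "payroll-app")

if __name__ == "__main__":
    for name, r in [("insider, unauthenticated", INSIDER_NO_AUTH),
                    ("remote alice, healthy device", REMOTE_ALICE)]:
        print(f"{name}: perimeter={perimeter_allows(r)} zero_trust={zero_trust_allows(r)}")
```

The unauthenticated request from inside the network is the case the perimeter model gets wrong, while the remote user with a compliant device is the case it needlessly blocks.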
“Zero trust is a thought process and approach about how to create your organization’s cyber security posture,” says Steve Dyer, CTO of Respond Software. “Conceptually, it boils down to ‘don’t trust the network whether inside or outside the perimeter’.”
Implementing the model requires thoughtful planning and recognition that zero trust is a journey and not a destination. “Vendors are jumping all over zero trust as the next big thing they can hang their existing platforms on,” Dyer notes.
In reality, much of the work of implementing the model is boring and unglamorous: creating and maintaining policy around data access, and authorizing access to the applications that read and write that data. “There are no silver bullets. The heavy lift will be on the internal teams since they understand the business drivers and core assets,” says Dyer.
Here are some of the key steps that Dyer and others believe are necessary for organizations to take when starting on the road to zero trust.