It may be the latest conference catchphrase, but a zero trust model can help improve an organization’s security defenses. In order to benefit from this approach, however, businesses must first do their homework, Dave Lewis explains

COMMENT ‘Zero trust’ is a term that we hear over and over again at conferences and in various security news articles, but its definition seems to get muddied with each new company that decides it’s a zero trust player.

It reminds me of a time years ago when I was at the RSA Security Conference in San Francisco. I was wandering the floor speaking with various vendors and was gobsmacked at how many were suddenly “cloud” players.

I used quotes in that case because one such company caught my eye. They even had ‘cloud’ in the name, but after a prolonged discussion with the executive that they had in their booth, they finally relented and admitted that they had no cloud play whatsoever and that they were using the name to get attention from investors and customers.

It was an on-premises solution that didn’t even need to connect to the internet.

Today, we are seeing this behavior repeated yet again. When I walked through the vendor area at the last couple of conferences I attended, everyone seemed to have a zero trust angle to their pitch. And in many cases, they’re not wrong.

Wait, what?

That’s the kicker when approaching a zero trust model discussion. First off, a zero trust security approach secures access by your users, devices, applications, and networks. In many cases, you would be leveraging a lot of what you already have in place in your environment.

Asset inventories, account management, and network zone segmentation are all examples of things that your organization can and should have been doing for quite some time now.

Then we need to examine layering in multi-factor authentication (MFA). Static passwords have really outlived their usefulness, and we need to collectively examine a better solution. There are multiple ways to achieve this, such as push-based MFA, U2F, or even biometrics.

Before an organization goes diving headlong into this pool, however, they need to do some homework.

There are some critical pillars that need to be in place on the road to a zero trust, or trusted access, architecture. One of the fundamental pieces of the puzzle is to have an asset inventory.

This is one of those items that usually elicits an eye roll from a reader, but the number of companies that I have asked this question of and received a non-binary answer from is not a small integer.

Once you have a handle on this inventory, you have the first step towards securing your workforce.

Next up you will need to set your organizational goals and expectations. Having done your homework as to what you are looking to achieve as an organization, you can then move forward to setting out your next steps.

Don’t buy products and services without having done the due diligence first.

Moving to a zero trust or rather trusted access design for your enterprise is achievable – it just requires some heavy lifting before ever talking to a vendor, so that you know what you need to accomplish your mission.

Less than zero

Back in 2010, John Kindervag, who was working for Forrester Research at the time, coined the term “zero trust”.

Prior to that, if we look back to 2003, we find that discussion on this issue was already well underway at the Jericho Forum with a paper on de-perimeterization.

The term zero trust managed to capture the attention of a wider audience – and now in 2019, we find it has really entered the common parlance of the day.