As a business leader, it may be counterintuitive to talk about "zero trust". After all, trust is what most of us are trying to establish. A recent Gartner report, however, recommends having none of it.
When it comes to trust, most business leaders will likely emphasize its importance as a fundamental pillar in any organization. A trusting environment is widely praised to have more streamlined decision-making, higher adaptability, and lower levels of stress. Some argue that trust promotes ethical behavior and binds the organization together.
In this context, "zero trust" almost seems at odds with several positive traits in the workplace. But when it comes to cybersecurity and IT systems, the zero-trust security paradigm is winning ground, according to a recent Gartner report. The consultancy draws on data from Verizon's 2022 Data Breach Investigations Report, as well as a slew of legal recommendations and strategies from US authorities to argue that zero trust limits organizations' exposure to current cyber threats.
What is zero trust?
Zero trust is not a product or a technology, but rather a paradigm or approach to security applied in IT systems. It is based on the principle of “never trust, always verify”, regardless of whether a user or system is inside or outside the network perimeter. It mandates that each access request is validated and authenticated before access is granted, which helps ensure a higher level of security across digital environments.
From perimeter security to locking every door
Conventional security systems focus on securing the perimeter of your organization and letting everyone on the inside have more or less implicit access to anything they want. Under a zero trust paradigm, however, it’s not only your perimeter that is heavily guarded – the same access rules and verifications apply to any actions you are taking on the inside. It means that access to sub-systems or content anywhere else in the system is denied by default.
Cumbersome and not user friendly, you say? Yes, if a zero trust strategy is implemented haphazardly, moving from "implicit access" to "default deny" can impact both efficiency and innovation. But Gartner has an answer to that in their “2023 Strategic Roadmap for Zero Trust Security Program Implementation".
3 recommendations for implementing zero trust
First, Gartner recommends selecting specific use cases where zero trust will be applied first, with a risk-based approach. Depending on your business, you may want to limit the exposure of your applications and services, or restrict the lateral movement of malware, or take actions that might help isolate specific types of attacks.
Second, it is important to map and fully understand the current capabilities of your existing identity and access management technologies – before investing in new zero trust technologies.
Third, you need to plan ahead to address organizational resistance. Nobody likes to have privileges removed, even if this includes access privileges to content that is not used by or relevant for the people of teams they have been extended to. Moving to a zero trust paradigm is something the entire organization needs to do together and investing in creating solid understanding – both for the "why" and the "how" – is crucial.
As with all changes that have an organization-wide impact, it is essential to emphasize manageability, consider the scope of deployment and the potential adverse impact on user experience. A zero trust strategy implementation does not need to happen overnight or at the same pace everywhere. But it does need to have a clear roadmap and be clearly communicated – again and again – to employees and leaders.
In a volatile, uncertain, complex, and ambiguous world where cyber resilience and robustness have been bumped up the priority list, successful zero trust deployments are likely to give organizations a competitive edge. Having a partner – a client, a vendor, an ecosystem contributor – that trusts no one with your organizational data, is a partner who will also help protect you.
Read the full report here for further guidance on how to get started with zero trust strategies: 2023 Strategic Roadmap for Zero Trust Security Program Implementation
- Meet & collaborate securely
- Secure meetings
- Secure collaboration