Should You Trust Zero Trust?

One of the hottest trends in security today is Zero Trust.  It’s something that has grabbed everyone’s attention and is being mentioned by basically every software and hardware vendor out there today.

We’re going to take a more practical look at Zero Trust and cut through the hype to get to the bottom line – what’s Zero Trust and what do I need to do?

What Problem Does Zero Trust Solve?

Before implementing any hot new technologies in our environment, it’s important to tie it back to business value.  Why would I contemplate using Zero Trust?  What does it fix in my environment?

I’ve got a single word for you to show you why you need to pay attention to Zero Trust – ransomware.  Ransomware is one of the biggest threats to any environment today and something the business is absolutely paying attention to.

What problem does Zero Trust solve in the context of ransomware?

The goal of Zero Trust is to Trust No One (bonus points if you got the reference).  This architecture focuses heavily on identity and access management.  There’s no inherent trust as a user carries out their activities throughout the environment, they work in.

Now switch out users with threat actor.  If someone gains access to your environment, that means they cannot traverse through and wreak havoc.  They can’t get to AD, they can’t get to your VMware environment, and the damage they can do is limited.

What to Know Before Exploring Zero Trust

There are some important things to remember before exploring Zero Trust for your environment.  First and foremost, while it can reduce risk, it’s not the silver bullet solution to save organizations from being hacked.

Zero Trust, like many fundamental shifts in architecture, is a journey and it will take different organizations different amounts of time to get there.  Unfortunately, you cannot go out and simply buy a Zero Trust and apply it to your whole environment at once, no matter what software vendors may want you to believe.

How to Get Started with Zero Trust

When it comes to getting started with Zero Trust there are many considerations from the business level down to the technology level down to the user level.  While many organizations may be tempted to go all in on Zero Trust out of the gate, the complete opposite approach will yield the best results.

Identify the area to start with.  This could be an at-risk user base, or perhaps even the crown jewels of applications or data in your organization.  By starting small with one area, you can prove to stakeholders and users alike that the model will be successful.

Once you figure out the area you are going to protect first, take a look at the tools you already have in your environment.  The good thing about so many vendors getting on the Zero Trust bandwagon is you may not need to go out and buy a Zero Trust!  You may already own the tools you need to be well on your way.

Then the work starts, and this is where it is good to have some executive buy-in.  Changes may need to be made to the way things are done today to successfully implement the Zero Trust architecture.  Your users may even see changes in their day-to-day operations based on how things work today.

A successful Zero Trust implementation will maximize security while minimizing the impact on users (some of which may also be your stakeholders and champions).  Just like with any security controls, it’s always a difficult balance to strike.

Should we all be evaluating Zero Trust for use in our environments?  Absolutely, but this does not mean there is a single-point solution that will solve our problems or that the road will be easy.  Be sure to take a listen to the vendors you already have in-house that are now speaking the Zero Trust language but be sure to take what they say with a grain of salt.