We did Zero Trust before it was cool (It's basic security 101)
Written by Sonya Duffin, Director of Solutions Marketing, Ransomware and Data Protection Expert from Veritas
Zero Trust. Did the title make you click? Are you hearing Zero Trust discussed as much as I am? It is suddenly the latest buzzword of the moment, making its way beyond IT teams and into board rooms everywhere. And it is surely living a glorious moment in the spotlight!
I see Zero Trust used in so many ways, many different contexts, and referring to everything from products and companies, technologies, and functionality… it is everywhere. Zero Trust architecture, Zero Trust security, Zero Trust network, Zero Trust model, the Zero Trust enterprise, Zero Trust data protection, and my favorite Zero Trust summit. With all this usage and, frankly, misuse, the true meaning has become blurred and confused. Problematic misconceptions, like that Zero Trust can be bought with a single product, are spreading wildly, leading to serious vulnerabilities and consequences if Ransomware attacks.
So let's break this buzzword down.
What does Zero Trust really mean?
Let's start by pulling the textbook definition. The zero trust security model (also known as zero trust architecture, ZTA, or ZTNA) describes a "never trust, always verify" approach to designing and implementing IT systems. (Zero Trust Model was coined by Forrester Researcher, John Kindervag, in 2010 as a significant departure from the traditional security practice of "trust, but verify.")
Expanding further, it is an approach, which means that it is not just one single thing or a feature. It is a practice, framework, mindset, or a philosophy that encompasses not trusting any devices--or users--by default, even if they're inside the corporate network. This can include a large number of technologies, products, practices, and features that are built into not only the products but the culture and processes of the company. There should be continuous evaluation and verification of access to the network, ensuring that access is secure and authorized, every time and for every single access. We are talking about more than just users, but devices and workloads too!
But it is so much more than just the IT team or an IT charter. For a Zero Trust approach to succeed, the entire company must be aligned. Corporate culture, companywide processes, employee education, and a security mindset, must be paramount throughout the entire organization for Zero Trust to work.
Security teams across the entire organization must agree on priorities and align on access policies. Every single connection across the business, from data, to users and devices, to applications, workloads, and networks, must be architected to the zero trust strategy, with the ability to evolve and refine as needed. That means that there must be an organization-wide commitment. Zero trust architecture can include everything from identity and access management, data and encryption, to devices, workloads, network, and endpoint, but also includes monitoring with analytics and visibility and new technologies like AI, ML, automation, and orchestration. (Identity and access management includes Multi-Factor Authentication, which confirms user and device identities and dual approval confirms whether the user is doing "what" they are supposed to be doing.)
So, you can see how purchasing a single product that claims to bring you zero trust is just marketing fluff.
Why is Zero Trust such a hot topic right now?
One word: Ransomware. Cybersecurity is top of mind worldwide and with the threat of ransomware prevalent compounded with the challenges of securing a remote workforce, Zero Trust has been elevated out of the IT team and into every board room across the globe. Front line security tools and technologies, although being incredibly important, alone they are insufficient.
Adoption of a companywide Zero Trust mindset has been proven to help reduce the risk of a devastating attack. Further, if a breach happens, it reduces the attack surface or what is often referred to as the blast radius because it provides multiple layers of security that minimizes impact. For example, once in your systems cybercriminals often move across your environment searching for business-critical data, confidential information, and backup systems. With strong identity and access management controls, privilege controls, hardening, and secure hardware all built on Zero Trust, access to these areas is prevented. By continuously monitoring and validating users and devices, threats are flagged immediately and can be stopped before they reach maximum damage. Even more crucial today where environments are multi-cloud, hybrid, multi-identity with legacy and SaaS apps.
We recently invited Dr. Sally Eaves, Chair for the Global Foundation of Cyber Studies and Research, and our expert engineer, Dan Rodriguez, to discuss this highly misused and misunderstood buzzword, Zero Trust in our latest episode of Veritas L!VE. Titled, "Zero Trust--from buzzword to big deal," the guests had some fun on this one. A rugby ball even made an appearance! It was nice to see them having a little fun, but honestly, I enjoyed this lively discussion on Zero Trust.
The show kicked off with host Anthony Cusimano sharing, "It's not something that you can download, buy, or activate with one click." Sally chimes in with, "it a practice, not a product," which captured the tone right away. I enjoyed Dan's perspective as he shares, "You can't just buy a zero-trust product and think, 'I'm done, we are zero trust now… the things is, it's an evolution, it's an ongoing process. It is something that cannot be bought once and then forgotten about."
For me, the highlight of the discussion was Sally's point around "moving beyond cyber defense, and instead focusing on cyber resilience." Achieving this level of resiliency requires a lot more than just Zero Trust. Dan Rodriguez stated that zero trust is "something that not a lot of people seem to follow or are just looking to buy it, instead of culturally changing themselves for it." When considering IT security, we urge businesses to think beyond the buzzword and do like Dan said: focus also on "immutability, resiliency, and keeping up to date on your patching." Without a concerted effort at security and resiliency companies can be in a culture of zero trust and still be vulnerable.
I could not agree more with all their opinions, it's a very important and timely conversation. What concerns me the most about overusing and misusing Zero Trust as well as productizing Zero Trust, naming products as "Zero Trust solutions" in and of themselves, is how harmful that is to the seriousness of today's cybersecurity threats and how companies may think that they are safe, when they are extremely vulnerable. It is breeding so many misconceptions of the term. One single product or solution alone, is not Zero Trust. Moreover, let's say even if the solution solved Zero Trust, now hackers have just one solution to fool, and everyone would be back to square one.
How does Veritas help?
At Veritas, the Zero Trust practice has been part of our corporate culture for years--a huge advantage of having been conceived while we were still part of a security company. Everything that we engineer is built on that strong security foundation. We might not be screaming it loudly for all to hear with a tagline or headline on our website. It's table stakes for us. While many companies are scrambling to add security features to their products, Veritas products have embodied multiple layers of Zero Trust principles for years and are architected to enhance the Zero Trust architecture for all our customers.