As much as security leaders would welcome it, unfortunately, there is no silver bullet to combat cybersecurity risk. That's probably why Zero Trust is such a hot topic, especially for companies moving through their digital transformation. Zero Trust is not a technology, product, or solution. It's a conceptual architectural approach built upon an ecosystem that creates an environment for a holistic security posture.
Zero Trust is a combination of technologies, implemented within an architecture developed to support a holistic security initiative and strategy. I like to think about it in terms of fighting and winning a war versus fighting a single battle. Winning a war requires a comprehensive plan, strategy, and execution, that encompasses many different armaments, varied locations, individual battles, and diverse combatants.
Forget about 'coloring inside the lines'
Modern, digitally-enabled enterprises operate within a perimeter-less environment, with assets on-premises, and in the cloud. This creates a growing list of potential attack surfaces, including corporate offices, IoT, mobile users, and remote office workers. Enterprise borders are becoming virtualized and managed by a software-defined perimeter (SDP) that controls access to resources based on identity. The structure for this approach is fundamental to a Zero Trust "need to know" model, where every endpoint attempting access to a corporate asset must be authenticated and authorized before they gain entry.
You must consider the user experience
A Zero Trust architecture has many components to maintain a high level of security. However, it's important to build in the user flows and the user experience, as part of a Zero Trust model. Identifying every aspect of the flow process, and how it impacts the user, will create an environment conducive to a frictionless experience.
Organizations creating a Zero Trust environment that supports a quality user experience should also consider a federated single sign-on. This enables users with seamless single authentication, that is trusted among different systems and organizations. A Zero Trust architecture with contextual policies that tie into risk-based authentication plays a key role in simplifying the user experience and determining what, and how, a user within a merged environment can access corporate assets.
With Zero Trust, the whole is greater than the sum of its parts
Aggregating policies for risk, applications, users, devices, IP addresses, locations, and workloads; the myriad security and identity access management (IAM) tools and platforms; and multi-factor authentication, all contribute to creating a solid Zero Trust model. Application workloads are dynamic and move across diverse application hosting environments, including corporate data centers, and public, private, and hybrid clouds. A Zero Trust architecture must understand the dynamic nature of user behaviors and ubiquitous connectivity. This is where automation through AI and machine learning can provide continuous improvements in supporting and enforcing Zero Trust policies.
APIs are another element of a Zero Trust architecture that strengthen an organization’s security posture. API Gateways, with the OAuth 2.0 protocol and OpenID Connect identity layer, sit in front of corporate assets to extend identity trust mechanisms. This enables a consistent pattern of how user access tokens are granted. API Gateways implement security controls by acting as a broker between users and corporate assets.
From buzzword to reality
While Zero Trust may be a buzzword in security conversations, it's truly a necessity for any organization on a digital transformation journey. Those looking to strengthen their security posture will find Zero Trust a "must-have" in order to holistically integrate the interdependencies among users, devices, applications, networks, and data.