The evolution of Zero Trust: From network access to critical enterprise resources
Zero trust is a security framework that requires all users, whether internal or external, to be continuously authenticated and authorized on an organization’s network. It works on the premise that no device and no user behind the device should be trusted.
“Never trust and always verify,” confirms Prashant Mascarenhas, Vice President - Cybersecurity & GRC Services at HCLTech, speaking at the RSA Conference.
Fundamentally, the zero-trust model means that the identities of the users are always verified and authenticated at every layer of different enterprise resources, without creating friction in the organization and while reducing risk.
“From an evolution standpoint, zero-trust is at a point of controlling application and data access— critical enterprise resources,” says Mascarenhas.
With this evolution, the framework is now gaining significant traction, with Gartner predicting that by 2026, 10% of large enterprises will have a mature and measurable zero-trust program in place, up from less than 1% today.
The focus now is on how organizations can embed and implement an effective zero-trust framework.
Embedding a zero-trust framework
The first step in embedding an enterprise-wide zero-trust framework is to establish a zero-trust strategy that balances frictionless work and risk mitigation. According to Gartner, this should be led by the Chief Information Security Officer (CISO) and risk management leaders.
Crucially, it shouldn’t be forgotten that the foundation of zero-trust is identity. To effectively ensure controlled network access and, now, application and data access, Mascarenhas recommends implementing a “strong identity access management architecture, which will help organizations move away from traditional role-based access models to attribute-based access models that can be used to make contextually relevant decisions”.
At the same time, he says that at the network layer, “organizations should shift from traditional network access controls to policy-based remote access and device context-based policies, which can be applied on the network in real time”.
He adds: “Static policies can be broken, but dynamic policies, which are computed using attributes coming out of telemetric data from the network and applications, can drive a higher level of security with the end aim of protecting data.”
In deciding where to implement the first rollout of zero-trust, Gartner recommends protecting the most critical assets, as this will yield the greatest return on risk mitigation.
It should be noted that zero-trust doesn’t represent a silver bullet. It’s a crucial component of developing a holistic cybersecurity strategy and key in helping reduce risk, but it must be combined with other threat detection technologies and frameworks.
The cybersecurity mesh
Gartner has referred to the future of security architecture as the cybersecurity mesh. This emerging architecture aims to consolidate all composable and distributed security tools to reduce complexity and improve an organization’s overall cybersecurity posture.
“The cybersecurity mesh incorporates individual security technologies and integrates them together for a unified policy across the entire landscape,” says Mascarenhas.
In this consolidated environment, zero-trust enables organizations to take network, application and data access controls and apply them across the entire landscape, including the devices, policies and tools that are being brought together under the cybersecurity mesh.