Intelligent CIO Europe Issue 91 | Page 33

EDITOR’S QUESTION

The cyberattacks on retailers in the UK and globally show that cyber risk is inexorable. The increasing rate of attacks, the diversification of methods accelerated by AI, and the growing financial losses being caused are concerns for cybersecurity and business leaders alike.

While awareness of the Zero Trust approach and implementation of Zero Trust strategies and techniques are becoming more widespread, there are still organisations who haven’t sufficiently implemented the principles that can protect them from threats posed by ransomware groups and other cybercriminals.
Ultimately, it’s simply no longer feasible for organisations to consider any elements of the service topology as ‘trusted’. Rather than assuming any user or device on a network must have passed adequate security checkpoints and therefore can be trusted, organisations must utilise models which secure the data and assets those networks are there to carry, requiring continuous verification of trustworthiness in order to ensure computer security.
By assuming every action is potentially malicious and performing security checks on an ongoing, case-by-case basis, Zero Trust reduces successful attacks and protects organisations in the event of a breach as other data and assets remain secure, rather than being accessible by an attacker. Zero Trust ensures computer security for users, data / information, applications, APIs, devices, networks, cloud, etc., wherever they are – instead of forcing a “secure” network within a company.
However, allowing Zero Trust to become a stationary target is itself fraught with risk. It is now clear that well-implemented, well-governed Zero Trust strategies really do mitigate the damage that a breach can cause. The problem is that anything highly valuable, whether it is a precious metal or a vital technology, is vulnerable to error, hype, and counterfeiting. Enterprises must be sure that their approach to Zero Trust, and the tools they use to enable it, really do live up to the standards that the term promises and are continuously adjusted and updated as threat vectors and techniques continue to evolve. The ‘zero trust’ of Zero Trust lies in the fact that the authority to access those assets is never assumed, as it might be when users connect through a secured network; instead, access privileges are revalidated at each point of contact, and those privileges must also be assessed regularly.
To fight against cyber criminals, we need a shared understanding of what truly is (and, just as importantly, what is not) Zero Trust. Any organisation pursuing Zero Trust should start from a position of relying on robust, open, tested, vendor-neutral definitions of the methodology, as well as standards and best practices, in order to assure that the systems they roll out really will meet the demands of future security threats. Moreover, implementing Zero Trust does not require a complete ‘rip and replace.’ Rather, organisations will be able to keep many of their existing tools and strategies in place while strengthening them with Zero Trust (and maybe eventually replacing them with better solutions).
The effort involved is worth it, though, because the changing nature of cyber threat is quickly outpacing the ability of the traditional security perimeter model to combat it. Malicious actors are becoming ever more skilled at moving laterally to points of value within networks once the perimeter is breached, and there is only so much that security teams can do to ameliorate that damage.
JOHN LINFORD, SECURITY PORTFOLIO FORUM DIRECTOR,
THE OPEN GROUP