29 Sep Zero Trust – It is for every organisation
As a cyber security executive in the enterprise space for a number of years, I have seen a lot of marketing terms come and go without much substance behind them. Zero Trust, however, is something special if it is understood properly.
Zero Trust is, in a tagline, the concept that “no one and nothing has access until they’ve proven they should be trusted”, but it’s a bit more than that. It’s changing our approach to security to prepare for the modern technology world and current threat landscape. This involves:
- Accepting that your users and their devices could be working anywhere, anytime and applying security controls to prepare for that.
- Accepting that data is going to leave the perimeter and applying security controls to reduce the risk of data exposure in unsanctioned places.
- Accepting that third parties (SaaS, Contractors, Partners) need to receive, store and share sensitive data with your organisation and applying the necessary security controls, assessment processes and legal clauses to reduce risk.
- Accepting that an attacker could be inside your systems at any time, and segmenting your network to reduce the blast radius.
The above are a reality in most, if not all, organisations.
Some organisations may think they don’t need to start their Zero Trust journey, since all their valuable assets are still inside their perimeter. But your users (and their devices and data) are more than likely not. Our workforce is now tech-savvy and more than capable of signing up for a third-party SaaS application or Cloud storage account themselves and beginning to share organisational data there. They do this already in their own personal lives, and a large percentage of our current workforce has grown up using technology. The old assumption that IT can intervene on all new technology initiatives, since users won’t know how to do it without involving IT, is no longer accurate.
Once we accept the current situation, we can start to build a pragmatic roadmap that aligns with a Zero Trust framework, so that Cyber Security can join the business on this journey, instead of being left behind and forever responding to incidents.
Until next time.
Chief Security Advisor