Mastering A Zero Trust Security Strategy
The concept of zero trust security is simple. Trust no one, every time. Regardless
of previous actions and permissions, zero trust demands revalidation for every
transaction, person, device, data access, network location or connection – every time.
WANING TRUST
Around the world trust is waning. With billions of transactions online daily, we ask customers to trust
our organizations with an ever-wider array of sensitive information. But with more sophisticated
breaches and scams, that trust is being tested. Adding to the complexity is consumer expectation to
access services, securely, across multiple devices.
Technology is advancing at such accelerated speed that even some of the largest tech companies
in the world are revisiting development that may put customer security and privacy at risk. Both
Facebook and IBM announced they will no longer develop facial recognition capabilities. Smaller tech
organizations may find themselves launched into the mainstream before they have robust protections
in place.
MANAGING RISK
Security professionals play an important role in managing risk to protect customers, vendors and the executive board.

Organizations that fail to address advanced persistent threats (APTs) and vulnerabilities open themselves up to mass exploitation from threat actors that can be escalated and weaponized at speed.

Today, the volume of data and reliance on business processes, both on premises and in the cloud, coupled with the complexity and interconnectedness of data across multiple organisations, requires a zero trust strategy and relevant control frameworks to protect against security incidents.

Pitfalls of existing security models can include:
• It is impossible to identify “trusted” interfaces
• The mantra “trust but verify” is not taken seriously
• Insider threats
• A formal data architecture that defines data communities, associated users’ and users’ data paths
• Use of servers, virtual machines and cloud services capable of separating data communities

“A zero trust security architecture approach is based on the premise that organizations should not inherently trust any systems that connect to or interact with their technical infrastructure and/or networks without verification and validation of their need to connect and an inspection of their security posture and capabilities.”
— John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP, President of IP Architects LLC
1. The policy engine is responsible for deciding to grant access to a resource for a given subject.
2. The policy administrator is responsible for establishing and shutting down the communication path between a subject and a resource.
3. The policy enforcement point is responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource.
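The three components above, and the “revalidate every time” rule from the opening paragraph, as an added illustration that is not part of the original infographic. The subject attributes (MFA status, device compliance), the resource allow-list and the scenario are assumptions chosen for the example; it shows a path being granted and then revoked when the subject’s posture changes between two requests.

```python
from dataclasses import dataclass

@dataclass
class Subject:
    identity: str
    mfa_verified: bool        # posture signals the engine re-checks on every request
    device_compliant: bool

@dataclass
class Resource:
    name: str
    allowed: frozenset        # identities permitted to reach this resource

class PolicyEngine:
    """Decides, per request, whether a subject may access a resource."""
    def decide(self, subject: Subject, resource: Resource) -> bool:
        return (subject.identity in resource.allowed
                and subject.mfa_verified
                and subject.device_compliant)

class PolicyAdministrator:
    """Opens and closes the communication path based on the engine's decision."""
    def __init__(self, engine: PolicyEngine):
        self.engine = engine
        self.open_paths = set()

    def evaluate(self, subject: Subject, resource: Resource) -> bool:
        path = (subject.identity, resource.name)
        if self.engine.decide(subject, resource):
            self.open_paths.add(path)
            return True
        self.open_paths.discard(path)   # revoke an existing path when posture changes
        return False

class PolicyEnforcementPoint:
    """Forwards traffic only while the administrator keeps the path open."""
    def __init__(self, admin: PolicyAdministrator):
        self.admin = admin

    def forward(self, subject: Subject, resource: Resource, payload: str) -> str:
        # Every transaction is re-evaluated; no earlier decision is cached.
        if self.admin.evaluate(subject, resource):
            return f"delivered to {resource.name}: {payload}"
        return "connection terminated"

def demo() -> list:
    """Constructed scenario: access is granted, then revoked mid-session."""
    payroll = Resource("payroll-db", frozenset({"alice"}))
    alice = Subject("alice", mfa_verified=True, device_compliant=True)
    pep = PolicyEnforcementPoint(PolicyAdministrator(PolicyEngine()))
    results = [pep.forward(alice, payroll, "SELECT ...")]
    alice.device_compliant = False        # device falls out of compliance
    results.append(pep.forward(alice, payroll, "SELECT ..."))
    return results                        # ['delivered to payroll-db: SELECT ...', 'connection terminated']
```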
SYSTEM ACCREDITATION
There will always be threats that diminish trust, but mutual understanding and assurance still can be accomplished using standards, frameworks and prioritizing improvements using objective evaluations.

“While the cyberthreat landscape remains daunting, the rise in awareness and adoption of zero trust serves as an important source of optimism in the security community.”
— Gregory J. Touhill, CISM, CISSP, Brigadier General (ret.), ISACA Board Chair
Source: Five Key Considerations When Adopting a Zero Trust Security Architecture
Read more:
Does trust still matter in the era of zero trust?
Five key considerations when adopting a zero trust security architecture
Zero trust
Listen to “The rise of zero trust explained”