What is zero trust and why does it matter?
Author: Christopher Tozzi
In an era of expanding cyber risk, leading organizations are increasingly moving beyond traditional perimeter-based security methods—for instance the U.S. Department of Defense (DoD) has announced a road map to move to a zero trust architecture by 2027.
As zero trust is a major industry buzzword, it is helpful to understand the basics behind it and how to select a trusted partner to build your own road map to secure your network and devices.
What is zero trust?
According to NIST SP 800-207, "Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources."
Put another way, it means not trusting any entity on your network and disallowing communication between endpoints or other resources until you've vetted the entities and determined they're secure. A zero trust model requires continuous verification.
Importantly, zero trust infrastructure doesn't just apply to anonymous or unidentified resources, such as external endpoints trying to connect to a server you run. ZT can also be applied to internal resources, like virtual servers your IT team created or a personal mobile device an employee brings onto your corporate network as part of a bring your own device (BYOD) policy. Internal and external assets may contain security risks or vulnerabilities such as malware, so preventing them from interacting with other resources by default helps to minimize the chance of exposing your networks to attack.
How zero trust works
At a high level, here's how to put ZT into practice: establish access controls or permission settings within your IT environment that prevent a user, device, application, server, or other asset type from connecting to IT resources until it has passed security checks.
Exactly how you do that, however, depends on which assets exist on your network and which tools are available for securing them. Most modern IT infrastructure components, applications and mobile devices offer some type of access control framework you can use to enforce ZT, but the frameworks vary.
For example, in an on-premises IT infrastructure, you'd typically use firewalls hosted within physical network switches or routers to control which devices can connect to which other devices. Alternatively, in a public cloud, you'd use the cloud provider's virtual networking and firewall tools to manage connection permissions. Access control tools that reside locally on individual devices, such as Linux user, group and file permissions settings, can also play a role in achieving ZT.
The importance of zero trust
Zero trust brings several key benefits to IT environments and organizations.
Containing risk
ZT helps ensure security risks on one resource won't spread to others. If you don't allow entities to exchange data or share resources with other entities until you've scanned them for risks, you significantly reduce the chances that a vulnerability on one entity will impact others.
Providing network visibility
Because ZT requires you to monitor for new entities on your network on a continuous basis, it helps ensure you always know what exists within your IT estate and the levels of access each entity has.
Lowering the burden on the IT team
By minimizing the ability of security risks to spread between devices or other endpoints, ZT reduces the amount of work IT engineers must perform responding to risks. Security incidents are easier and faster to address when they affect only one device, as compared to risks that have spread through the network by the time you identify them.
Enabling remote workers and BYOD
ZT plays a pivotal role in protecting against risks that might be introduced through unsecured IT equipment remote workers use or through personal mobile devices employees use for work under BYOD policies. Thus, zero trust infrastructure allows organizations to support remote workers and allow BYOD while still enforcing strong security standards. Posture management enables enforcement of ZT by assessing the "worthiness" of these devices to interact on the network.
Put simply, ZT helps organizations achieve higher security standards in a more efficient way. It also increases the flexibility of their workforces and networks by making it easier to connect a large number of devices without compromising on security.
How to build a zero trust infrastructure
Zero trust is a concept, and there's no specific tool or singular process you can implement to enforce it within your infrastructure. However, a practical and efficient way to get started with ZT at your organization is to adopt the practices discussed in the DoD's Zero Trust Strategy.
Those guidelines break the creation of zero trust infrastructure down into the following steps:
1. Establish a zero trust culture
Start by getting buy-in within your organization for zero trust as a principle. Educate stakeholders (such as managers, employees and customers) about the benefits of ZT and outline how it works.
2. Assess your zero trust infrastructure
Next, identify which resources exist within your infrastructure—such as stationary computing devices, mobile computing devices and applications. This is important for understanding which tools you'll require for enforcing zero trust policies within each resource.
3. Implement zero trust
Using access control tools that support each resource you need to protect, implement configurations that establish ZT. For example, on networking infrastructure, you can create firewall rules that block new endpoints from connecting to other endpoints until the new endpoints have passed security scans.
4. Support and extend zero trust
Most infrastructures are constantly changing, and ZT strategies must change with them. To succeed with ZT over the long term, ensure you have the staff and tools necessary to update policies and processes on a continuous basis.
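The decision logic described in "How zero trust works", in the posture-management point under "Enabling remote workers and BYOD", and in step 3 above can be sketched as a small policy decision point that starts from deny and evaluates every request on its own merits. The Python program below is an added example, not code from this article, from Verizon or from the DoD strategy; the device inventory, users, resources, timestamps and the 24-hour scan and 15-minute re-authentication limits are all constructed assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy decision point. Every request is evaluated from scratch
# (default deny), regardless of whether the caller is on the "internal" network.


@dataclass
class DevicePosture:
    """Inventory record for a device: the 'posture' the article refers to."""
    device_id: str
    managed: bool                          # enrolled in the organisation's device management
    last_clean_scan: Optional[datetime]    # when the device last passed a security scan


@dataclass
class AccessRequest:
    user: str
    device_id: str
    resource: str
    authenticated_at: datetime             # when the user last proved their identity
    mfa: bool                              # whether that authentication used a second factor


@dataclass
class Decision:
    allow: bool
    reason: str


class ZeroTrustPolicy:
    SCAN_MAX_AGE = timedelta(hours=24)        # assumed: posture must be fresh
    SESSION_MAX_AGE = timedelta(minutes=15)   # assumed: identity must be re-proven regularly

    def __init__(self, entitlements, inventory):
        self.entitlements = entitlements   # user -> set of resources they may reach
        self.inventory = inventory         # device_id -> DevicePosture
        self.seen = set()                  # every device that ever asked for access (visibility)

    def evaluate(self, req, now):
        """Continuous verification: identity, device posture and entitlement are all re-checked."""
        self.seen.add(req.device_id)
        posture = self.inventory.get(req.device_id)
        # The first failing check wins; nothing is allowed until every check passes.
        if posture is None:
            return Decision(False, "deny: device not in inventory")
        if not posture.managed:
            return Decision(False, "deny: unmanaged device")
        if posture.last_clean_scan is None or now - posture.last_clean_scan > self.SCAN_MAX_AGE:
            return Decision(False, "deny: no recent clean security scan")
        if not req.mfa:
            return Decision(False, "deny: multi-factor authentication required")
        if now - req.authenticated_at > self.SESSION_MAX_AGE:
            return Decision(False, "deny: re-authentication required")
        if req.resource not in self.entitlements.get(req.user, set()):
            return Decision(False, "deny: user not entitled to resource")
        return Decision(True, "allow: identity, device posture and entitlement verified")


NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)   # constructed evaluation time


def build_policy():
    """Constructed inventory and entitlements; not real devices or users."""
    inventory = {
        "laptop-01": DevicePosture("laptop-01", True, NOW - timedelta(hours=1)),   # fresh scan
        "laptop-02": DevicePosture("laptop-02", True, NOW - timedelta(days=3)),    # stale scan
        "phone-07": DevicePosture("phone-07", False, None),                        # BYOD, unmanaged
    }
    entitlements = {"alice": {"hr-db", "wiki"}, "bob": {"wiki"}}
    return ZeroTrustPolicy(entitlements, inventory)


def run_demo():
    """Evaluate a batch of constructed requests; returns (decisions, devices observed)."""
    policy = build_policy()
    recent = NOW - timedelta(minutes=5)
    requests = [
        AccessRequest("alice", "laptop-01", "hr-db", recent, True),                   # allowed
        AccessRequest("alice", "laptop-02", "hr-db", recent, True),                   # stale scan
        AccessRequest("bob", "laptop-01", "hr-db", recent, True),                     # not entitled
        AccessRequest("alice", "laptop-01", "wiki", NOW - timedelta(hours=1), True),  # session too old
        AccessRequest("alice", "laptop-01", "wiki", recent, False),                   # no MFA
        AccessRequest("alice", "phone-07", "wiki", recent, True),                     # unmanaged device
        AccessRequest("carol", "laptop-99", "wiki", recent, True),                    # unknown device
    ]
    decisions = [policy.evaluate(r, NOW) for r in requests]
    return decisions, sorted(policy.seen)


if __name__ == "__main__":
    decisions, seen = run_demo()
    for d in decisions:
        print(d.allow, d.reason)
    print("devices observed:", seen)
```

Only the first request is allowed; each of the others fails exactly one of the checks, which is the "contain risk" property: a stale scan, a missing second factor or an unknown device blocks that single entity without affecting the rest. The `seen` set is the visibility benefit in miniature, since the decision point observes every device that asks for access, managed or not. In a real deployment this logic sits in front of the firewall rules, cloud network policies or application gateways the article mentions, and the posture records come from a device-management or endpoint-security feed rather than a hard-coded dictionary.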
The benefits of working with an experienced partner
As you work toward achieving zero trust within your IT infrastructure, you can benefit from working with an experienced partner. Verizon can share actionable insights from its 2023 Data Breach Investigations Report (DBIR), which analyzed 16,312 security incidents, 5,199 of which were confirmed breaches, and which helps guide organizations of all sizes in implementing robust cyber security policies and solutions to better respond to threats.
From core infrastructure components like servers to devices at the network edge to mobile devices and home networking equipment remote employees use, Verizon can help secure layers and facets of your network to help your business contain cyber risks. Learn more about how Verizon can help assess your cybersecurity risks and provide solutions that can help protect your organization.
The author of this content is a paid contributor for Verizon.