Zero-Trust: A New Buzzword That Ought to Stick

It has been a couple of weeks since RSA Conference, so I thought I would share some observations on the cybersecurity industry in general and what I believe needs to be employed into every enterprise that has crown jewels…or at least important customer and corporate data or critical industrial control systems.

At RSA, I was fortunate enough to visit some cybersecurity technology vendors who claimed their next-generation AI data-driven threat intelligence platform would combine endpoint protection with deep learning behavioral and network analytics in a zero-trust model in order to realize an actionable real-time reduction in risk.

That’s right, I went to all 37,455 booths!

Kidding aside, CISO and other buyers of security technology must contend with a dizzying array of technologies and buzzwords popping up over the last several years in the Cybersecurity Industry. One of the newer entries becoming UBER popular is “Zero-Trust.” This term essentially means enforcing least privilege and never trusting, always verifying. This means all users should use strong authentication (2FA), have granular authorization to a system or application, and should always monitor system access.

The employment of Zero-Trust may sound draconian at first, but this concept forces strategic thinking into the equation of how to mitigate risks. It additionally has the potential to eliminate many duplicative data-driven reactive technologies, as well as many of the current buzzwords, or at least make them just a subset of Zero-Trust. This is a huge bonus, since true employment of this principle and methodology would actually radically reduce risk across every organization.

The best analogy I can think of today of a Zero-Trust model being used is your local bank. Banks employ “Zero-Trust” every day in their branches.  Why? Because they are protecting a really important asset: cold hard cash. A bank employs debit card and pin numbers (2FA Authentication) and users are only authorized to access cash in their account (granular authorization). You also have to have a special key to get into a deposit box in a vault (application micro-segmentation). Every time you access cash, there is a transaction ID and other details (session logging). There is also a security guard and video cameras (continuous monitoring and recording of access). Sure, there will still be a few bank robbers willing to take the risk – but most will be deterred because of Zero-Trust.

In the first few years of this century, we had desktops and laptops with anti-virus, a corporate firewall, and maybe an intrusion detection system at the perimeter, and we were reducing corporate risk.  Zero-Trust wasn’t as important because there were only a few bank robbers and millions of organizations. This was the old world.

Today, the world is hyper-connected. We now communicate data more over mobile devices than with laptops or desktops. We have an internet of things both at home and in our workplace that communicate on their own. Piling on more analysis to all of this communication to find threats with a limited talent pool dissecting this data is, at best, arduous and, at worst, entirely fruitless. We also now have millions of “bank robbers” because they know most organizations are not employing a Zero-Trust model.

We must build a better foundation of security where we are not drowning in data to be analyzed and buzzwords to be digested. Zero-Trust is the foundational model that every organization trading in data or systems protection needs to employ.