By Jimmy Nilsson
A conversation about cybersecurity today becomes, more often than not, a conversation about zero trust. Driving this trend are the many challenges involved in adjusting to our new normal, from an increasingly decentralized workforce to the growing threat of data breaches.
But while zero trust might seem like just another buzzword, when the strategy is implemented correctly, it can arm your enterprise with a superlative defensive strategy—providing risk-based, adaptive protection throughout your operation. Also known as “deny by default” or “never trust, always verify,” zero trust considers all traffic as untrusted.
Beyond the obvious benefits of such an approach, such as reduced cyberattack risk, better-protected data, improved compliance, and the like, zero trust has the potential to change and improve the way your enterprise approaches security as a whole. It can also unlock new business and revenue opportunities.
Currently, there is wide implementation of zero trust models happening in both government and industry—as well as broad intent to adopt. General acceptance of zero trust as a new leading practice stems from the understanding that breaches are inevitable, a matter of when-not-if.
The reasons for the widespread embrace of zero trust are no mystery. Zero trust is a powerful model to help prevent financial loss. We’re all aware of how costly even one breach is, with average costs totaling $9.4 million in the U.S. and $4.4 million globally in 2022 alone.[1]
Kyndryl believes that, if done right, zero trust can help enterprises improve cybersecurity, user experience, and productivity, while also reducing risk of damage and losses. There are three key ideas that any enterprise should keep in mind when it comes to zero trust.
1. Change your perspective
The best place to start is by clarifying for all stakeholders involved what zero trust isn’t. It is not, for example, a fixed policy or product. And it’s not a tool dedicated to positioning a tech stack. Technology solutions, in fact, are just one slice of the zero-trust pie.
What zero trust is, is a shift in mindset. Historically, security operations have been heavily siloed—with one department in charge of identity verification, another endpoint security, another firewall, and so forth. Zero trust, though, is an enterprise-wide model, spreading across five pillars:
For a zero trust policy to work, the departments that handle these pillars must come together, spinning a cohesive and collaborative web of defense. While over the years we may have perfected the approach for siloed, defense-in-depth security architectures, zero trust now calls for a pivot to interconnected, defense-in-depth security architectures.
To make the shift, we need to take a close look at:
- How we approach security
- How we invest in security
- How we execute a collaborative approach across the five pillars of zero trust
Remote access example
Let’s look at remote access as a use case. It’s a Monday morning and a remote employee is logging into their New York-based employer’s network from their kitchen table in Denver. Once logged in, their first task of the day is to take a look at files in a folder stored on their organization’s cloud.
In a traditional perimeter system, the employee’s location or a simple two-factor authentication is often enough to gain entry—and significant access—to the company’s network. As this employee is not in the office, they might be asked to perform a simple two-factor authentication instead of location-based verification.
The problem is, if another log-in attempt is made using those same credentials just an hour later, in Dublin, Ireland, access could still be granted—as long as the conditions of the two-factor authentication are accurately replicated. But with zero trust, access would not automatically be granted.
How zero trust would improve the scenario
With zero trust, each remote access attempt is analyzed far beyond mere location or login. The zero trust model calls for various defense technologies to be designed and implemented in tandem across those security pillars, in order to make decisions not based on a static security policy, but rather on information from as many sources as possible.
In the remote access example, as the employee clicks through their login and navigates to a specific folder, zero trust architecture might kick off by analyzing the employee’s identity, as well as the security of their device. Zero trust architecture asks:
- Is this a corporate device?
- Has it been patched?
- Does it have the right security controls, from an identity perspective?
- Has this identity been used elsewhere at the same or a recent time?
- How can it leverage data analytics to analyze whether or not this user’s traffic is typical?
This zero trust ecosystem will also scrutinize the workload itself:
- Does the resource that the user is trying to access have any known vulnerabilities?
- If a threat is indeed detected, how is the system programmed to respond?
- Should traffic be shut down entirely or can access simply be reduced, without risking that the threat spreads?
Even if an active threat isn’t detected, zero trust demands continued vigilance. It asks: Are there any widespread security threats that the organization should be aware of and watch out for? And on top of this: are all these processes compliant with the latest industry requirements and regulations?
Only after all of these questions—across all of the security pillars—have been asked and verified by the technology and processes in place, does the employee gain access to the file they need. That is zero trust in action.
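To make the decision flow described above concrete, here is an added illustration (not Kyndryl's code and not part of the original article): a toy policy decision point in Python that evaluates every request against identity, device posture, an impossible-travel check on the Denver-to-Dublin sign-ins, and the vulnerability state of the workload, returning a full grant, reduced access, or a denial. The 1,000 km/h travel ceiling, the approximate city coordinates, and the field names are assumptions made for this example.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Assumed ceiling for plausible travel between two sign-ins; anything faster is "impossible travel".
MAX_TRAVEL_KMH = 1000.0

@dataclass
class AccessRequest:
    user: str
    corporate_device: bool
    patched: bool
    mfa_passed: bool
    lat: float
    lon: float
    hour: float                # sign-in time, in hours since an arbitrary epoch
    resource_vulnerable: bool  # target workload carries a known, unremediated vulnerability

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

class PolicyEngine:
    """Policy decision point: every request is re-evaluated against all signals, never trusted by default."""
    def __init__(self):
        self.last_seen = {}  # user -> (lat, lon, hour) of the last accepted sign-in

    def decide(self, req):
        if not req.mfa_passed or not req.corporate_device:
            return "DENY"            # identity and device signals are both mandatory
        prev = self.last_seen.get(req.user)
        if prev is not None:
            km = distance_km(prev[0], prev[1], req.lat, req.lon)
            hours = max(req.hour - prev[2], 1e-6)
            if km / hours > MAX_TRAVEL_KMH:
                return "DENY"        # same identity used elsewhere too recently to be plausible
        self.last_seen[req.user] = (req.lat, req.lon, req.hour)
        if not req.patched or req.resource_vulnerable:
            return "READ_ONLY"       # reduce access rather than shut the session down
        return "ALLOW"

def remote_access_scenario():
    """Constructed replay of the article's scenario: Denver at 09:00, same credentials from Dublin an hour later."""
    engine = PolicyEngine()
    denver = AccessRequest("employee", True, True, True, 39.74, -104.99, 9.0, False)
    dublin = AccessRequest("employee", True, True, True, 53.35, -6.26, 10.0, False)
    return engine.decide(denver), engine.decide(dublin)
```

In a real deployment the travel check would be one of many risk signals feeding an adaptive score rather than a hard cut-off, and the engine would log the denied Dublin attempt for the security operations team to investigate.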
2. Approach zero trust in phases
At the risk of sounding harsh, we think that enterprises which jump headfirst into company-wide zero trust strategies are destined to fail. Zero trust model implementation should be an ongoing process, approached in phases. That makes the optimal place to start with zero trust implementation different for every enterprise.
Process-wise, however, the first step remains the same: determine your priorities. Establish what matters most to your company from a risk perspective. This is a key and fundamental starting point for any successful zero trust strategy.
For example, is your enterprise on the verge of a major tech transformation? Do you have an IT system full of critical business processes and sensitive data that may be vulnerable to a breach? Then apply that insight and enjoy the quick wins. From there, you can build momentum and continue to develop a tailored roll-out plan that makes sense for your enterprise alone.
Zero trust is a process with no real end point. Implementation is a question of years, not months, so it is important to remain focused on the real, tangible benefits of this strategy. That is also why we encourage our customers to take advantage of new business opportunities.
3. Embrace new business opportunities
Once you’ve helped your enterprise understand zero trust and initiated a strategic implementation approach, the hardest parts are over. Now, it’s time to enjoy what this strategy has to offer.
First and foremost, zero trust opens new opportunities. It enables your team to conduct business in new, more secure ways and futureproof operations to better protect against increasingly sophisticated hacking methods.
Here’s an example: edge computing. Many enterprises have adopted edge solutions to develop new revenue streams across their business. Due to the nature of edge, however, data is becoming more decentralized than ever. This is exciting, as it creates chances to build novel, innovative solutions. But it also requires a new approach to security. This is where zero trust comes in.
By applying broader controls and verification processes, zero trust enables distributed workforces, and their distributed computing systems, to do work with sensitive data from wherever they are, more efficiently and more securely.
Jimmy Nilsson is the Managing Director and Global Domain Lead for Zero Trust, Kyndryl Consult.