Simplifying Zero Trust
Q&A with Jay Hira
1. What is Zero Trust and how does it transform the conventional approaches to cyber security?
Once upon a time, in the world of cyber security, we relied on an approach where the trust in a user was determined whether they were inside or outside the perimeter. It was like having a big, strong front door with a lock. If you were outside, you couldn’t get in unless you had a key or knew someone who’d let you in, but once you got in, you had free access to roam around.
Then, in 2004, at the Jericho Forum, some brilliant minds came together with the concept of deperimterisation, challenging the notion of relying on this big strong, front door with a lock and realising the need to strengthen every room inside the house or at least those that needed the protection.
Fast forward to today, and we have Zero Trust, a strategy that enforces the foundational principles of:
- Removing default trust in a network, a user or a device and relying on authentication and authorisation at every step. It’s like having a vigilant security guard at each room, asking for identification and validating before granting access.
- Prioritising business first and aligning security initiatives that deliver business value. Zero Trust isn’t just about locking things down. It is about empowering the business to thrive safely.
- Adopting assumed breach posture and planning for capabilities to detect, respond to, and recover from a breach. It’s like having smoke alarms, fire suppressants and emergency exits to be prepared for a worst-case scenario.
- Adopting Zero Trust as an incremental strategy that shifts the dial from unreserved trust to Zero Trust. It’s like gradually upgrading our home security system, one step at a time, to ensure maximum protection.
- Reducing reliance on the perimeter to limit the movement of an intruder from moving around freely in the house to cause damage.
2. Why should business leaders adopt Zero trust?
Most businesses still heavily rely on the castle-and-moat approach to security. It was reasonable at the time it was created to think that systems could be completely sealed off from external threats coming from untrusted networks. Our modern businesses have a mix of applications running on-prem, in a private data centre, public clouds and SaaS solutions. Courtesy of the cloud, and the shift to remote workforce, the perimeter has disappeared.
Zero Trust shifts the focus from securing the perimeter to securing what needs greater protection and removes any implicit trust. Zero Trust mitigates insider threats and reduces the attack surface through the implementation of micro-segmentation and conditional access controls, limiting the lateral movement for a potential attacker. It is not just another buzzword and a fundamentally different approach to cyber security that business leaders need to embrace.
3. In terms of the general public hooked on technology, how does Zero Trust influence them?
For the general public hooked on technology, Zero Trust plays a significant but often unnoticed role in enhancing their digital safety and privacy. Behind the scenes, Zero trust measures work diligently to protect users’ online experiences, particularly during sensitive transactions such as online banking and shopping.
With Zero Trust measures in place, users can trust that their identity is verified and their financial information is secure, reducing the risk of fraud and identity theft.
4. How do business start their Zero Trust adoption journeys?
- Educate and Familiarise: Start by building an understanding of the different school of thoughts on Zero Trust and the core tenets. Educate key stakeholders about its core principles and focus on authentication and authorisation at every step, removing implicit trust, aligning security initiatives with business value, adopting assumed breach and thinking of Zero Trust as an incremental strategy.
- Assess Business Needs and Risks: Conduct a comprehensive evaluation of your oragnisations business needs, risk profile, risk appetite, current state of cyber capability maturity across key pillars of data, user, device, network and workloads and the overall capabilities to detect, respond and recover.
- Develop a Clear Strategy and Take an Incremental Approach: It’s important to measure the current and have a clear view of the desired future state in order to develop a Zero Trust strategy, roadmap and investment priorities. Outline objectives, key milestones, measure of success, and timelines for implementation. Take an incremental approach. Start with small steps, developing foundational capabilities to build confidence in new strategy.
Zero Trust is an aspirational state and rather than an all-or-nothing approach. By gradually shifting the dial from unreserved trust to Zero Trust and continuously enabling business, organisation can improve productivity and bolster their cyber security posture.
About Jay Hira
Jay Hira is a Founder and Executive Director of MakeCyberSimple and a leading voice in Cyber Security, advocating fresh approaches, greater inclusion and diversity, and a Zero Trust mindset across the industry.
With more than 17 years of experience at the forefront of the international cyber security industry, Jay has helped many businesses protect their valuable data, enhance cyber resilience, gain customer trust, and enable growth. Jay is dedicated to raising awareness about cyber security, as he firmly believes that everyone has the right to be safe online.
https://www.linkedin.com/in/jayhira/