Executive Commentary: Changes Both Compel and Restrict Zero Trust

Make no mistake: zero trust represents a cultural shift from today’s approach. It will change the way information is secured and the way users access it. Yet, it also must be applied in ways that do not prevent the secured data from being effectively exploited by its users.

The president has issued an executive order to implement the necessary security to stay ahead of our adversaries. But ultimately, the challenge of zero trust is less one of technology and architecture and more one of integration into the operation and workflows. The key to a successful zero-trust implementation is to secure the data that people need to use while simultaneously enabling them to access it.

Zero trust is vitally important because the way we do things in the digital world is changing. We are moving to the cloud and doing business differently to improve productivity and increase access to data in this digitized world, and users can no longer be tied to network-centric protections. This requires a datacentric approach rather than a network-centric approach to security control, and it will be in a much more dynamic environment entailing users, applications, data and devices.

And the need for effective security is growing in the face of more persistent and sophisticated threat actors around the world. We have arrived at the point where it is not if, but when, you’re going to be attacked. No one can afford to be complacent about security for their networks and data.

Instead of a perimeter-based network protection, systems need defense in depth to stay ahead of adversaries. Along with defense, security must minimize the impact of a cyber attack and increase resiliency after an attack.

Above all, zero trust is not only about a technical solution. It’s about taking technical capabilities—those that constitute zero-trust principles—and applying them to the network in a way that enhances and achieves the purpose of the organization supported by the network. Zero trust must serve the organization’s needs in ways that provide security but do not hinder the network from carrying out its users’ mission. In the same vein, a cyber workforce must be trained to understand, manage and use those principles effectively.

We’re in a race to apply zero trust against the rapidly evolving threat. The technology largely exists, but now we have to bring it to the cyber frontier—the edge. The development of the Internet of Things (IoT) is going to accelerate, especially with the advent of 5G connectivity, and this will bring hordes of devices that will need to be secured to the edge. The cloud will enable users to access information from almost anywhere, but that anywhere must be secured at the user’s point of entry. With information moving both ways between the cloud and the edge, the data itself must be secured and protected. User identity and device compliance will be critical for access from outside the network.

Operationalizing zero trust will be complicated, and most of the people who have limited familiarity with it do not fully grasp just how complicated it is. That lack of understanding is an impediment to successful zero trust implementation, as people must adapt to a new reality manifested as entirely new security procedures. Unfortunately, our adversaries fully understand the need for zero trust and are striving to exploit any openings that may exist in cybersecurity.

There is no single architecture for zero trust, and it need not be implemented all at once. But a key to successful zero trust will be to combine technical capabilities with workforce commitment and network operational procedures to support the required workflows.

There are going to be costs as we continue to operate and leverage cyberspace in all corners of society. Large investments are being made in the cyber realm, but those must be balanced against securing information. It may seem to be an unending cost, but that is the nature of cybersecurity against a rapidly evolving threat.

Ronald Reagan used to quote an old Russian proverb to Soviet leader Mikhail Gorbachev: “Trust, but verify.” Zero trust says, “Don’t trust anything, but verify everything.” Being able to secure network data effectively while still allowing authorized users the access to the data they need is the dichotomy that must be reconciled. That will be the operational aspect that ensures that all the goals and capabilities of zero trust are in harmonious balance.