Shifting your business to zero trust is a vital cybersecurity milestone. But unless you have a clear picture of your architecture, it's an empty gesture.
If you've been paying any attention to the news, then you already know that the pandemic...hasn't exactly been great from a cybersecurity perspective. We're going to avoid going into too many details, but suffice it to say that the forcible kick COVID-19 gave to digital transformation has created its fair share of security issues. Although perhaps it would be more accurate to say that it exacerbated the problems that were already there.
To be blunt, most of these incidents are the direct result of businesses not treating cybersecurity with its due care. Either they think that their security budget can be a secondary consideration after their bottom line, or they're simply throwing money at the problem in hopes that it will go away. That's assuming, of course, that they're thinking about it at all.
The thing that's missing for many of these businesses — the thing that even self-proclaimed security-conscious organizations get wrong — is that cybersecurity isn't just about access control, threat detection, and network monitoring. Processes and policies are every bit as important as the technology that supports them, perhaps more so. And there's one particularly compelling policy that's been gaining ground over the past decade.
The idea behind zero trust is relatively straightforward. Simply put, there is no such thing as a trustworthy device or user. Anyone trying to connect to corporate systems must undergo a verification process no matter who they are.
And if they fail that verification, well, too bad. The network doesn't know who they are, so they aren't given access. If you think that sounds inconvenient, it's not — a zero trust framework can easily be combined with single-sign-on to ensure that it's not too disruptive to workflows.
Sounds compelling, doesn't it?
Before you rush out and start planning an architecture, culture, and policy shift, however, there's one thing that must be accounted for - your assets. You cannot implement an effective zero-trust strategy without understanding them thoroughly.
Per cybersecurity firm Axonius, there are a few reasons for this.
- Distinguishing between managed and unmanaged devices.
- Determining what devices and endpoints lack proper security.
- Knowing the key cybersecurity stakeholders in your business.
- Charting out how you can connect your existing IT and security solutions to the new framework.
- Understanding where critical assets are stored, how they're stored, and who has access to them.
- Having a complete picture of your business's ecosystem, including both internal computing infrastructure and distributed staff.
- Knowing basic usage patterns, habits, and responsibilities of your business's people.
At the end of the day, zero trust is like any security policy or framework. You can't leverage it half-cocked. You need to deliberately and carefully plan out every facet of its deployment, including and especially how it fits into your existing infrastructure.