From The White House to your business: The countdown is on to zero trust
The countdown is on. Following orders by The White House, civilian government agencies have a little over a year to establish and implement zero trust cybersecurity. The threat environment is evolving too quickly, the government notes, to rely on outdated defenses.
And the public sector is already heeding the cybersecurity call. Roughly two-thirds of American government agencies are confident of meeting the zero trust requirement by the deadline of September 2024.
The public sector is leading the way and the private sector would be foolish not to follow. Especially as cyber threats like ransomware grow nearly 40 percent year-over-year, businesses too should look to zero trust and its network scrutiny. Here’s how.
The hype surrounding zero trust
New digital contexts demand new cybersecurity postures. In the years before remote work, most businesses were sufficiently protected by perimeter-based security, an ethos that trusts everything within an organization's borders. But as threats evolve, and devices and workers connect from new locations, so must defenses.
Enter zero trust. This modern approach rigorously examines every entry attempt rather than simply fortifying perimeters like medieval castles. For example, continuous verification analyzes users and devices before granting access, bolstering protection with multifactor authentication and further limiting access based on the principle of least privilege. Real-time monitoring also provides the dual benefit of instant threat insights and swift risk mitigation.
For businesses dealing with human errors, personal devices, and third-party apps, zero trust goes a long way to closing network gaps. Breaches are less likely thanks to network segmentation and stringent authentication. Meanwhile, zero trust adapts to dynamic remote and hybrid setups by verifying identities, managing access, and overseeing ongoing activity. This multi-pronged approach makes it possible to provide secure resource access regardless of location or device.
Setting the network foundations
Secure network access is the holy grail for dispersed organizations today -- especially as the average data breach costs more than $4 million. Implementing zero trust, while an investment, is a fraction of this figure. Moreover, it not only protects your data but also your reputation.
The good news is that zero trust is achievable with the right approach. First, cybersecurity leaders must understand the scope and size of their business network. Begin with a thorough inventory of your data to identify categories, locations, and associated risks. A good tip is to categorize by sensitivity and importance. This sets the stage for tight access controls and data-centric security.
Likewise, before making any sweeping security changes, assess current practices. Look for strengths and weaknesses in your current approach to authentication, access management, network segmentation, data loss prevention, and endpoint security. Only then can you understand what is and isn’t working.
In the same way, be sure to bring your workforce along for the ride. Prioritize data security within your team by training employees on its value, zero trust concepts, and their roles. This is particularly important since remote workers are regularly connecting to the business network from different endpoints and connections. Additionally, research shows that human error is the cause of nine out of 10 data breaches.
Protecting your assets with zero trust tools
With a comprehensive grasp of your network, the next step is to implement the appropriate tools. Start with the adoption of identity and access management (IAM) solutions. IAM tools employ authentication methods such as single-sign-on or multi-factor authentication to verify identity. Together, these mechanisms establish a system that operates on a foundation of mistrust, permitting access only after rigorous identity confirmation.
Taken a step further, preference tools with public key infrastructure (PKI). This authentication approach employs cryptographic keys instead of usernames and passwords. Cryptographic keys are extremely resistant to brute force attacks, akin to long, random passwords that require no user memory. Better yet, in the case of connected devices, these keys guarantee confidential end-to-end communication.
Network segmentation is also critical in adopting zero trust. By employing technologies such as firewalls, virtual local area networks and software-defined networking, segmentation establishes distinct security zones. The idea is to mitigate lateral movement in the event of a breach. Additionally, cybersecurity leaders can consider micro-segmentation, which enforces precise access controls at the application level to further strengthen network security.
Finally, don’t look past the value of low-code tools. Almost all (99 percent) of federal agencies adopting zero trust in this survey cited the benefits of low-code automation platforms, including the ability to address all security automation requirements while relying less on coding skills. This matters today since cybersecurity teams are expected to do more with less. Thanks to a skills shortage, one-third (35 percent) of federal agencies believe they will never have a fully staffed security team with the proper skills. Keeping things low code, therefore, makes implementation easier and more efficient.
Stay one step ahead of hackers
Zero trust is here to stay. The White House’s decision underscores the need for adaptable defenses in the face of evolving threats. With government agencies already preparing, the private sector must review its cybersecurity to stay one step ahead of hackers. For a smooth zero trust transition, understand your network, engage your team and adopt the right tools.
After all: if zero trust is good enough for the government, it’s good enough for your business.
Image credit: Olivier26/depositphotos.com
Carsten Rhod Gregersen is Founder and CEO of Nabto.