Zero Trust: Cutting Through the Spin
CISOs are increasingly implementing zero-trust initiatives as they modernize their security architecture – but how much of zero trust is marketing spin?
The term ‘zero trust’ was coined by Forrester Research back in 2010. Defined by the maxim ‘never trust, always verify’, zero trust has become especially relevant in the age of digital transformation as organizations move away from a ‘walled garden’ approach to network security.
However, the term has also become an eye-roll-inducing marketing buzzword for many CISOs – used to sell a raft of solutions all under the banner of zero trust.
In this episode of the Business of InfoSec Podcast, we sat down with Mark Osborne, CISO at financial services firm JaJa Finance, at the recent CISO London conference to cut through the spin and discover the essential core of zero trust.
“Quite often in the security industry, we are victims of a marketing machine. They generate demand for things that we didn't know we needed, and it turns out eventually that we don't need them,” Osborne quips. “The zero-trust network is a little bit different.”
Why Zero Trust?
Regardless of the marketing spin around the term, zero-trust principles are increasingly relevant to CISOs due to the dispersed nature of modern networks and the accelerating use of cloud-enabled technologies.
“Many businesses are making more money from their digital channels, so there's more focus on protecting that,” Osborne observes. “If you have good authentication and good trust policies, you'll be fine. And people know that – that's why they're buying zero trust.”
He continues: “The COVID situation made it clear that many of the larger traditional organizations were unprepared for a mobile workforce. They relied on the internal network and therefore suffered because their devices and their workforces weren't secure outside the perimeter.”
However, Osborne is quick to point out that zero-trust solutions are not a panacea. If there’s a problem with your people or processes, technology won’t fix it.
“I must emphasize that nothing is for free. Let's break this paradigm where we just go out and buy products and then buy another one next year in the hope that it fixes it,” Osborne says. “It's people, processes, then technology.”
Cutting to the Core of Zero Trust
Tools for inline data inspection, application performance monitoring, and network and security segmentation are commonly bundled under the banner of zero-trust architecture.
However, Osborne cautions against getting lost in the weeds. Zero trust at its core is all about authentication and authorization.
“I don't think there is much more than authentication and authorization. Those are absolutely key to security,” Osborne says. “These days, everyone needs two-factor or multifactor authentication. If you buy the right product, you will be able to secure all your cloud services and all your internal services with either one or two zero trust products.”
That said, Osborne thinks some adjacent tools do belong under the zero-trust banner. Chief among them is privileged identity management.
“Something that I find amazingly important is privileged identity management,” Osborne concludes. “It seems such a shame to buy a product that manages identities when it can't manage administrative identities. So, look for something there.”
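The two points above, that zero trust reduces to authenticating and authorizing every request and that administrative identities need stronger handling than ordinary ones, can be shown in code. The following is an added example written for this page; it is not code from the podcast, from Osborne, or from JaJa Finance. It assumes an identity provider has already verified the token signature and returned the claims shown, and the claim names (`amr` values, `device_trusted`), the policy table, and the sample requests are all constructed for illustration. It goes slightly beyond the text by also enforcing session freshness and device posture for administrative resources, which is how privileged identities are typically fenced off in practice. The point to notice is that the source IP is carried in the request but never consulted: a request from an "internal" address with only a password is refused, and an admin with a stale session or an untrusted device is refused, regardless of where it came from.

```python
"""Per-request zero-trust authorization: identity and policy, never network location.

Added example for illustration; not from the podcast or from any vendor product.
All claim names, policy values and sample requests are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Claims:
    """Claims from a token whose signature the IdP has already verified (assumed)."""
    sub: str                  # user identity
    amr: Tuple[str, ...]      # authentication methods used, e.g. ("pwd", "otp")
    iat: int                  # issued-at, epoch seconds
    device_trusted: bool      # device posture as attested by MDM (assumed claim)
    roles: Tuple[str, ...] = ()


@dataclass
class Request:
    claims: Optional[Claims]  # None means unauthenticated
    resource: str
    action: str
    source_ip: str            # carried for logging only; never used in the decision
    now: int


# Constructed policy table: resource prefix -> requirements.
# Administrative paths demand a second factor, a fresh session and a trusted device.
POLICY = {
    "/admin/":  dict(role="admin", mfa=True,  max_age=15 * 60, device=True),
    "/api/":    dict(role="user",  mfa=True,  max_age=8 * 3600, device=False),
    "/public/": dict(role=None,    mfa=False, max_age=None,     device=False),
}

# Assumed 'amr' values that count as a second factor.
MFA_METHODS = {"otp", "hwk", "webauthn"}


def match_policy(resource: str):
    """Longest-prefix lookup is not needed here; first matching prefix wins."""
    for prefix, rule in POLICY.items():
        if resource.startswith(prefix):
            return rule
    return None  # default deny for anything without an explicit policy


def authorize(req: Request) -> Tuple[bool, str]:
    """Decide one request. Returns (allowed, reason). Checks are ordered so the
    cheapest, most common refusals come first; source_ip is deliberately ignored."""
    rule = match_policy(req.resource)
    if rule is None:
        return False, "no policy for resource"
    if rule["role"] is None:
        return True, "public"
    c = req.claims
    if c is None:
        return False, "unauthenticated"
    if rule["role"] not in c.roles:
        return False, "insufficient role"
    if rule["mfa"] and not (set(c.amr) & MFA_METHODS):
        return False, "mfa required"
    if req.now - c.iat > rule["max_age"]:
        return False, "reauthentication required"
    if rule["device"] and not c.device_trusted:
        return False, "untrusted device"
    return True, "ok"


NOW = 1_700_000_000  # fixed clock so the example is deterministic


def demo():
    """Constructed requests covering each decision branch; returns {label: (allowed, reason)}."""
    pwd_only = Claims("alice", ("pwd",), NOW - 60, True, ("user",))
    user_mfa = Claims("alice", ("pwd", "otp"), NOW - 60, False, ("user",))
    admin_fresh = Claims("bob", ("pwd", "hwk"), NOW - 5 * 60, True, ("user", "admin"))
    admin_stale = Claims("bob", ("pwd", "hwk"), NOW - 60 * 60, True, ("user", "admin"))
    admin_byod = Claims("bob", ("pwd", "hwk"), NOW - 5 * 60, False, ("user", "admin"))
    cases = {
        "internal ip, password only -> /api/":   Request(pwd_only, "/api/accounts", "read", "10.0.0.5", NOW),
        "external ip, mfa -> /api/":             Request(user_mfa, "/api/accounts", "read", "203.0.113.9", NOW),
        "admin fresh, trusted device -> /admin/": Request(admin_fresh, "/admin/users", "write", "203.0.113.9", NOW),
        "admin stale session -> /admin/":        Request(admin_stale, "/admin/users", "write", "10.0.0.5", NOW),
        "admin untrusted device -> /admin/":     Request(admin_byod, "/admin/users", "write", "10.0.0.5", NOW),
        "user role -> /admin/":                  Request(user_mfa, "/admin/users", "read", "10.0.0.5", NOW),
        "anonymous -> /public/":                 Request(None, "/public/status", "read", "198.51.100.1", NOW),
        "anonymous -> unknown path":             Request(None, "/internal/debug", "read", "10.0.0.5", NOW),
    }
    return {label: authorize(r) for label, r in cases.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label:45} {reason}")
```

The ordering of checks matters for what the caller learns: role is evaluated before the MFA and device checks so that a plain user probing `/admin/` is told "insufficient role" rather than being coached on which step-up would get them further. In a real deployment the policy table would come from the identity provider or a policy engine rather than a module constant, and the token signature and device attestation would be verified before `authorize` is ever reached.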
Key Findings
Zero trust is more relevant than ever. Dispersed networks and cloud adoption have made zero trust an essential part of modern network security.
Focus on core principles. While zero trust has many adjacent technologies, focus on the core aspects of authentication and authorization.
Don’t look for a quick fix. If you had a problem with your people or processes before implementing zero trust, you will likely still have that problem after implementing zero trust.