Any device or network architecture can be breached, that’s true. So we shouldn’t trust any user or system. This simple but trenchant assumption is feeding ‘zero trust’, a newly hyped concept in cybersecurity and a ‘very fashionable term’ in the tech world, as the UK’s National Cyber Security Centre defined it.
Widespread digitalization, new hybrid workforces and collaboration models, and the growing sophistication of cybercrime have created the conditions for a more restrictive vision of data and infrastructure protection. While the EU is shaping its Cybersecurity Strategy, the US is already moving toward zero trust after President Biden’s “Executive Order on Improving the Nation’s Cybersecurity.” Released last May, the order basically pushes federal agencies to implement zero trust architectures and prepare for future enhancements. Updated guidance was released last week, and agencies have been given specific security goals to achieve by September 2024.
If asked to summarize what zero trust is about, we might say “Never trust, always verify”. The idea is to remove inherent trust from the network, and not to trust devices by default just because they are inside the perimeter of a firewall or VPN. A zero-trust architecture should verify everyone and everything, using granular techniques to permit only necessary network access and transactions.
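The contrast described above, as an added example that is not part of the original article: the same requests evaluated by a perimeter rule and by a default-deny, per-request check. The attribute names, the `10.0.0.0/8` internal range and the entitlement table are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal range and entitlements, constructed for this example.
INTERNAL_NET = ip_network("10.0.0.0/8")
ENTITLEMENTS = {
    ("alice", "payroll-db"): {"read"},
    ("bob", "wiki"): {"read", "write"},
}

@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    mfa_verified: bool       # identity proven for this session
    device_compliant: bool   # managed, patched device (posture check)
    resource: str
    action: str

def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything inside the firewall/VPN range is trusted."""
    return ip_address(req.source_ip) in INTERNAL_NET

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Default deny; network location is never an input to the decision."""
    if not req.mfa_verified:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device not compliant"
    allowed = ENTITLEMENTS.get((req.user, req.resource), set())
    if req.action not in allowed:
        return False, "no entitlement for this action"
    return True, "verified and entitled"

# Constructed sample requests.
SAMPLES = [
    Request("alice", "10.1.2.3", True, True, "payroll-db", "read"),
    Request("alice", "10.1.2.3", True, True, "payroll-db", "write"),
    Request("bob", "10.9.9.9", False, True, "wiki", "write"),
    Request("bob", "203.0.113.7", True, True, "wiki", "write"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.source_ip, r.resource, r.action,
              "| perimeter:", perimeter_decision(r),
              "| zero trust:", zero_trust_decision(r))
```

The second and third samples are the ones the perimeter rule lets through purely on source address; the fourth shows that an off-network request can still be permitted once identity, device and entitlement are verified.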
The migration to this network design could be expensive and somewhat disruptive for most organizations, and it could take years to complete because of the extent of the changes to be implemented.
Zero trust supporters highlight that this strict model allows the organization to minimize cyberattack risks, define stronger authentication and authorization policies, reduce the network overhead, and react more quickly in case something gets compromised.
However, we need to remember that 100 percent cybersecurity is an impossible goal, unless we fully give up on innovation and digital transformation. So zero trust architectures or solutions can’t be taken as the ‘silver bullet’ answer to solve everything.
Some analysts recommend a pragmatic approach, starting with an accurate assessment of actual vulnerabilities. Which network elements actually require zero trust protection? Which data, transactions, or applications need to be locked down with the utmost level of security? This kind of analysis could lead to the decision to shift to zero trust only for the most critical assets and to adopt more proactive and systematic cybersecurity measures without adding unnecessary complexity.