The video technology hub | Pexip

The role of trust in cybersecurity principles is to have none

Written by Pexip | Oct 24, 2023 12:08:42 PM

Talking about "zero trust" as a business leader may be counterintuitive. After all, most of us are trying to establish trust. Gartner's zero-trust report, however, recommends having none of it.

 

Most business leaders will likely emphasize trust as a fundamental pillar of any organization. A trusting environment is widely praised for having more streamlined decision-making, higher adaptability, and lower stress levels. Some argue that trust promotes ethical behavior and binds the organization together. 
 
In this context, "zero trust" almost seems at odds with several positive traits in the workplace. However, according to a recent Gartner report, the zero-trust security paradigm is winning ground in cybersecurity and IT systems.

 

The consultancy draws on data from Verizon's 2022 Data Breach Investigations Report and a slew of legal recommendations and strategies from US authorities to argue that zero trust limits organizations' exposure to current cyber threats.

 

 

What is zero trust? 

 

Zero trust is not a product or technology but rather a paradigm or approach to security applied in IT systems. It is based on the principle of "never trust, always verify," regardless of whether a user or system is inside or outside the network perimeter.

 

Zero trust mandates that each access request is validated and authenticated before access is granted, which helps ensure a higher level of security across digital environments. 

 

 

Cybersecurity principles: from perimeter security to locking every door 

 

Conventional security systems focus on securing your organization's perimeter and letting everyone on the inside have more or less implicit access to anything they want.

 

Under a zero-trust paradigm, however, your perimeter is not the only thing that is heavily guarded—the same access rules and verifications apply to any actions you take on the inside. This means that access to subsystems or content anywhere else in the system is denied by default. 
 
Cumbersome and not user-friendly, you say?

 

If a zero-trust strategy is implemented haphazardly, moving from "implicit access" to "default deny" can impact efficiency and innovation.  

 

 

3 key recommendations for implementing zero trust principles

 

 

1. Start with a risk-based approach:

Gartner recommends selecting specific use cases where zero trust will be applied first, with a risk-based approach. Depending on your business, you may want to limit the exposure of your applications and services, restrict the lateral movement of malware, or take actions that might help isolate specific attacks. 

 

2. Audit your existing access management systems:

It is important to map and fully understand the current capabilities of your existing identity and access management technologies before investing in new zero-trust technologies. 

 

3. Plan how to address organizational resistance:

You need to plan to address organizational resistance. Nobody likes to have privileges removed, even if this includes access privileges to content that is not used by or relevant for the people of the teams they have been extended to. Moving to a zero-trust paradigm is something the entire organization needs to do together, and investing in creating solid understanding—both for the "why" and the "how"—is crucial. 

 

As with all changes that have an organization-wide impact, it is essential to emphasize manageability, consider the scope of deployment and the potential adverse impact on user experience. A zero trust strategy implementation does not need to happen overnight or at the same pace everywhere. But it does need to have a clear roadmap and be clearly communicated – again and again – to employees and leaders.

  

In a volatile, uncertain, complex, and ambiguous world where cyber resilience and robustness have been bumped up the priority list, successful zero trust deployments are likely to give organizations a competitive edge. Having a partner – a client, a vendor, an ecosystem contributor – that trusts no one with your organizational data, is a partner who will also help protect you.