cso spotlight: zero trust

5 steps to create a zero trust security model

A clear plan and willingness to change are critical to successfully moving to a zero trust environment.

security trust

The zero trust approach to enterprise security proposed by analyst firm Forrester Research nearly a decade ago can be challenging to implement. You need a clear understanding of the changes it entails and the impact it can have on the user experience.

The model emphasizes robust user authentication and device validation over network and endpoint security as key to protecting applications and data against new and emergent threats. Instead of having enforcement mechanisms at the network perimeter, zero trust focuses on moving them as close as possible to the actual application or surface that needs to be protected. Users and devices are not automatically trusted simply because they happen to be behind the enterprise perimeter or on a trusted network.

"Zero trust is a thought process and approach about how to create your organization's cyber security posture," says Steve Dyer, CTO of Respond Software. "Conceptually, it boils down to 'don't trust the network whether inside or outside the perimeter'."

Implementing the model requires thoughtful planning and recognition that zero trust is a journey and not a destination. "Vendors are jumping all over zero trust as the next big thing they can hang their existing platforms on," Dyer notes.

In reality a lot of what's involved in implementing the model is boring, unglamorous work to create and maintain policy around data access and authorizing access to applications that read and write that data. "There are no silver bullets. The heavy lift will be on the internal teams since they understand the business drivers and core assets," says Dyer.

Here are some of the key steps that Dyer and others believe are necessary for organizations to take when starting on the road to zero trust.

To continue reading this article register now

7 hot cybersecurity trends (and 2 going cold)