Zero trust is not a product, but a security methodology based on defense-in-depth and least-privileged access concepts.

It seems as if everyone is playing “buzzword bingo” when it comes to zero trust and its implementation, and it starts with government guidance. The White House’s comments in January on the Office of Management and Budget’s (OMB’s) Federal Zero Trust Strategy for all federal agencies and departments were both pragmatic and aspirational. Their observation, citing the Log4j vulnerability as an example, sums it up nicely: “The zero-trust strategy will enable agencies to more rapidly detect, isolate, and respond to these types of threats.”

For a zero-trust strategy to be successful, however, those implementing it must understand what it is and the basic principles it’s based on.

Is zero trust new?

In a one-on-one discussion on the topic of zero trust at Black Hat, Trellix’s principal engineer and director of vulnerability research, Douglas McKee, noted that the reality is that “defense in depth” and the “principle of least-privileged access” are the nuts and bolts behind the new buzzword, zero trust.

CISOs working with business operations must collaborate and coordinate access to needed information so that colleagues can succeed in their piece of the overall mission. What colleagues don’t need is unencumbered and continuous access to information when it is not necessary. This requires continuous and dynamic monitoring of needs across the corporate ecosystem. When individuals change roles, their needs adjust, and so should their permitted access. When individuals depart, their access must be terminated. Easily said, yet seemingly so difficult to accomplish for so many entities.
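The access lifecycle described above (grant what the role needs, adjust on role change, terminate on departure) is the part of least privilege that most often slips. The following access review, an added example that is not from the article or any vendor quoted in it, reconciles an identity system’s granted permissions against an HR roster and a role-to-entitlement policy. The roster, grants, role names and permission strings are all constructed sample data, and the ROLE_ENTITLEMENTS map is an assumed policy, not any real organization’s; the point is the reconciliation logic, which flags orphaned accounts (departed or unknown users that still hold grants), excess permissions carried over from a previous role, and missing permissions that would block legitimate work.

```python
"""Least-privilege access review: reconcile granted permissions against
role entitlements and employment status.

Added example, not code from the article. All rosters, grants and the
role-to-entitlement policy below are constructed sample data.
"""
from dataclasses import dataclass, field

# Assumed policy: the permissions each role legitimately needs (constructed).
ROLE_ENTITLEMENTS = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance": {"ledger:read", "ledger:write"},
    "support": {"ticket:read", "ticket:write", "crm:read"},
}


@dataclass
class Person:
    user: str
    role: str
    status: str  # "active" or "departed"


@dataclass
class Finding:
    user: str
    kind: str  # "orphaned_account" | "excess_permission" | "missing_permission"
    permissions: set = field(default_factory=set)


# Constructed HR roster: who exists, what role they hold, and whether they are still employed.
SAMPLE_ROSTER = {
    "alice": Person("alice", "engineer", "active"),
    "bob": Person("bob", "support", "active"),    # moved from finance to support
    "carol": Person("carol", "finance", "departed"),
    "erin": Person("erin", "engineer", "active"),
}

# Constructed export from the identity system: what each account can currently do.
SAMPLE_GRANTS = {
    "alice": {"repo:read", "repo:write", "ci:run"},
    "bob": {"ticket:read", "ticket:write", "crm:read", "ledger:write"},  # stale finance grant
    "carol": {"ledger:read", "ledger:write"},                             # departed, never offboarded
    "svc-build": {"repo:read"},                                           # account with no owner in HR
    "erin": {"repo:read"},                                                # under-provisioned
}


def review_access(roster, grants):
    """Compare granted permissions with role entitlements and employment status.

    roster: {user: Person}; grants: {user: set of granted permissions}.
    Returns a list of Finding objects, one per detected deviation.
    """
    findings = []
    for user, perms in grants.items():
        person = roster.get(user)
        # No active person behind the account: every grant on it is a termination failure.
        if person is None or person.status != "active":
            findings.append(Finding(user, "orphaned_account", set(perms)))
            continue
        allowed = ROLE_ENTITLEMENTS.get(person.role, set())
        excess = set(perms) - allowed      # carried over from an old role or granted ad hoc
        if excess:
            findings.append(Finding(user, "excess_permission", excess))
        missing = allowed - set(perms)     # legitimate need not yet provisioned
        if missing:
            findings.append(Finding(user, "missing_permission", missing))
    return findings


def revocation_plan(findings):
    """Permissions to remove per user: all grants on orphaned accounts plus any excess grants."""
    plan = {}
    for f in findings:
        if f.kind in ("orphaned_account", "excess_permission"):
            plan.setdefault(f.user, set()).update(f.permissions)
    return plan


if __name__ == "__main__":
    results = review_access(SAMPLE_ROSTER, SAMPLE_GRANTS)
    for f in results:
        print(f"{f.kind:20} {f.user:10} {sorted(f.permissions)}")
    print("revoke:", revocation_plan(results))
```

Run on the sample data, the review reports bob’s leftover ledger:write, carol’s and svc-build’s orphaned accounts, and erin’s missing grants, while alice produces no finding. Running a check like this on a schedule, and treating any orphaned_account finding as a failed offboarding rather than a routine cleanup, is what turns “access must be terminated” from a policy sentence into something that is actually verified.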
As Joe Payne, CEO of Code42, has said, “Enable your personnel to do their job in a trusted manner with an umbrella surrounding them so that if they venture away from the processes and procedures—for example, load to web-based storage—they are corrected in the moment.”

Zero trust can’t exist without least-privileged access

Therein lies the rub. If CISOs aren’t exercising the doctrine of least-privileged access, then there is no venturing out of bounds, as the access is both permitted and authorized. As an old counterintelligence silverback, I must observe: Detecting information theft by an individual who stays within their swim lane is a heavy lift. By that I mean an individual who follows all the corporate processes and procedures, accessing only that to which they have natural access, may harvest with near impunity.

Zero trust’s perception problem

Zero trust is more complex than a buzzword. Egress Vice President of Product Management Steve Malone observes, “Zero trust, unfortunately, has a bit of a perception problem: It is often misrepresented by vendors, which causes buyers to misunderstand it. The most important thing to understand about zero trust is that it is not a product! It’s not something you can buy from a single vendor. Zero trust is a security methodology, a framework of technologies and best practices that an organization needs to define and adopt across their IT environments over time. Think of it as healthy and ongoing paranoia!”

Malone is right. Healthy and ongoing paranoia keeps everyone on their toes and focused on how information is accessed, moved and stored. This manner of thinking needs to be embraced from the C-suite to the individual contributor: while the security implementation may be supported by the CISO and their team of infosec gurus, the rubber hits the road in operations and production.

Zero trust can’t be implemented with a single product

Malone continues, “Some organizations have a difficult time implementing a zero-trust strategy. The biggest mistake I see is security teams misunderstanding what a true ‘zero trust approach’ means. Some organizations believe that zero trust can be achieved using individual security solutions here and there to provide a ‘quick fix’ to the problem. However, zero trust is about more than deploying individual solutions.”

Malone concludes, “Don’t be fooled by the snazzy name. Zero trust is not just another buzzword nor a single product. It’s a critical security initiative.”

The importance of people, processes and technology can’t be over-emphasized. They are core to the principles of least-privileged access and the strategic implementation of defense in depth. While the universal, textbook implementation of zero trust simply doesn’t exist, the principles of zero trust do, and trust is key to the success of a zero-trust strategy. Without trust, we are, as the navy would say, sunk.