What Is Zero Trust? 3 Things It Is (and 1 It Isn’t)
Zero Trust is all the rage these days! It is an old concept, but still often misunderstood by many business and IT professionals alike. Are your ” zero trust ” policies still effective with the expanding world of cloud-based software, mobile devices, and remote workers? With new phishing, ransomware, and email compromises happening every day, we need to be prepared and soon. With the expanding market of mobile devices, cloud services, and remote work happening, zero trust has become a lot harder to accomplish. But what even IS Zero Trust?
Zero Trust Is About Protecting Your Data
First and foremost, the reason for Zero Trust is to give a framework for IT professionals to use to protect your data. Attackers will exploit any vulnerability they can find. Zero Trust applies anywhere there is data that needs to be kept private. Zero Trust applies from the day a device is powered on and logged in to the day it is finally destroyed and recycled. It applies in networks, software, and even storage cabinets if there’s private data (or data bearing devices) in there.
That’s a pretty wide net. Which is why it can be a little confusing.
Zero Trust Is a Philosophy
Put simply, that philosophy is: “never trust, always verify.” The goal of zero trust is to change the “inside good, outside bad” way of thinking. Hackers aren’t standing still, so why should you? When a PC trusts everything inside of the network, everything becomes vulnerable. Firewalls and anti-virus help stop the outside world from coming in, but it does not protect an attack from the inside.
Picture this: You’re on a tour at the White House. And now you’ve connected to the guest WIFI on the White House grounds. In an environment not implementing zero trust, you would be able to blindly access all of the information the President of the United States has. But you’re trustworthy, right? Of course YOU can have access to those secrets. What about the guy next to you? Or the person in the suspicious van just outside the gate but still within WIFI range. Should THEY have access to everything just because they got on the WIFI network? Of course not, and neither should you. Does that mean you shouldn’t be allowed to go on the tour or even stream your tour experience on Instagram? Also no.
Zero Trust exists to enable both things to happen: you can do what you need to do, but nothing more. There is no single point of defense. In order to gain access to something you
Zero Trust Is Not an App or Device
If you have ever seen a product advertised that claims to be the answer to all of your security worries, they are lying. While there are many solutions out there to help you and your organization implement a Zero Trust philosophy, there is no single silver bullet to solve all your worries. Instead, it is a discipline. It is the courage to take a stand to prioritize security over convenience. Some examples of Zero Trust products and implementations include:
- Well-implemented Single Sign On with multi-factor authentication (SSO and 2FA)
- Role Based and Attribute Based Access Control systems (RBAC, ABAC)
- Securing and destroying data when the data bearing device has reached end-of-life (Tear-A-Byte Process)
- Any system that requires a user to verify their access to gain access to information
Zero Trust Is Here To Stay
Networks are more complex. Hackers are more sophisticated. It is up to the designers of systems, processes, and networks to ensure that access is only granted on a need-to-know basis. Long gone are the days of perimeter security being enough. The majority of breaches are from internal employees or vendors. Often, the sources of these breaches are unwitting accomplices. Zero Trust design philosophies help mitigate the risks of a highly connected world.
Zero Trust applies just as much to data at-rest as it does to data-in-motion. When your data bearing devices are at their end of life, how do you currently ensure those devices aren’t walking out the door. Unless you are taking steps to Track, Contain, Destroy, and Verify your end of life data bearing devices, how can you answer the question:
Do you know where your hard drives go at night?
Matthew Bradford has been in the IT industry for over 25 years serving in Fortune 500 companies and smaller enterprises alike. He is currently the VP of Architecture and Development for TechR2, the premiere IT Data End of Life Management Company.