Zero Trust Security
Get your free assessment today!
Network-based security is no longer adequate.
Apps have moved to the cloud and users are accessing them from anywhere, at any time using multiple devices. Despite that, the way enterprises secure access to applications has remained largely unchanged — they are still dependent on the corporate network perimeter and untrusted external networks.
The new reality, however, is that people are the perimeter.
The best way to architect and implement a new security framework is start with “no trust but verify” model. In other words, every service request made by any user or machine is properly authenticated, authorized, encrypted and tracked end to end.
Many cybersecurity frameworks have emerged over the last decade. Zero Trust by Forrester beginning 2009. In 2014, Google published BeyondCorp, which has served as the foundation for the modern Zero Trust security best practices. In 2018, Forrester introduced Zero Trust eXtended (ZTX) Ecosystem. In 2017, Gartner published Continuous Visibility and Assessment (CARTA). And, on February 2020, NIST published the latest draft of guidelines NIST 800-207 Zero Trust Architecture. Many cybersecurity vendors have been adding capabilities to support these frameworks.
Zero Trust Maturity
Based on our experience working closely with Fortune 1000 and fast-growing companies, we have discovered these companies are at four distinct levels of Zero Trust maturity:
- Stage 0 – Fragmented Security,
- Stage 1 – Foundational Security,
- Stage 2 – Advanced Security, and
- Stage 3 – Unified Dynamic Risk-Based Security.
These levels are derived from factors such as Zero Trust vision, strategy, roadmap and capabilities.
Best Practices for rolling out Zero Trust Security
The goal: The main goal of a Zero Trust security model is to prevent data breaches.
- It’s a new version of corporate identity.
- Authentication and Authorization as a Service must be based on many dynamic factors.
- Use a centralized access control model for more visibility into user activity.
- Enforce security measures that promote a better user security posture.
- Remove trust from your network.
- Enforce least privilege access.
- Every company is becoming a technology company to compete effectively.
- Take inventory of all users’ devices and credentials.
- Prepare and understand your current security architecture.
- Perform data analyses.
- Understand and document behavioral patterns.
- Lay the foundation for your policy framework.