Zero Trust maturity might be one of the least understood security buzzwords of our era. The term “Zero Trust” was originally coined over a decade ago and described the principle of not assigning digital trust to any entity, ever, for free. It represented a fundamental paradigm shift from the trust-happy early internet days to the threat-filled cyber landscape we now know.
Since then, companies have been striving to make all their systems Zero-Trust mature. As right they should. Attackers aren’t worthy of any more trust than they ever were, and we should not assign it to them. However, there are several ways to achieve Zero Trust, and the more organizations know about them, the better they can choose the path that’s right for them.
Zero Trust definition and tenets
The definition of Zero Trust can be found in many publications, but here’s the one provided by Forrester a few months ago:
“Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.”
Even that definition, focused on the three core principles of Zero Trust, might read a bit too generic. What does Zero Trust maturity really mean for an organization? Having a shared understanding of the concept greatly helps when implementing it. The National Institute of Standards and Technology (NIST) has published NIST SP 800-207 Zero Trust Architecture, which describes the following seven tenets of zero trust.
- All data sources and computing services are considered resources
- All communication is secured regardless of network location
- Access to individual enterprise resources is granted on a per-session basis
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture
The absence of a concrete solution-based approach to Zero Trust from these tenets is deliberate. Delivering a Zero Trust strategy can be done in a variety of ways. Every business needs to create a strategy and toolkit that fits with its particular requirements and preexisting infrastructure.
Stefan Lesaru, IDSA Zero Trust Technical Working Group Lead, explains that “Each organization must define its own concept based on an evaluation of the current network environment and any gaps that exist. They have to embrace the concept and culture and then move towards it. Zero Trust maturity requires a journey that may take several years to realize, and each organization’s journey and final implementation will look different.”
Ready to expand your Zero Trust maturity to secure file transfers? Watch this video to find out how Fortra’s GoAnywhere Secure File Transfer can help you do it.
The journey to Zero Trust maturity
Although NIST has articulated the seven tenets of Zero Trust and provided guidance on implementing a Zero Trust architecture, organizations often find themselves troubled about how to reach the ultimate destination. To this end, there are several key signposts that let you know you’re going in the right direction.
Confidence is key | It is important to consider that Zero Trust maturity is largely about building confidence. As John Kindervag, credited with coining the term, said: “Trust is a human emotion that refers to the level of confidence someone has in something, but it’s a vulnerability and an exploit in a digital system. So, for folks trying to move to a Zero Trust environment, step one is to eliminate the word ‘trust’ from your vocabulary as it relates to digital systems. Trust is binary; it is on or off. Think about using the term ‘confidence’ instead. Confidence can exist on a continuum. It’s an important distinction.”
A means and an end | Another important consideration is that Zero Trust is not about the destination, it is rather about the journey. “Think of zero trust as a way to operate the business in a secure way. It’s about how you actually practice security,” says Joseph Carson, CISO.
Do you have a ZT mindset? | Therefore, Zero Trust is about mindset. It is a shift away from traditional zoning principles and creating isolated islands within the ocean of your company, where everyone inside the island is to be trusted. It is also about orchestrating your efforts around protecting your data. The installed base of storage capacity is expected to increase from 6.7 zettabytes in 2020 to 16 zettabytes in 2025, reflecting the rapid growth of data. Due to this unrelenting annual expansion, many organizations now have data swamps rather than data lakes.
What is your status on Zero Trust?
Varying organizations have varying needs and different constraints when setting forth their journey to Zero Trust maturity. Culture, resources, leadership buy-in, talent gap, and employee retention are all factors that may foster or hinder the adoption of a Zero Trust strategy.
Most organizations have already embarked on this journey, but they lack the visibility of where they stand right now. You may be further ahead in establishing good Zero Trust foundations than you realize. Assessing your Zero Trust status is a good way to take a moment to reflect on what you have done so far and (re)align your efforts.
Make Fortra your partner in Zero Trust maturity. Our experts can help you determine where you stand against current maturity standards, know which areas need work, and understand how to get there without creating tool sprawl or SOC overwhelm. If your organization has been pursuing Zero Trust maturity on its own, now might be a good time to lean on the expertise of specialists who are relentlessly helping companies just like yours actively achieve their Zero Trust goals. Talk to a Fortra SME today.