The cost of breaches and data theft is high for everyone, and the saying—“There are two types of organizations: those that have been hacked and those that don’t know it yet”—has never been truer. As America’s first cybersecurity czar, Richard Clarke, said all the way back in 2010, “It’s almost impossible to think of a company that hasn’t been hacked.”
Traditionally, companies have attempted to foil attackers and prevent breaches by strengthening their network’s perimeter defenses. However, the growing use of cloud applications—which effectively extends an organization’s network outside its perimeter—combined with the relative ease with which many perimeter defenses, even sophisticated ones, have been breached, means that organizations can no longer count on them. This reality is forcing organizations to re-think their approach to cybersecurity.
In today’s environment, the network can no longer be considered a safe zone. In fact, there is no safe zone. Every asset an organization possesses and every transaction it conducts must be secured as if it were a standalone item continually exposed to the full range of cyber threats. The understanding that perimeter protection alone is not sufficient is increasingly leading organizations to the security concept of Zero Trust. A secure Zero Trust Organization is built on a never-trust/always-verify approach to all entities and transactions, in which multiple solutions work together to secure digital assets.
The distinguishing features of a Zero Trust Organization
The Zero Trust concept was first introduced by Forrester in 2010. Sila’s extensive experience working with federal and commercial organizations in a range of industries shows that, for Zero Trust to be effective, security must be applied in an integrated manner at four levels: the user, the application, the data, and the network.
In a Zero Trust Organization:
- Access to services is authenticated, using strong and step-up authentication (in which more critical data is accessed through more rigorous authentication methods) where necessary;
- Applications and data, including unstructured data sources, are separately protected;
- Cloud security is accorded the same importance as on-premises network security;
- Advanced analytics and machine learning are widely used for better detection of threats and breaches.
Creating a Zero Trust Organization is a four-step process:
- Establish strong identity governance and authentication
- Establish centralized privileged access management
- Ensure application security and data governance (including unstructured data)
- Develop better network and cloud security