Aladdin: Do you trust me?
The king’s men have just discovered the runaway princess’ hiding place. At which point, Jasmine is faced with a tough decision: should she accept her fate or take a leap of faith?
The princess navigates the world with a “trust nothing; verify everything” approach. But intuition tells her “a whole new world” awaits with the handsome Aladdin.
Unfortunately for IT admins, trusting unknown network users and devices doesn’t end with singing songs on magic carpet rides. According to the 2021 Cost of a Data Breach Report, hackers cost companies $4.24 million per incident on average. That’s the highest cost in the 17-year history of IBM’s annual report.
An increasing number of organizations are adopting Zero Trust security models in response, including the U.S. federal government. But misunderstandings within the IT community remain.
In this article, we’ll dive into what Zero Trust is and isn’t. We’ll also answer the question: Is Zero Trust a long-term security solution?
What Is Zero Trust (Beyond the Buzz)?
Confusion around Zero Trust stems from buzzword saturation.
For startups, it’s words like disruptive, democratize, and agile. In the IT industry, we have net neutrality, datafication, and hyper-automation.
Regardless of the industry, we’ve all heard jargon thrown around without it being clearly defined. Understandably, the term Zero Trust is no different. Here’s what it actually means:
Zero Trust is a security framework that combines factors like microsegmentation, identity and access management tools, and the principle of least privilege (PoLP) with the philosophy of our (my) favorite princess: trust nothing; verify everything.
Zero Trust security is not any singular tool, technology, or product. Rather, it’s an approach to security that involves using a combination of tools to employ specific strategies designed to minimize risk.
This realization, understandably, comes as a disappointment to any IT admin seeking a magic bullet. After all, SaaS vendors sold them the dream that Zero Trust is the latest and greatest security tool they must have in their arsenal!
Rushing to purchase singular tools — without first outlining overarching strategies — left a sour taste in the mouths of some IT managers. Many small-to-medium-sized enterprises (SMEs) have wasted budgets on ad hoc purchases that weren’t compatible with existing IT systems.
It’s why cybersecurity industry leader Forrester recommends taking an incremental approach when moving away from perimeter-based infrastructures. Put simply, switching to Zero Trust is worthwhile, but only when completed in small steps.
Learn more in Forrester Research: A Practical Guide To A Zero Trust Implementation.
The 3 Principles of Zero Trust
As mentioned above, Zero Trust isn’t a security tool, but a security framework. Regardless of the organizational infrastructure in place, true Zero Trust programs include the following:
- Principle of least privilege (PoLP): IT admins only give end users access to what they need to complete assigned tasks. The functions of the user — not the identity — determine the permissions settings they have. In addition, end users shouldn’t be able to change network settings. PoLP reduces the risk of data breaches by limiting the breadth of what a hacker might access once inside a compromised user account.
- Authentication at every access transaction: Zero Trust requires authentication at every access transaction. This means users must confirm their identities as they weave through system and network layers. The policy reduces lateral movement in the event of a security breach so that cybercriminals can’t access the entire network even if they gain access to a specific resource.
- Secure authentication: Standard passwords are no longer a reliable security measure. A whopping 61% of cyber breaches in 2021 involved credentials. Cybercriminals have mastered how to infiltrate even the most secure of passwords. Case in point: it takes a master hacker about 12 minutes to crack an 8-character NT-hash password. As a result, Zero Trust advocates for more secure authentication methods, such as passwordless authentication and multi-factor authentication (MFA).
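
The three principles above, combined into one deny-by-default check that runs on every access transaction. This is an added example, not code from the original article; the roles, resource names, factor labels, and the 300-second re-authentication window are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed sample policy: permissions attach to a job function (role), never to a named user.
ROLE_PERMISSIONS = {
    "helpdesk": {("ticketing", "read"), ("ticketing", "write")},
    "finance": {("payroll", "read")},
}
MAX_AUTH_AGE = 300  # seconds a proof of identity stays valid (assumed value)

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    auth_resource: str  # resource the user authenticated to
    auth_time: float    # when that authentication happened (epoch seconds)
    factors: frozenset  # factors presented, e.g. {"password", "totp"}

def strong_auth(factors):
    """Secure authentication: passwordless, or more than one factor."""
    return "passkey" in factors or len(factors) >= 2

def evaluate(req, now):
    """Decide one access transaction. Deny by default; return (allowed, reason)."""
    # Authentication at every access transaction: the proof must be fresh and
    # bound to this resource, so a session on one system does not carry over.
    if req.auth_resource != req.resource or now - req.auth_time > MAX_AUTH_AGE:
        return False, "reauthenticate"
    if not strong_auth(req.factors):
        return False, "stronger_authentication_required"
    # Least privilege: only what the role needs is allowed.
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "not_permitted_for_role"
    return True, "ok"

# Constructed sample requests, evaluated at NOW.
NOW = 1000.0
MFA = frozenset({"password", "totp"})
SAMPLES = {
    "normal": AccessRequest("dana", "helpdesk", "ticketing", "write", "ticketing", 900.0, MFA),
    "lateral": AccessRequest("dana", "helpdesk", "payroll", "read", "ticketing", 900.0, MFA),
    "password_only": AccessRequest("dana", "helpdesk", "ticketing", "read", "ticketing", 990.0, frozenset({"password"})),
    "over_privilege": AccessRequest("dana", "helpdesk", "payroll", "read", "payroll", 990.0, MFA),
    "stale": AccessRequest("lee", "finance", "payroll", "read", "payroll", 100.0, frozenset({"passkey"})),
}

def decide_all():
    return {name: evaluate(req, NOW) for name, req in SAMPLES.items()}
```

The "lateral" and "over_privilege" samples show the two controls working independently: the first is stopped because the session was authenticated to a different resource, the second because the role never had that permission.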
Again, it’s worth emphasizing that Zero Trust is a continuous process and strategy, not a one-off purchase and installation. Despite its “buzzwordy” status, Zero Trust is becoming a vital component of securing our modern remote workforce.
Benefits of Zero Trust include improved network security, better usability, better network admin experience, and the ability to adapt to future changes in network infrastructure. But to enjoy these benefits, organizations must adopt a structured approach to Zero Trust implementation.
Where does all of this leave on-prem networks and legacy systems? Let’s take a quick trip in our time machine.
The Evolution of Perimeter-Based Security
Cybersecurity has been a concern since the network’s inception. But it wasn’t until Cornell University graduate student Robert Tappan Morris developed the first automated worm in 1988 that industry leaders collectively said, “Oh, sh#t.”
The world’s first major attack on the internet exposed the vulnerabilities of networked computers overnight. This discovery motivated government departments, militaries, and higher learning institutions to tighten existing security measures soon after.
Their efforts, ultimately, led to the creation of standard antivirus and firewall programs. While on-prem solutions were better than nothing, one challenge remained: whenever a particularly savvy cybercriminal hacked their way past perimeter controls, they often had access to everything on the corporate network!
Meanwhile, the general public didn’t experience an uptick in heavy internet users until the late ’90s. At which point, SMEs began building on-premise networks with tougher security controls.
But organizations with, say, fewer than 2,000 members have always felt the strain of putting resources toward VPNs, web/mail proxies, intrusion prevention systems (IPSs), and more. The on-prem strategy worked well enough until remote work became the “new normal” in recent years.
Zero Trust: A Long-Term Security Solution
In 2020, much of the global workforce shifted to remote work as governments enforced COVID-19 restrictions.
According to the Pew Research Center, 59% of U.S. workers feel their job can be done remotely. The movement, ultimately, accelerated many new (and existing) challenges, like the need for bring-your-own-device (BYOD) policies, managed access to a growing list of cloud-based applications, and remote troubleshooting and support. With it came the need for organizations to find better ways to secure their networks beyond on-premise security measures.
Implementing a Zero Trust security framework is the long-term solution to the new “perimeterless” environment. IT admins can implement Zero Trust elements such as mobile device management (MDM), multi-factor authentication, and identity management quickly and on budget.
Such small steps forward are essential as a full-fledged Zero Trust program takes anywhere from 2 to 3 years to launch. Prioritize the steps that make the most sense for your organization, and start with the specific network resources workers rely on the most.
Consolidate Zero Trust Initiatives with JumpCloud
Zero Trust is the long-term security solution for combating modern data breach threats. Has your organizational leadership been under the impression that Zero Trust is complex, expensive, and time-consuming? While switching to ZT can be these things, it doesn’t have to be.
Strategize execution based on your unique organizational needs, existing/future infrastructure compatibility, and available resources. One of the best ways to streamline the journey is to consolidate your efforts whenever possible.
With JumpCloud, organizations gain access to a powerful tool that combines several Zero Trust elements — patch management, mobile device management, identity and access management, single sign-on (SSO), compliance reporting, and more — under one pane of glass.
Interested in Zero Trust for compliance purposes?
Our IT Compliance Quickstart Guide will walk you through how to prepare for an audit and how to boost your IT security baseline.