The phrase “zero trust” has been talked about in cybersecurity circles for quite a few years now.
During that time, it has almost lost its meaning as a useful tool for combatting cyber threats.
As a result, you’d be forgiven for your eyes glossing over whenever the term gets bandied about in marketing emails, ads and at events.
Despite all that, the idea of a zero trust cybersecurity strategy can play a major role in organizations combatting cyber threats.
Here’s how you can cut through the marketing jargon and use zero trust to help your organization.
You can’t buy zero trust
Almost every cybersecurity solution that’s on the market these days, in one way or another, claims to be selling a one-size fits all approach to implementing zero-trust at your organization.
Anyone claiming to offer a cybersecurity solution that will singlehandedly implement zero trust on your behalf is not to be trusted.
“Zero trust is a way of thinking about your security, a way of approaching your security,” says Jon Ferguson, CIRA’s General Manager of Cybersecurity and DNS Services. “There isn’t a zero trust software that you can go and buy—it’s not a switch that you can flip. Anyone who tells you that it is, is going to lead you down a path that is really dangerous.”
Sure, there are certain tactics that are the hallmarks of zero trust: segmentation, multi-factor authentication, device access control.
But don’t think that these, alone, will be at the core of implementing a zero trust solution.
Zero trust is a strategy, not a technology
A zero trust cybersecurity strategy is exactly that—a strategy.
Does technology play an indispensable role in implementing a zero trust strategy? Of course.
But to think that you can achieve a zero-trust framework simply by implementing a bunch of new technologies willy nilly is folly.
Instead, you should be focusing on the core of what zero trust means.
Zero trust, in essence, means that no device or user is to be inherently trusted—in contrast to non-zero trust strategies that frequently prevailed in the past, when anything that was able to access a network was given almost unlimited access.
Treat zero trust as a bunch of tactics stacked on top of one another
Think one tactic is going to be enough to get you to zero trust? Think again.
Zero trust is only possible when you take a number of tactics and stack them on top of one another.
“The concept is your network should not be like a candy bar—crunchy outside, soft, gooey interior. It should be hardened throughout,” says Steve Winterfield, Senior Director, Security Technology and Strategy, Akamai
Another way of thinking about it is like Swiss cheese slices: individually, they each have holes in them. But if you stack enough of them on top of one another you won’t have any gaps.
Assume you already have a breach
This is one of the reasons why zero trust became popular as a strategy—cyber attacks became so prominent and regular that organizations were better off assuming that devices and networks had already been infected.
That means that you can’t operate as though you are protecting against a cyber threat to come (though you should probably plan for that as well).
It means you should be operating as though someone is already in the door.
These days, it can be easy for eyes to gloss over any time the phrase “zero trust” gets thrown around.
But that doesn’t mean zero trust—provided you don’t treat it as a “set it and forget it” approach to cybersecurity—can’t play a big role in combatting cyber threats.
Are you looking to increase your organization’s threat protection? CIRA DNS Firewall uses Akamai’s threat feed to keep Canadian organizations protected from cyber threats.
Learn more here.