What Is Zero-Trust and Are You Prepared to Implement It?
Zero-Trust is the reigning popular governance model for implementing security on networks. While older security policies assigned users access based on a set of rights, which often conferred access to numerous systems, Zero-Trust provides the least possible access necessary to perform activities on the network. A Zero-Trust network also continuously monitors devices and resources across the network, tracking users, activity, and changes—all designed to help identify and stop potential threats.
Defining Zero-Trust for People
At our core, humans are trusting creatures. Whether we’ve just met someone at the local coffee shop or we’re doing important, highly sensitive work online, we tend to assume the best rather than anticipate the worst. The very thought of doubting motivations and intent runs counter to everything we hope to build in our relationships, both immediately and over time.
Zero-Trust fights this human propensity—and does so for the good of your network. The National Institute of Standards and Technology (NIST) recently published a paper defining Zero-Trust as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
To better understand what this means, think of Ronald Reagan’s famous “trust but verify” quote during the Cold War. In many ways, Zero-Trust takes the polar opposite approach: verify before trusting anyone or anything along your network. Based on such a tenet, it’s obvious that authentication and authorization are foundational to any Zero-Trust approach. Before establishing access, both user and device must gain proper clearance.
The Evolution of Zero-Trust
As with nearly everything else in your world, cybersecurity has changed over time. Remember when the worst threat Hollywood could imagine involving cybersecurity was someone dialing into a remote server over a 9.6 baud modem and stealing a few secrets? Hacking is still a threat—don’t get me wrong—but it’s so much more profitable now to engineer a successful phishing scheme and then lock up someone’s data and demand a fortune in Bitcoin as ransom.
So what’s changed? Well, there are three specific realities behind this evolution to a Zero-Trust model:
Rapid technology advances. Breakthroughs continue at an exponential rate, creating the need to “keep up.” Whether it’s cloud computing or the next big thing on the horizon, network security is more reliant than ever on proper verification always preceding trust at any level.
Remote access points. Long before COVID-19 accelerated the trend, individuals were accessing networks from a variety of locations and devices. This created the need to move defenses away from physical locations exclusively and to insert them throughout the network, keeping tabs on everything from APIs to access points.
Resource-focused protection. Since the physical location alone no longer drives security, attention shifted to protecting individual elements of the network, such as users, assets, and workflows. Today, something as seemingly benign as an unusual uptick in CPU utilization can red-flag a potential security issue.
If you think back to how far we’ve come—when firewalls and antivirus were the workhorses of cybersecurity—to where we are now, it’s a sobering realization knowing that even Zero-Trust will have to evolve into something new down the road.
Zero-Trust Comes Down to Maximum Visibility
At the heart of any Zero-Trust model is visibility and transparency. The problem with yesterday’s cybersecurity is that it was developed to protect a finite realm, typically involving the corporate network and some remote devices.
Today, the distance between remote end-devices and the network core requires better visibility into what and who is on our network, and what they are doing at all times.
Remember, verify, then trust, and now add, verify again. That means we verify when they enter the network, we verify when they access items on the network, and we verify when they change anything on the network, even themselves.
This level of visibility requires a combination of old-school security monitoring combined with today’s advances in IoT-capable devices, workload monitoring and governance, and a slew of advanced AI and machine-learning based systems all working together to collect data, track, and report in real-time the status of everything happening on your network. From is the identity of those in your network, the knowledge of whether software, middleware and APIs have been updated to the latest versions, the status of your existing systems, and the comparison of baselines against real-time, nothing is taken for granted in a Zero-Trust environment.
If you’re reading this and realizing you don’t already have the tools in place for this kind of insight, well, you’re not alone.
Implementing Zero-Trust in Your Systems
In 2019, Cybersecurity Insiders reported that only 15 percent of organizations had completed a transition to a Zero-Trust security model.
Interestingly, the question of how to implement a Zero-Trust model requires enforcing the same rules on the security vendors offering solutions.
Verify their credentials, then trust that they can do what they promise.
Epoch Concepts work with dozens of cybersecurity solution providers, each offering its own flavor of Zero-Trust. Most map back to guidance released by NIST and other government-focused agencies. If you’re concerned about the state of your readiness, we invite you to check out some of our partner resources specifically focused on Zero-Trust.
- NIST: Zero Trust Architecture paper
- McAfee: Everyone knows McAfee’s history of protecting endpoint devices, but they are also a giant in the field of enterprise cybersecurity. Check out their paper, “Threat Visibility and the Zero Trust Virtual Data Center.”
- AppGate: In addition to offering extremely strong cybersecurity protections, you can also get three robust pieces of content from AppGate on their site:
- AppGate’s eBook titled, “Zero Trust network Access: Everything You Need to Know”
Want to learn more about Zero Trust security? If you're in the Colorado Springs area, be sure and register TODAY to join Epoch Concepts, McAfee, and AppGate for our upcoming workshop, "Zero Trust-Cloud Security Workshop – AppGate (SDP) & McAfee Unified Cloud Edge (SASE)"
When: June 24th (Thursday)
Location: Phantom Canyon Brewing Company
2 East Pikes Peak Ave.
Colorado Springs, CO 80903
Space is extremely limited. Reserve your spot today!
Ready to get started now? We can help you identify your organization’s unique security needs then match you with the technology partner that’s right for your unique needs. Once identified, we work with them to ensure you get the best pricing and terms. We can even help implement the solution ensuring that you have a trusted partner who understands your systems and can help keep your organization secure and your systems as your needs grow and change.