Zero Trust 101

The COVID-19 pandemic has forced a rapid, widespread shift to remote work, necessitating a new approach to security. Many public sector agencies are responding by adopting a Zero Trust model.

What is Zero Trust? Why is it important? What’s required to implement it? Let’s explore.

What Is Zero Trust?

You might be familiar with the security principle of “deny all” or “least privilege” – the idea that a person, system, or process is given only the minimum access or privileges necessary to accomplish a task. This best practice reduces the risk that an attacker can access sensitive data or critical systems by compromising a low-level account, device, or application. Zero Trust elevates the “deny all/least privilege” principle and applies it to every aspect of information security – users, networks, devices, applications, and data.

At DLT, we’ve assigned each aspect of information security to one of seven Zero Trust categories: 

  1. Network Architecture, Monitoring, Access Control
  2. Automated Response
  3. Threat Intelligence
  4. Visibility
  5. Data Protection
  6. Application Security
  7. Identity and Access Management

Future posts will address each of these in depth.

Why Zero Trust?

Innovation occurs because current methods are no longer effective. That’s certainly the case with Zero Trust. In the past, security often followed a perimeter-based approach. If we kept the bad guys outside of our networks, we felt secure and trusted everyone and everything inside the network. But if attackers manage to get inside the network (as they very often do), they can access everything.

With Zero Trust, trust based on network location or IP address is replaced with explicit, limited trust verified through identity, behavior, and context-based factors. This verification limits access for users, devices, and applications, and categorizes, organizes, and segments data according to sensitivity.
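As an added illustration (not DLT's code and not part of the original post), the sketch below evaluates the same two requests under a perimeter rule and under a deny-by-default Zero Trust rule that checks identity, device, behavior, and data sensitivity. The network range, tier names, thresholds, and sample requests are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed values for illustration only: network range, tier names, thresholds.
INTERNAL_NET = ip_network("10.0.0.0/8")
TIER_RULES = {
    "public":     {"mfa": False, "managed_device": False, "max_risk": 80},
    "internal":   {"mfa": True,  "managed_device": False, "max_risk": 50},
    "restricted": {"mfa": True,  "managed_device": True,  "max_risk": 20},
}

@dataclass
class Request:
    user: str
    source_ip: str
    mfa_passed: bool
    device_managed: bool
    device_patched: bool
    risk_score: int          # behavioral risk, 0 (normal) to 100 (anomalous)
    entitlements: frozenset  # data tiers explicitly granted to this identity
    resource_tier: str       # sensitivity tier of the data being requested

def perimeter_decision(req):
    """Legacy model: anything on the internal network is trusted."""
    return ip_address(req.source_ip) in INTERNAL_NET

def zero_trust_decision(req):
    """Deny by default; source IP is ignored. Returns (allowed, failed checks)."""
    rules = TIER_RULES.get(req.resource_tier)
    if rules is None:
        return False, ["unknown resource tier"]
    reasons = []
    if req.resource_tier not in req.entitlements:
        reasons.append("identity not entitled to tier")
    if rules["mfa"] and not req.mfa_passed:
        reasons.append("MFA required")
    if rules["managed_device"] and not (req.device_managed and req.device_patched):
        reasons.append("managed, patched device required")
    if req.risk_score > rules["max_risk"]:
        reasons.append("behavioral risk too high")
    return not reasons, reasons

# Constructed sample: a compromised low-level account on the internal network.
inside_attacker = Request("svc-print", "10.4.2.17", False, False, False, 65,
                          frozenset({"public"}), "restricted")
# Constructed sample: a remote employee with verified identity and device.
remote_employee = Request("alice", "203.0.113.40", True, True, True, 5,
                          frozenset({"public", "internal", "restricted"}), "restricted")
```

The perimeter rule admits the compromised internal account and rejects the remote employee; the Zero Trust rule reverses both outcomes and lists each failed check, which gives monitoring something concrete to log.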

How Can You Implement Zero Trust?

Successfully transitioning to Zero Trust requires a fundamental shift in mindset. However, this doesn’t mean a “rip and replace” strategy. In fact, government agencies already have many of the tools and capabilities required for Zero Trust. 

Implementing Zero Trust may seem intimidating and overwhelming, but it actually simplifies and consolidates security efforts. By building incrementally, using security tools and solutions you already have, you can begin your journey toward a Zero Trust architecture.

In a 2020 interview with the Security Intelligence Podcast, Chase Cunningham, principal analyst with Forrester’s security and risk team, says, “The easy place to start is actually around devices and users.” He suggests that agencies “pick really small problems that have relatively binary solutions and fix those first.” Cunningham recommends agencies start by addressing issues like poor passwords, multi-factor authentication, unpatched guest systems, and other basic security hygiene measures.

To start your journey to Zero Trust, DLT introduces our new Zero Trust Hub. On the Hub, you’ll find a framework, infographics, reference guides, blogs, articles, white papers, and most importantly, solutions to implement a Zero Trust architecture.