Building a Business Case for Zero Trust Security
Building a Business Case for Zero Trust Security

Despite the many security analysts, vendors and thought leaders that point to Zero Trust as the next generation of cybersecurity, some members of the C-suite remain unaware of the concept and uncertain of how it will address their most pressing security concerns.

The challenge is to first educate company executives on the common denominator that exists within the vast majority of all breaches, raise awareness of the best method of addressing that common denominator, gain alignment across the C-suite and move forward with a plan of action.

 First, identify the actual problem

Protecting the organization against a growing number of threats has become increasingly difficult and expensive. Methods that were effective a few years back are, by today's standards, the equivalent of putting a Band-Aid on a compound fracture. While we probably all agree on that, we don't seem to agree on much else.

According to a research study conducted by Dow Jones Customer Intelligence and Centrify, nearly two-thirds of CEOs – who view themselves as the primary owners of their companies' cybersecurity strategies – cite malware as the most serious and pervasive threat against their organizations. But is it?

Only 35 percent of CIOs, CTOs and CISOs think so. Forty-two percent of these technical officers instead point to privileged user identity attacks and misused passwords as the primary threat. And they've got the numbers behind them: Verizon's 2017 Data Breach Investigation Report indicates that 81 percent of all breaches involve weak, default or stolen passwords. And 68 percent of executives whose organizations were breached believe their companies would have been spared by stronger privileged user identity controls.

All signs seem to point to identity as the primary attack vector, yet CEOs remain focused on malware. This may not seem like a problem, but it might just bethe problem.

Security budgets are stretched thin, so when security investment decisions are made with incomplete data and unwarranted confidence in the ability of anti-malware to protect organizations, breaches happen. The first step in building a business case is making sure everybody understands this. Until they do, priorities will continue to be in conflict, budgets will be misallocated, and companies will be ill-prepared to stop many breaches.

 Drive executive alignment behind Zero Trust

Only after you've built a consensus on the core problem can you agree on how to address it, which is where Zero Trust comes in.

The Zero Trust Security model assumes that untrusted actors already exist both inside and outside the network. Trust must therefore be entirely eliminated from the equation. Zero Trust replaces the old “trust but verify” paradigm, with the new “never trust, always verify” paradigm. If it sounds paranoid, ask yourself this question: Would I rather be called paranoid, or be called to testify in front of a panel of U.S. Senators?

When everything -- users, endpoints, networks and resources -- is untrusted, everything must be verified. This isn't as difficult as it may sound. Zero Trust Security can be achieved with a handful of proven security technologies including single sign-on, multi-factor authentication, enterprise mobility management, privilege management and behavior analytics. When integrated in a next-generation access platform, these technologies can identify every user, validate every device, and intelligently limit access and privilege inside the infrastructure.

 The business case for Zero Trust

You're probably already using at least some of these technologies. And for those you're not, you need to know this: they're easier than ever to implement and manage. They leverage machine learning to make them smarter and able to adapt without negatively impacting the user experience. Most importantly, they will substantially reduce risk and may help you to achieve compliance to a number of regulations by protecting the primary attack vector—user credentials.

To be fair, malware does play a role in many breaches and anti-malware is an important component of any security strategy. But it's often through compromised identities that the malware enters the organization in the first place, and through the compromised identities of privileged users that hackers gain access to the most critical data.

If executive management remains unconvinced, you can always fall back on this: back in 2015, Google began altering its network security policies to remove trust from the network, securely identify the device and the user, and apply dynamic access controls, least privilege and context aware policies. 

Today, many security analysts find Google's approach the most compelling reference architecture to date. 

Don't believe me? Google it.