Zero-trust represents the biggest shift the industry has undergone in recent memory. Gartner anticipates spending on zero-trust to more than double between now and 2025 to $1.674 billion. The U.S. government has also made it mandatory for all federal agencies to adopt zero-trust by 2024. The National Institute of Standards and Technology (NIST) has also been told to build a playbook for the private sector.

Zero-trust is a simple concept: trust nothing, verify everything. While zero-trust represents an entirely new philosophy for the industry, security teams have found deploying it highly complex and there are no easy off-the-shelf solutions. Previously, organizations built a defensive perimeter around their network, verified anything passing through, and then granted access, privileges, and implicit trust to anything happening inside the network. The industry needs to reconfigure all existing tools to incorporate this new security architecture.

Traditional security perimeters such as inside-and-outside, trusted-and-untrusted are no longer sufficient to repel today’s increasingly professional and well-organized cybercriminals. Rather than assuming that the organization’s defences will repel all attacks, zero-trust acknowledges that attacks will always make it inside the defensive perimeter. To install truly modern cybersecurity, organizations must augment their traditional security perimeters and gateways. We must replace them with systems that require authentication before granting any level of access followed up by careful access control even for authenticated users. As attacks can hide anywhere, masquerading as anything, security teams to strictly guard and sparsely grant access.

The pluses for zero-trust are easy to add up. According to IBM, zero-trust lowers the cost of data breaches by 43%. Illumio also reports that zero-trust segmentation saves nearly 40 hours per week and prevents an average of five cyber disasters a year in a typical organization.

Zero-trust depends on continuous verification; we never assume identity and never grant automatic access. Verification must take place before access to anything (ex., apps, data, networks) gets granted to anyone. Assuming that some attacks will initially succeed, breach mitigation becomes a critical pillar of cybersecurity. Measures like network segmentation and least-privilege access prevent attacks from spreading to limit the damage to one area. 

Zero-trust lets organisations detect real and present threats when they emerge, and it also uses threat intelligence to warn of incoming and planned attacks in real time. It assumes that some attacks are so cleverly engineered that they will inevitably get through forces organizations and their advisors to commit more resource to actionable threat intelligence. However, few medium-sized organizations have the in-house resources needed to monitor incoming and future threats. Without this automated threat intelligence, supported by a global team of analysts, companies leave themselves increasingly vulnerable to an array of threats, such as well organized and professional ransomware attacks.

Small and medium-sized organizations need to make the shift to zero-trust, as existing cybersecurity solutions, developed with larger companies in mind, have proven a poor fit. Recent research found that companies with small security teams continue to face a number of unique challenges that place these organizations at greater risk than larger enterprises; 94% say they have barriers in maintaining their security posture because of a lack of skilled security personnel (40%), excessive manual analysis (37%), and the increasingly remote workforce (37%).

But, as it affects the entire defensive toolkit, security teams find zero-trust implementation complex. They may need to add tools for segmentation, identity and access management, network monitoring, and even detection and response. They’ll also need to reconfigure existing tools to reflect the new security architecture. Adding extended detection and response (XDR) can also form a crucial part of a zero-trust implementation. Some XDR solutions offer user behavioral analysis, vulnerability management, and threat intelligence.

To make zero-trust work, many organizations will need to overhaul the entire cybersecurity department, as the current security team may not have the skills, experience or staff. And they may need to recruit additional staff or services. During any transition period, security teams must practice tightly-controlled change management throughout, as threat actors never go away. Companies, particularly those with limited cybersecurity resources, as well as federal agencies, have an increasingly urgent need to implement zero-trust. But its effectiveness both in the short and medium term will depend on a high level of planning and management.

Bruno Darmon, president, Cynet