How the zero-trust cybersecurity model of 'trust nothing, verify everything' is key to a remote-first work environment
- Zero trust is more than just cybersecurity — it's an evolving enterprise strategy.
- The framework assumes your network is compromised and authenticates users via texts or biometrics.
As the world of cybersecurity adapts to the changing landscape of remote work, the message from corporate boards to C-suites and departmental managers is becoming far more basic: "Trust nothing, verify everything."
The statement is the crux of the zero-trust approach to cybersecurity, which is a framework that authenticates a user every time they try to use their company's system.
When a zero-trust environment is in place, the IT team that manages corporate networks and cloud environments can identify and validate every user, device, and application each time someone attempts to access a company asset, including a server on the corporate network, a cloud-based storage system, or a software-as-a-service application such as Salesforce or Google Workspace.
In practice, the zero-trust strategy "is an aspirational collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege access decisions in information systems and services," said David London, a managing director of the Chertoff Group.
Under the zero-trust framework, even if a user has valid username and password credentials, they will always be denied access to the system if their device has not been validated as an approved device tied to that user.
Benefits of a zero-trust strategy
If an authorized user's credentials are stolen, a cyberattack can be stopped in advance if the device or software is not successfully validated. In some circumstances, a stolen laptop — paired with compromised credentials — may only give the attacker access to a single application, which prevents them from moving through the network to steal data, plant malware, or otherwise wreak havoc.
"Zero trust is not only a cybersecurity thing. It's evolving into an enterprise strategy and design conversation that is rooted in strong principles," said Deepak Mathur, the managing director of cybersecurity services at KPMG. "So far, zero-trust conversations have revolved around pieces to tech and solution, but very soon we will see business goals and outcomes being attached to zero trust."
Steps to take to secure a company's network
A number of security measures can move a company toward zero trust quickly and efficiently.
Some of these actions include implementing multifactor authentication, employing a virtual private network, or using a Zero Trust Network Access environment to replace aging VPN technology with more secure zero-trust elements. The Zero Trust Network Access environment also employs security software on all devices and continually tests and validates that the security controls are functioning correctly.
These features are especially important when remote users work outside the direct control of the corporate security team. Companies need to make sure their devices, which may now sit on home networks, have the appropriate software and security-related updates, and that employees working from home take the right security precautions when accessing corporate networks and information.
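The per-request decision described above (valid credentials are still denied on a device not tied to the user, and a stolen laptop reaches only the applications granted to its owner), written out as an added Python example that is not from the article or any product it names. The device inventory, entitlement table, and every name in it are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample inventory (hypothetical names): device -> owner and posture.
DEVICES = {
    "laptop-17": {"owner": "alice", "patched": True, "agent_healthy": True},
    "laptop-23": {"owner": "bob", "patched": False, "agent_healthy": True},
}
# Constructed entitlements: each user is granted specific applications only.
ENTITLEMENTS = {"alice": {"crm"}, "bob": {"crm", "file-storage"}}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    password_ok: bool  # outcome of the username/password check
    mfa_ok: bool       # outcome of the second factor (text code, biometric)
    device_id: str
    application: str


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate one access attempt; run on every request, never cached."""
    if not req.password_ok:
        return False, "invalid credentials"
    if not req.mfa_ok:
        return False, "second factor failed"
    device = DEVICES.get(req.device_id)
    if device is None:
        return False, "unknown device"
    if device["owner"] != req.user:
        return False, "device not tied to this user"
    if not (device["patched"] and device["agent_healthy"]):
        return False, "device failed posture check"
    if req.application not in ENTITLEMENTS.get(req.user, set()):
        return False, "application not granted"
    return True, "allow"


if __name__ == "__main__":
    # Stolen credentials replayed from a device the company never enrolled.
    print(decide(AccessRequest("alice", True, True, "attacker-pc", "crm")))
    # Stolen laptop plus credentials: only the owner's granted app is reachable.
    print(decide(AccessRequest("alice", True, True, "laptop-17", "crm")))
    print(decide(AccessRequest("alice", True, True, "laptop-17", "file-storage")))
```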
Building a zero-trust framework in an organization
Implementing a zero-trust environment at a company takes planning and foresight. Mathur said leaders should establish a zero-trust center of excellence to support the larger security strategy.
"So many functions can be impacted by a breach and play a role in securing the organization. The stakeholder group for planning and implementing a zero-trust model should expand well beyond the security team," he said.
Mathur added that identity, networking, application development, endpoint technology, legal, and cloud leaders were just some of the important participants who could make up a company's zero-trust center of excellence.
"The CEO should develop a specific zero-trust definition for the company and key principles, baseline the current state posture, and define a road map of adoption and priority," Mathur said. "Expect the center of excellence to be very active the first two or three years of the transformation journey."