Zero Trust: trust no one. It seems basic, but it also seems somewhat unachievable: if you trust no one, then no one has access to your systems or data. Your assets will be secure for sure, but also unusable. In fact, so unusable that business will grind to a halt, effectively eliminating the need for the data at all, and along with it, Zero Trust.
But rather than being pointless, think of Zero Trust as a metaphor or ‘motto’ for an approach to security, one that is informed by best practices. The Boy Scouts have a motto, and the dictionary defines a motto as “a short sentence or phrase chosen as encapsulating the beliefs or ideals guiding an individual, family, or institution.” The Scout motto is ‘Be Prepared’. As a good motto should, it influences nearly every aspect of being a Boy Scout. It becomes a way of thinking and behaving: former scouts think ahead, plan for the worst and consider alternatives. In fact, ‘Zero Trust’ is in many ways similar to ‘Be Prepared’, both as a statement and in that it too influences the thinking and behavior of IT security.
So Zero Trust is both a way of thinking as well as a way of behaving as a security organization. A key benefit is preparation. Zero Trust suggests that one should ‘be prepared’ for breaches: assume there will be a breach, and you can plan for it, work to avoid it, and recover from it if it does happen. It comes down to a mindset. If you are expecting that a breach will never happen to you, you’re in a great position to be surprised. You are also in a position where you’re not providing the optimal security posture to protect your business. The most secure organizations live every day assuming they have been or will be breached. They also assume that their current security controls are not good enough and are in need of continuous improvement. Preparation is the foundation for a Zero Trust model for security. And, as the name suggests, it creates a shift from a “trust but verify” methodology to a “verify before you trust” model.
So, to define Zero Trust: it is a data-centric security model centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and must assume they will be breached.
This sometimes requires behavioral or even technical change within the organization: verify and validate every user, app, and device, as well as the target data being accessed, on every request, before granting access, and enforce least-privilege access to minimize exposure. The benefit here is threat minimization, especially of threats from lateral access once someone is inside the firewall. Validating everything at every step will increase security, help to better prepare the organization for breaches when they occur, and aid in reducing the impact of those breaches.
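To make the shift from “trust but verify” to “verify before you trust” concrete, here is an added Python example that is not part of the original post. It contrasts a perimeter model, where being inside the firewall implies access, with a per-request check of user, device, app and target data against explicit, least-privilege grants; the users, apps, data classes and grants are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request, as seen by the policy decision point."""
    user: str
    device_compliant: bool   # device passed posture/validation checks
    app: str                 # application making the request
    data_class: str          # classification of the target data
    src_internal: bool       # request originates inside the network perimeter


# Constructed sample grants: (user, app) -> data classes that pair may read.
# Anything not listed is denied; this is the least-privilege baseline.
GRANTS = {
    ("alice", "payroll"): {"restricted"},
    ("bob", "reporting"): {"public", "internal"},
}


def perimeter_model(req: Request) -> bool:
    """'Trust but verify': once a request is inside the firewall it is trusted,
    which is exactly what enables lateral access after a breach."""
    return req.src_internal


def zero_trust_model(req: Request) -> bool:
    """'Verify before you trust': network location grants nothing; the user,
    device, app and target data are all checked on every request."""
    if not req.device_compliant:          # unvalidated device: deny
        return False
    allowed = GRANTS.get((req.user, req.app))
    if allowed is None:                   # no explicit grant: deny by default
        return False
    return req.data_class in allowed      # least privilege on the data itself


# Constructed scenarios: an intruder already inside the perimeter on an
# unmanaged device, a legitimate user working remotely, and a legitimate
# user reaching beyond their grant.
INTRUDER = Request("mallory", False, "payroll", "restricted", src_internal=True)
REMOTE_ALICE = Request("alice", True, "payroll", "restricted", src_internal=False)
BOB_OVERREACH = Request("bob", True, "reporting", "restricted", src_internal=True)

if __name__ == "__main__":
    for name, req in [("intruder", INTRUDER), ("alice", REMOTE_ALICE), ("bob", BOB_OVERREACH)]:
        print(f"{name}: perimeter={perimeter_model(req)} zero_trust={zero_trust_model(req)}")
```

The intruder scenario is the one the post warns about: the perimeter model grants access purely because the request is internal, while the per-request model denies it regardless of network location.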
In our next installment, we will examine adopting Zero Trust on the Mainframe platform, one that has a few challenges of its own, not the least of which is decades of accumulated privileges and IDs, changes to which could impact the business if not handled carefully.
Zero Trust: Verify every user, enforce least privilege and assume breach. Never trust, always verify.