Moving to Zero Trust Architecture as a standard
By Jim Hietala, Vice President of Business Development and Security at The Open Group
There’s a huge buzz around Zero Trust in the business world. Unlike traditional information security, Zero Trust is a security framework that trusts NO ONE. It requires all users – whether in or outside a company’s network – to be authenticated, authorized, and continuously verified before being allowed inside.
Zero Trust promises reduced risk, improved productivity, enhanced business agility and a healthier bottom line. In fact, a recent study shows Zero Trust approaches resulted in 50% fewer breaches for businesses – along with IT savings of up to 40%.
And organizations all over the globe are embracing it. Indeed, according to a 2022 Okta report, 97% of organizations have already implemented, or plan to implement, Zero Trust security this year – up from just 16% in 2019.
It now seems every security vendor in every security market niche is savvy to the trend, and promising organizations that their products will deliver this in-demand, next-gen security architecture. However, much like exaggerated claims of ‘sustainability’, ‘Zero Trust’ should also be taken with a grain of salt. Organizations would do well to parse through the hype.
Trends Driving the Move to ZTA
The following factors are key in driving the trend for Zero Trust Architecture (ZTA):
- Cyber attackers have become increasingly adept at penetrating networks and then moving laterally once inside
- The traditional perimeter security model is becoming ineffective in the evolving enterprise
- More and more businesses, clients and customers are using the cloud and personal devices to access internal networks, which blurs the boundaries between insiders and outsiders. Nowadays, the user is the perimeter.
How Does Zero Trust Architecture Work?
Zero Trust Architecture (ZTA) assumes there’s no network edge – and that networks can be local, cloud-based or a combination of both. It therefore requires a robust set of controls. ZTA delivers granular perimeters and micro-segmentation that limit an attacker’s ability to move around internal networks – and in doing so, reduces the ‘blast radius’ of an attack and the myriad potential threat vectors.
When a day doesn’t seem to go by without another news story of a high-profile cyberattack, ZTA is looking increasingly like a company’s first line of defence. (Just last month, Cisco reported they’d had their corporate network breached via an employee’s VPN – which, thanks to their security team, was contained in time.)
ZTA also enhances an organization’s security by leveraging additional data to drive security decision making around risks, threats, security posture and identity attributes.
What Changes with ZTA that Affects Information Security Management?
Traditional Infosec Management approaches are network-focused and include ISO 27001/27002, the CIS Top 20 Critical Security Controls, and O-ISM3 from The Open Group.
Meanwhile, ZTA is asset and data-centric, and has a greater focus on Authentication, with more security controls aimed at authentication, devices, apps, APIs, micro-segmentation – and the data itself (applying encryption, for example).
With ZTA in place, there is also less need for bolt-on security systems, traditionally used to secure networks, while categories of security solutions – such as Network Access Control and IDS/IPS – must be either re-engineered to fit the new model or dropped altogether. There are also fewer point solution boxes to manage.
How will ZTA Impact on Information Security Managers’ Day-to-Day Roles?
With ZTA in place, Infosec Management starts to look a little different. The Infosec Manager will need to manage more authentication factors, such as one-time passwords, IP addresses and biometrics. And with more possibilities for authentication, the Infosec Manager will also be required to focus more deeply on security policy decisions – determining who is using which device, for what, from where, and when.
Managers will also have different controls to manage – micro-segmentation, complex authentication, and data security – and if currently using ISO 27001/27002 they will need to re-evaluate their selection of controls and opt for those weighted towards delivering on ZTA attributes. While life would be nice and simple if all applications were web-based and SSO-capable, Infosec Managers will also have the job of dealing with legacy applications.
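As an added illustration (not code from the article or from The Open Group), the sketch below encodes the who / which device / for what / from where / when questions as explicit per-request checks against a constructed, default-deny policy for two micro-segments. The resource names, roles and thresholds are assumptions; note that being on the corporate network is recorded but never used to grant access.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample policy: each resource is a micro-segment that lists who may
# reach it and the minimum assurance a request must carry. Anything else is denied.
POLICY = {
    "hr-db": {"roles": {"hr"}, "mfa": True, "compliant_device": True,
              "hours": (time(7, 0), time(19, 0))},
    "wiki":  {"roles": {"hr", "eng", "sales"}, "mfa": False,
              "compliant_device": False, "hours": None},
}

@dataclass
class Request:
    user: str
    roles: set
    authenticated: bool
    mfa: bool
    device_compliant: bool
    on_corp_network: bool   # carried for logging only; deliberately not a trust signal
    at: time
    resource: str

def decide(req: Request, policy=POLICY) -> tuple[bool, str]:
    """Evaluate one access request; every request is checked, nothing is implicitly trusted."""
    rule = policy.get(req.resource)
    if rule is None:
        return False, "unknown resource: default deny"
    if not req.authenticated:
        return False, "not authenticated"
    if rule["mfa"] and not req.mfa:
        return False, "MFA required for this segment"
    if rule["compliant_device"] and not req.device_compliant:
        return False, "device not compliant"
    if not (req.roles & rule["roles"]):
        return False, "role not permitted for this segment"
    hours = rule["hours"]
    if hours and not (hours[0] <= req.at <= hours[1]):
        return False, "outside permitted hours"
    return True, "allowed"

if __name__ == "__main__":
    # Same user, same network position: only the device posture differs.
    ok = Request("alice", {"hr"}, True, True, True, True, time(9, 0), "hr-db")
    bad_device = Request("alice", {"hr"}, True, True, False, True, time(9, 0), "hr-db")
    print(decide(ok))          # (True, 'allowed')
    print(decide(bad_device))  # (False, 'device not compliant')
```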
Zero Trust is on Track to Become a Global Standard
Zero Trust security has been informally described as a ‘Standard’ for years. However, its status as a ‘Standard’ is currently in the process of being formalized.
While many vendors create their own definitions of Zero Trust, there are a number of standards from recognized organizations that will help business leaders align their organizations to ZTA – such as NIST® 800-207 and IETF®.
At The Open Group, we are in the process of creating our own standard ZTA framework. We’ve created 9 Commandments that provide a non-negotiable list of criteria for Zero Trust in any organization. This clear set of directives will allow our communities to build the most robust Zero Trust frameworks and solutions.
Given the state of maturity across the Infosec industry, organizations moving to ZTA – to leverage its many potential benefits – will also need to make their way through a lot of vendor hype before settling on a solution. And with ZTA bringing changes to traditional Information Security Management, Infosec Managers will need to implement and manage a vast array of new controls.
However, with more and more companies migrating to cloud-first systems – and cyber attackers becoming increasingly adept at penetrating networks – it is clear it is time for a new security model. And for many global businesses, ZTA has been a highly effective solution.
About the Author
Jim Hietala is Vice President, Business Development and Security for The Open Group, where he manages the business team, as well as Security and Risk Management programs and standards activities. He has participated in the development of several industry standards including O-ISM3, O-ESA, O-RT (Risk Taxonomy Standard), O-RA (Risk Analysis Standard), and O-ACEML. He also led the development of compliance and audit guidance for the Cloud Security Alliance v2 publication. An IT security industry veteran, he has held leadership roles at several IT security vendors and is a frequent speaker at industry conferences. He has participated in the SANS Analyst/Expert program, having written several research white papers and in several webcasts for SANS. Jim can be reached online at LinkedIn and at The Open Group website.