A CTO's Primer on Zero Trust: Part 1 - Understanding the Fundamentals
In the continually changing world of cybersecurity, zero trust is an essential strategy for protecting digital assets from increasingly advanced threats. The basic premise of zero trust is both simple and profound: "Never trust, always verify." It upends perimeter-based security by assuming threats can come from anywhere, inside the network or out, so no request is trusted merely because of where it originates. Treating every user, device and connection as untrusted until it is verified is what makes zero trust an attractive choice for today's cybersecurity challenges, which are greater than ever.
Zero trust is based on the fundamental concept of safeguarding "protect surfaces": well-defined, small areas that contain critical data, applications, assets or services. The attack surface is everything a potentially nefarious actor can interact with to compromise your security, and it grows every time you add a device, an application or a connection. A protect surface, by contrast, is small enough to be inventoried, understood and controlled in a manageable and straightforward way. It's like using clear signs to navigate a labyrinth rather than trying to find your way across an aimless, boundless desert.
Step one: The protect surface
Consider the protect surface as the vault in which an organization stores its crown jewels. It all begins with identifying the data, applications, assets and services that belong in that vault, and then the controls that, working together, form a protective bubble around it and secure the vault from breach. Each of these elements must be visible, inventoried and behaving as intended before an organization can consider itself safe from internal and external threats.
This act of protecting the vault and the crown jewels begins, quite logically, with an understanding of what must be shielded. And this level of inspection must be iterative. You can't do it all at once. Even if you had the resources to do it, you shouldn't. Start small. Get a win. Reflect and then iterate. Rinse and repeat, as the shampoo bottle likes to tell us.
The backbone of a zero trust architecture integrates modern technologies and methods. Whether it's micro-segmentation to curtail lateral movement between protect surfaces or identity and access management controls that enforce least privilege access, technology is the orchestra conductor that ensures every component functions to its fullest.
Step two: The policies
The next critical step is to develop effective policies. Policies dictate the conditions under which users and systems can interact with the protected resources. In a world of zero trust, the default stance is "deny all." Access is granted only when explicit, narrowly scoped criteria are met: who is asking, what they are asking for, from where, when, and how. Deny-all is necessary but not sufficient. Zero trust doesn't mean that having a legitimate reason to reach a resource gets you standing access to it; each allow rule must be scoped to the least privilege a role actually needs, and every request is verified against that rule rather than granted once and remembered.
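The deny-all stance and the micro-segmentation and least-privilege controls described above, written out as a small policy-evaluation engine for a single protect surface. This is an added example and is not code from the original article or from WWT; the protect surface name "payments-db", the roles, the network segments and the rule names are all constructed for illustration. It shows the two points the text makes: a request is judged on where it comes from as well as who sends it, so a valid DBA credential used from guest Wi-Fi is still denied, and the analyst rule grants read only, so an analyst's write attempt falls through to the default deny.

```python
"""Default-deny policy evaluation for one protect surface (added example).

Hypothetical policy for a protect surface named "payments-db"; roles, segments
and rule names are constructed for illustration, not taken from any deployment.
"""
from dataclasses import dataclass
from typing import FrozenSet, Sequence, Tuple


@dataclass(frozen=True)
class Request:
    """One access attempt, described with the who/what/where/how facts the policy needs."""
    subject: str            # who: identity of the requester
    role: str               # who: role asserted by the identity provider
    mfa_verified: bool      # who: strong authentication completed for this session
    device_compliant: bool  # how: endpoint passed posture checks (patched, EDR running, ...)
    source_segment: str     # where: network segment the request arrives from
    resource: str           # what: element of the protect surface being requested
    action: str             # how: read / write / admin


@dataclass(frozen=True)
class AllowRule:
    """An explicit grant. Anything not matched by some AllowRule is denied."""
    name: str
    roles: FrozenSet[str]
    resources: FrozenSet[str]
    actions: FrozenSet[str]
    source_segments: FrozenSet[str]
    require_mfa: bool = True
    require_compliant_device: bool = True

    def permits(self, req: Request) -> bool:
        """Every condition must hold; a rule never widens another rule's grant."""
        return (
            req.role in self.roles
            and req.resource in self.resources
            and req.action in self.actions
            and req.source_segment in self.source_segments
            and (req.mfa_verified or not self.require_mfa)
            and (req.device_compliant or not self.require_compliant_device)
        )


def evaluate(rules: Sequence[AllowRule], req: Request) -> Tuple[str, str]:
    """Default deny: return ("allow", rule name) only if an explicit rule matches."""
    for rule in rules:
        if rule.permits(req):
            return "allow", rule.name
    return "deny", "no matching allow rule (default deny)"


# Constructed policy for the hypothetical "payments-db" protect surface.
# DBAs get full control, but only from the operations jump host;
# analysts get read-only access from the corporate wired network or VPN.
PAYMENTS_DB_POLICY = (
    AllowRule(
        name="dba-admin",
        roles=frozenset({"dba"}),
        resources=frozenset({"payments-db"}),
        actions=frozenset({"read", "write", "admin"}),
        source_segments=frozenset({"ops-jump-host"}),
    ),
    AllowRule(
        name="analyst-readonly",
        roles=frozenset({"analyst"}),
        resources=frozenset({"payments-db"}),
        actions=frozenset({"read"}),
        source_segments=frozenset({"corp-wired", "corp-vpn"}),
    ),
)


def decide(role: str, action: str, segment: str, mfa: bool = True,
           compliant: bool = True, subject: str = "alice") -> str:
    """Evaluate one constructed request against the payments-db policy; returns 'allow' or 'deny'."""
    req = Request(subject, role, mfa, compliant, segment, "payments-db", action)
    return evaluate(PAYMENTS_DB_POLICY, req)[0]


if __name__ == "__main__":
    cases = {
        "analyst reads from corp-wired": decide("analyst", "read", "corp-wired"),
        "analyst tries to write (least privilege)": decide("analyst", "write", "corp-wired"),
        "dba admin from ops-jump-host": decide("dba", "admin", "ops-jump-host"),
        "dba admin from guest-wifi (segmentation)": decide("dba", "admin", "guest-wifi"),
        "analyst without MFA": decide("analyst", "read", "corp-wired", mfa=False),
        "unknown role (default deny)": decide("contractor", "read", "corp-wired"),
    }
    for label, verdict in cases.items():
        print(f"{verdict:5}  {label}")
```

Note that the engine has no "deny" rule type at all: there is nothing to forget to block, because anything a rule does not explicitly allow is refused. Adding a new consumer of the protect surface therefore means writing a new, narrow allow rule rather than widening an existing one.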
Yet, putting zero trust into practice isn't always straightforward. It can be a struggle to adopt a brand new security design when you have ancient, big-box security appliances (and lots of other security-related hardware) besieged by a complex array of insecure software and services, on which you've built your security architecture of the last decade and a half. Attempting to program security into that infrastructure, when the whole thing is an unfathomably complicated web of mostly insecure, poorly controlled and often poorly understood parts, can and does turn "security by design" into an attempt to solve an unsolvable problem. It's far too complicated to solve all at once. What's the old adage about how you eat an elephant? (One bite at a time.)
The zero trust model aligns not just with the aims of the cybersecurity business but also with the overarching objectives of overall business resilience. And we think that's a good development. Rather than being seen as a business constraint, the zero trust model now seems to be a business enabler that allows continued growth.
This operational shift is now being recognized not just by enterprises but by governments, as well. Zero trust is a governance model that handles not just the what and how of security but, even more significantly, the who. For a long time, the directive and the model were treated as idealistic. But for those who are taking up the mantle now, led by former Forrester analyst John Kindervag, we see a much more down-to-earth and practicable definition and conversation emerging around zero trust. It's not merely about the pillars; it's about iteratively securing a prioritized list of protect surfaces, upheld by ever-maturing security policies. Like pursuing good health, it's not something you buy or do once (like me at the gym last Saturday); it's a mindset you adopt and commit to for the long haul.
Next, we'll look at the actual problems that emerge while trying to implement zero trust, the way WWT helps solve those problems, and the way those solutions help WWT's customers build not just more secure networks but more cyber resilient ones. "Cyber resilience" is, in any case, the term cybersecurity firms and network consultants have recently taken to using for this transformative process.
Join me for this series, "A CTO's Primer on Zero Trust."