“Trust no one” may be a harsh motto to live by, but when it comes to data privacy and security, those words just make good sense. Such cynical wariness is the strategy behind “zero trust”: an IT security model built around the idea that a company should not trust its data with anyone, not even those within the organization.
Yes, it’s as strict as it sounds. Under zero trust, a concept introduced by Forrester Research in 2010, no IP address or machine can be granted access to data until its operator’s identity is thoroughly verified. Zero trust is a step above the standard castle-and-moat approach, where security teams defend against outside threats while assuming everything on the “inside” (account holders) does not pose a threat. This method has proven to be faulty because it allows hackers to move through internal systems so long as they can get across the moat (an organization’s firewall). And hackers have shown that getting across the moat is all too easy.
Forrester Research identifies five steps to a zero trust model:
- Identify Sensitive Data and Assets (What is Collected?)
- Map the Flows of Your Sensitive Data (Where is it Stored, Who Has Access?)
- Create Microperimeters (Minimize Access)
- Continuously Monitor Your Data Ecosystem
- Embrace Security Automation (Multi-Factor Authentication)
Under a zero trust philosophy, companies are required to enforce security measures on a micro-level, verifying the identity of every single individual or machine seeking access. This calls on technologies like automatic multi-factor authentication to grant access to an organization’s services and systems.
In addition to requiring additional layers of authentication, zero trust involves giving users the minimum amount of access they need to carry out their job. Much like the concept of privacy by design, zero trust is about enforcing a mindset from the bottom-up; just because someone is in your organization, doesn’t mean you need to grant them unnecessary access. To earn access, you must prove that you are trustworthy. As we’ve seen from several high-profile breaches, stopping damage is all about controlling access.
Implementing zero trust goes deeper than buying some new technology. Often, it requires overhauling long-held security infrastructure and moving to more modernized and easily-segmented storage approaches, such as the cloud.
Though it may take some work and money to adapt an organization to the concept of zero trust, the effort will likely pay off in the long run. As lawsuits citing new regulations, like the California Consumer Privacy Act (CCPA), pile up, and with cybercrime projected to cost the world $6 trillion in 2021, zero trust will likely become a standard operating policy.