
Q&A: Deloitte Zero Trust Leader Wayne Mattadeen on how SMBs can Deploy a Zero Trust Architecture

Stephen Lawton

Jul 30, 2024

Zero Trust technology is often seen as an architecture suitable for both small and large enterprises, leveraging advanced hardware and software to control network access and management. But SMBs can benefit as well by partnering with specialists whose expertise and technology augment the organization’s own.

Wayne Mattadeen, Zero Trust, Cloud and Network Security Leader at Deloitte, recently spoke with TechChannels about how Zero Trust works, where it is effective, and how it differs from what some organizations already have in place.

Q. Zero Trust was originally coined as a marketing term but has evolved into a framework that sets basic ground rules for improving cybersecurity. How would you compare a zero-trust approach to security to the traditional security frameworks, such as the NIST Cybersecurity Framework, ISO 27001, Center for Internet Security Controls or the HITRUST Framework?

A. Zero Trust differs from traditional security frameworks by continuously verifying all users and devices, ensuring least privilege access, and actively monitoring all activities. While traditional frameworks focus on predefined steps and periodic reviews, Zero Trust is more dynamic and adaptive to modern cyber threats, making it more effective in today’s complex and evolving threat landscape. 

Q. What are some of the potential risks associated with a Zero Trust implementation?

A. Potential risks of a Zero Trust implementation include complexity in integration, high initial costs, lack of internal skills to implement and operate new architecture, and resistance from end users if the changes to technology and organizational processes are not managed effectively.

Q. One of the original goals of a Zero Trust implementation that John Kindervag identified a decade ago when he coined the term was that it kept unknown users out of the network and only let authorized users access what they needed. How well does it deal with threats that already are in the network, such as insider threats, shadow IT, misconfigurations and the complex management monitoring and policies for those inside the firewalls? 

A. Zero Trust handles internal threats by continuously verifying all users and devices, ensuring least privilege access, and actively monitoring all activities, making it effective against insider threats, shadow IT, and misconfigurations. The analytics and automation pillars of the Zero Trust framework provide continuous monitoring and automated intelligence-driven response to detect threats in real time. While Zero Trust is robust, it might miss some nuanced components without proper implementation, like addressing human errors in policy management.

Q. Zero Trust is often directed at enterprises due to the costs and technological wherewithal needed to implement it. How can SMBs implement a Zero Trust environment without breaking the bank?

A. Managed Security Service Providers (MSSPs) and cloud-based zero trust providers are excellent options for SMBs implementing a Zero Trust framework. MSSPs offer specialized expertise, continuous monitoring, and scalable solutions, making it easier for SMBs to adopt Zero Trust principles without significant upfront costs. Cloud-based services, especially those that can be consumed via subscription, provide a cost-effective way to access advanced security technologies and regular updates, ensuring robust protection and simplified management. By leveraging either or both options, SMBs can enhance their security posture efficiently and affordably.

Q. One popular component to the Zero Trust environment is the Zero Trust Network Architecture (ZTNA), which promises to reduce network vulnerabilities, especially moving laterally through a network once you gain access. However, it’s not a direct replacement for the aging and vulnerable virtual private network.  Where is ZTNA the best option and where is the VPN a better choice?

A. ZTNA is best for remote access, securing cloud applications and security-focused environments requiring granular control, due to its continuous verification and dynamic security.  VPNs remain useful for accessing legacy systems and environments where full network access is required. 

Q. As with any cybersecurity framework, there are nuggets of insights that are often missed, both good and bad. What are some of the nuances of zero trust, again, both good and bad, that CISOs often forget or simply don’t know about and why are they essential for CISOs to know?


A. Zero Trust supports remote work, enables seamless adoption of cloud, enhances collaboration between teams (network, security, application, operations), simplifies operations and reduces redundancy.  However, it requires significant cultural shifts, demands new skills and extensive training, and involves complex process overhauls.  These nuances are essential for CISOs to know as they start their Zero Trust journey.
