CybersecurityPrivacySecurity

Zero Trust Architecture: Removing the Buzz

Muazzam MalikDivyesh MalkanAndrew Henry
March 29, 2023
6 min read

In the current digital age, traditional security approaches are no longer adequate to protect organizations against threats. With an increasingly hybrid workforce, use of cloud-based services and global interconnectivity, organizations should consider a different approach to cybersecurity known as zero trust architecture (ZTA). Zero trust is a term used interchangeably by security professionals in reference to a multitude of technologies, approaches, vendors, etc. We will review what zero trust architecture is, establish a common definition, remove the “buzz” out of the term and weigh its benefits as well as how to embark on a journey to implement ZTA principles.

This post is inspired by the growing interest in zero trust we see in our clients. They are asking questions like:

  • What value does zero trust bring compared to traditional network segmentation and access control?
  • What are the administrative and cost implications of adopting ZTA?
  • What changes in the skillset portfolio will ZTA require?
  • Will zero trust make it easier to validate compliance with regulations or introduce challenges?
  • How can zero trust be leveraged for operational technologies (OT) environments and more, etc?

We will ponder these and other questions in our ZTA series but first, let’s establish a common understanding of zero trust.

Background

ZTA was first proposed by John Kindervag, a former analyst at Forrester Research, in 2010, and has since been adopted by the industry as the holy grail of cyber defense. Google’s implementation of its BeyondCorp has showcased the strength of architecture in the corporate world. However, ZTA’s true roots can be traced even further back to the U.S. Department of Defense (DOD) implementation of its Black Core concept in the mid-2000s. Black Core is a dedicated routing system, where all traffic is encrypted and authenticated, and network devices are configured to enforce strict access controls and traffic filtering policies. Only authorized users with the appropriate clearance and credentials are allowed access and the network is continuously subjected to monitoring and auditing to detect any unauthorized activity or potential security breaches.

While zero trust is recognized in the industry as the ultimate cybersecurity architecture, there is tremendous confusion as to what it truly means for each organization and how to implement zero trust; and to pile on, tool-centric marketing has turned this confusion into “buzzword” marketing, which is often misinterpreted in the market.

Establishing a common definition

At its core, zero trust is a security architecture that assumes no user or device should be trusted by default and that all access to systems and data should be evaluated on a per-transaction basis. This differs from previous security architectures where organizations implicitly trusted employees or corporate-owned devices simply because they were behind the corporate firewall. The primary goal of zero trust is to prevent unauthorized access, limit lateral movement and minimize an organization’s attack surface and exposure. Zero trust requires both contextual awareness and data to evaluate the risk of granting access to a resource or system. This context can include factors such as the user’s identity, location, device and behavior.

Why it’s gaining traction

While the idea of “deperimeterization” or micro-perimeters was introduced over a decade ago, there has been resistance to adoption due to a multitude of factors; including, but not limited to, cost of hardware, legacy applications, misunderstanding and resistance to change by the business and perceived impact to users. This was turned upside down by the COVID-19 pandemic that led to the rise of remote work, cloud computing and mobile devices. Also fueling this shift is businesses’ exponential demand for data, applications and collaboration in a hybrid work model, which is forcing organizations to rethink their IT landscape.

This dramatic change in the cyber risk landscape has led cybersecurity teams to build a patchwork combination of tools acquired for a specific capability or to address a particular risk. Over the years, inventory of these best-in-class tools has grown, increasing security cost, overhead to already undermanned security teams and adding to existing operational requirements, all while detracting from the user experience.

The above scenario has created an opportunity for security practitioners who are now revisiting the decades-old “castle and moat” approach to security. Additional reasons to consider zero trust include but are not limited to:

  • Better management of risk from users
  • Increased cyber resiliency and visibility
  • Enhanced user experience
  • More effective cybersecurity cost structure
  • Better visibility and buy-in from management on organizations’ cybersecurity roadmaps

Common misconceptions about zero trust architecture

How to start the ZTA journey

Zero trust can take many forms and implementation may look very different to each organization. It is important for organizations to adequately prepare and start their approach to zero trust by establishing an understanding of these questions:

  • Why is the organization considering a shift to zero trust architecture and what are the risks and threats that ZTA will help mitigate that the current state does not? What are the benefits to adopting zero trust?
  • What are we trying to protect, and do we have a good understanding (inventory) of our assets and systems, user populations, data, applications and related crown jewels?
  • Who within the organization should be responsible for implementing zero trust and ensuring its ongoing effectiveness? How will the various parts of the organization, from IT to HR to the business leaders, be involved.
  • How will the organization go about implementing zero trust, what steps and technologies are needed, and what are the potential challenges to be addressed?

How Protiviti can help

Protiviti can help companies start their zero trust journey by assessing the company’s current security posture, identifying the attack and protect surface, identifying vulnerabilities and designing a zero trust reference architecture that meets the company’s unique needs. Protiviti can also provide guidance on implementing zero trust policies and procedures, as well as helping with the integration of zero trust technologies into the company’s existing IT infrastructure. With Protiviti’s expertise, companies can implement a zero trust framework that provides greater security and peace of mind.

Readers may also enjoy: The Shift to Zero Trust and Five Best Practices for Implementing Zero Trust.

To learn more about our security and privacy solutions, contact us.

Muazzam Malik

Managing Director
Security and Privacy

View all posts

Divyesh Malkan

Associate Director
Security and Privacy

View all posts

Andrew Henry

Senior Consultant
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More