How to Trust No One in Just Four Steps

Going from planning to implementing zero trust

Jon Lin
How to Trust No One in Just Four Steps

About a year ago, I penned a piece in Forbes on zero-trust security. At a high level, zero trust (or “ZT” for the cool kids) shifts defenses from traditional, network-based perimeters to focus on users, assets and behaviors. Zero trust, as the name implies, assumes there is no implicit trust granted to users or devices.

I’m sharing this because I think it’s very timely, as enterprises are still in various stages of adoption. In a recent report, Gartner predicted that over 60% of organizations will embrace zero trust as a starting point for security by 2025; however—and to me this is the really interesting part—more than half will fail to realize the benefits.[1]

The Gartner report further states:

“Focusing on technology and marketing messaging—instead of the cultural and security program of zero trust—risks missing the true tasks, objectives and steps required to effectively implement a program.”

Organizations that want to achieve the benefits need a cultural shift and clear communication that ties zero trust to their business outcomes. Hopefully some of the “planning to implementation” steps below will help you. Happy reading!

  • Jon

It’s been just over a year since Biden announced the Executive Order on Improving the Nation’s Cybersecurity—directing the federal government to transition to a “zero-trust” architecture—and the National Institute of Standards and Technology (NIST) recently closed its call for public feedback on the zero-trust architecture implementation.

Zero trust has now become a gold standard for many organizations, and one of necessity. So what is zero trust and why does it matter?

As with anything technology related, security tends to lag behind. When the internet first entered our meme-free lives, it was done so with the intention of connecting people on a massive global scale. Cybersecurity threats, data breaches, phishing, DDoS attacks and hacks had not even entered our vocabulary.

Yes, those early carefree days of digital life were filled with positive intent and blind trust in the architecture of our trendy and bulky devices. Security wasn’t top of mind, and we often assumed it was already there. For example, when we first set up that shiny metallic Blackberry 850, it came with a default password (often 123456) that we could then reset—if we got around to it.

Later, we may have opted out of multifactor authentication for online checking because it took more time than just entering our passwords (and before social media, we assumed no one could guess our pets’ names or the year we were born). This often meant we deprioritized extra precautions, expecting security protections must already be built in.

Zero trust course-corrects these assumptions. It requires verifying every user, device, application and transaction, assuming none should be trusted. In short, zero trust chooses security over convenience and inertia.

According to a recent survey by the Cloud Security Alliance (CSA), “77% of respondents are increasing their spend on zero trust over the next 12 months,” “80% of C-level executives have zero trust as a priority for their organizations” and “94% are in the process of implementing zero trust.”

While there’s been a lot of learning, investment and planning, nearly one year later, many government agencies are still finding it challenging to execute a zero-trust strategy.

For companies operating in a digital environment and federal agencies, here are four things to consider when making the transition from planning to implementing zero trust:

1. Recognize that zero trust is an approach, not a solution or a service.

Zero trust at its core is about shifting perceptions and strategy. Instead of “trust but verify,” we should be “verifying first.” Ensuring access controls and endpoint security are in place will help lay the foundation for zero-trust implementation.

2. Adopt a private peer-to-peer platform.

Private interconnection enables direct and secure connections between parties. Private interconnection removes the need to access the public internet to interact with interagency partners and digital service providers, creating a more secure and segmented environment for data transfer.

3. Continue to commit.

Zero trust requires continued commitment. Zero-trust approaches often involve a vast network of clearly defined permissions, but organizations are constantly evolving and growing. This means zero-trust efforts need continued administration, guaranteeing verification of every new user, device, application and transaction on a regular basis.

4. Avoid vendor lock-in.

A vendor-neutral environment is the right access point for cloud adoption. Not only does this allow for more flexibility and customization including the option of hybrid multicloud, but it can also often save money. According to 451 Research’s Cloud Price Index, companies can save an average of 50% by picking from multiple cloud providers.[2]

Research from MarketsandMarkets projects that the global zero-trust security market will grow from $19.6 billion (since 2020) to $60.7 billion by 2027. This is a major industry overhaul. A zero-trust framework includes a collection of technologies and behavioral surveillance.

Holistically implementing zero trust can be a challenge, but it is an essential step for protecting against cyberthreats. By recognizing that zero trust is a strategy, opting for private interconnecting of networks, maintaining commitment and avoiding vendor-lock-in, businesses and government agencies alike can keep their data safe and maintain trust with those who matter most.

 

[1] Gartner®, “Predicts 2023: Zero Trust Moves Past Marketing Hype Into Reality,” John Watts, Jeremy D’Hoinne, Dale Koeppen, Charlie Winckless, 6 December 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

[2] 451 Research Cloud Pulse Index, Q3 2023

Subscribe to the Equinix Blog