6 September 2022

Will Nunan

Zero trust: where technology meets best practice


 

Over the years, zero trust has been broadly misrepresented. Zero trust is much more than a marketing buzzword for the security sector; it’s a complete framework. Ronan Murphy, co-founder of Getvisibility, lays out the steps enterprises need to take to develop a zero trust strategy.

 

The first thing we need to understand about zero trust is that it is a strategy. Over the years the term has been used incorrectly, mainly by security vendors presenting their products as zero trust solutions. Zero trust is a multi-tiered strategy to remove trust from digital systems. No single solution can achieve this.

Trust is a human emotion injected into digital systems. Allowing trust in is dangerous. It’s a serious vulnerability. Once a hacker compromises trust, they don’t need to do anything else; they’re in. For example, a user on the system has been validated and is trusted. They are trusted to access data that is integral to an enterprise’s business activity. But what happens if that user becomes dissatisfied with their employer or becomes complacent about security protocols? The bottom line is you cannot trust that people will act as you expect them to. The goal with zero trust is to eliminate that emotion in networks and systems. The best way to do that is with a holistic approach that includes solutions, policies, and best practice.

Zero trust is a complete methodology 

Too often, organisations focus on the technology aspect of zero trust, but technology alone is not the solution. Today we are seeing a growing understanding of zero trust. In late August, the US Department of Defence (DoD) outlined its intention to implement a zero trust strategy organisation-wide by 2027.

The DoD’s strategy maps out 90 separate activities it needs to put into place. While some of these are technology related, most are not, according to Randy Resnick, director of DoD’s zero trust portfolio management office. 

The DoD’s strategy is based around seven pillars – users, devices, networks and environments, applications and workloads, data, visibility and analytics, and automation and orchestration. Resnick called the department’s plan “a radical change”. Certainly, if you look at zero trust as a whole, it can seem overwhelming and complex, but it needn’t be. It’s like that old saying: “How do you eat an elephant?” “One bite at a time.”  

How does an organisation implement a zero trust strategy?

A step-by-step approach is most effective when looking at zero trust. Think about breaking a big problem into multiple small problems. In this way, organisations can be more logical and structured.

Data classification: Any zero trust strategy needs to start with data. If you don’t know what you’re protecting, you can’t protect it. By classifying their data, organisations have a better understanding of it, and can use it and protect it more effectively. Classified data is tagged or labelled, making it easier to search for and find. The objective is to identify the data that is critical to your business outcomes or drivers – this will be your most sensitive data.

Find out where that data is: Once the data has been classified, you will need to identify where the data sits. Most organisations will have huge volumes of data, structured and unstructured. Sensitive data could live anywhere, but because you’ve tagged it, it will now be easier to find and protect.

Determine who can access that data: You now understand your data and know where it sits. Next you need to determine who can access which data. This step can be challenging. You need your employees to be productive and in some cases this will mean having access to sensitive data. The workaround here is setting policies and rules to limit what they can do with the data, for example, downloading it, sharing it etc.  

Continue to monitor: This is a vital step. With ongoing monitoring you can see what looks normal. In this environment, any breach of normal behaviour, whether that’s an unvalidated user trying to access sensitive data, or an unknown device downloading key material, is immediately flagged and investigated.  

Within all these steps you can deploy technology solutions, but you will need to shore up any technology with policies and best practice. Training will also form an important part of any zero trust strategy; you will need to bring employees up to speed on new data security and access policies. To be most effective, this will need to be regular training. Things change quickly in the world of cyber security; regular training will make sure your team is kept up to date.

For any zero trust strategy to be successful, the focus needs to be firmly on removing trust. It has no place in the digital world. Your goal is to minimise the ability of hackers to steal your sensitive data. To do that, you need to replace emotion with best practice, advanced technology and common-sense policies.

 

Ronan Murphy is co-founder of Getvisibility. Connect with Ronan on LinkedIn at https://www.linkedin.com/in/ronanmurphy1/ for more insights.
