If you read the security news or talk to security vendors, the buzz word of the year is ZERO TRUST. Many vendors tell you that they have the zero trust answer. The reality is a lot more complex.
Zero trust is not a product or even a family of products. It is not a platform. It is really a strategy built are one concept: “never trust, always verify:.
Vendors and their products are certainly a component of zero trust, but not a silver bullet.
Still, zero trust is a good idea and you should begin to understand it of you do not already.
One challenge with the traditional security strategy of “moat and drawbridge” is that the strategy worked reasonably well when you knew where the castle was. But today, there is no castle as people are everywhere and so are servers and services. Zero trust is designed to be flexible.
Zero trust is a journey. It requires education and research and even I can’t explain it in a blog post. Here are some things to consider in the zero trust journey.
- Assessing your existing security program’s Zero Trust maturity (people, skills, technology, capabilities, etc.). This includes understanding how people are doing their jobs and how existing business processes are done today, mapping existing technology capabilities, and understanding gaps.
- Mapping the output of this maturity assessment to the ZTX framework to understand what pillars you are strong in and which ones are lacking, specifically the capabilities in which you need to improve.
- Considering tools and technology to address the areas where you’re lacking and integrating Zero Trust implementation into existing business, IT, and security projects.
Here is a tutorial on zero trust.