January 22, 2024
Evolving the Zero-Trust Security Model for Business
An effective approach can help organizations get the most out of their zero-trust security initiatives.
Buck Bell | John Candillo | Gary McIntyre | Jeremiah Salzberg | Jeremy Weiss
The cybersecurity landscape evolves constantly, and as the concept of zero-trust security has emerged in recent years, it has evolved as well. This evolution can be seen clearly in the updates that agencies such as the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology have made to their guidance around zero trust.
As zero trust continues to evolve, it is best viewed as a strategic approach to security that delivers clear business value. It’s not a product that an organization can purchase to be a magic bullet against security challenges. Rather, it is a framework that can lead organizations to significant benefits such as an enhanced user experience, improved business agility and reduced risk.
Achieving zero trust requires a transformation in culture. Tools such as effective identity and access management solutions are necessary, but they must be deployed strategically and integrated with other elements, such as data governance. Among the most critical use cases for zero trust are implementing principles within an organization’s backup and recovery systems, enhancing the secure experience of remote workers and securing complex cloud infrastructures. When done effectively, zero trust can help leaders make more strategic investments in security and more naturally achieve regulatory compliance.
What are your next steps with zero trust? CDW’s Rapid Zero Trust Maturity Assessment can help you see the path.
The Zero-Trust Security Landscape
Cyberattacks are growing in volume and sophistication, leaving IT leaders scrambling to identify and adopt effective security solutions that will keep their data and systems safe. At the same time, the network perimeter has effectively disappeared, meaning it is no longer effective for organizations simply to protect their environments from outside attacks. Instead, security professionals must operate under the assumption that environments have already been compromised, then prevent cybercriminals from attacking their networks from the inside.
Enter zero trust.
In just a few years, zero trust has gone from a relatively little-known industry concept to a foundational element of modern cybersecurity strategy. This shift is a response to a rapidly evolving digital landscape that now incorporates cloud computing, continuous development and deployment practices, mobile connectivity and widespread remote work.
In government, the 2021 executive order mandating zero trust pushed federal agencies to catch up with modern strategies and embrace new technologies. However, the model is becoming increasingly popular in other industries, especially those that are subject to strict data safety regulations. For example, according to Okta’s The State of Zero Trust Security 2023 report, 84 percent of software firms increased their budgets for implementing zero-trust measures over the previous year. That number was 81 percent for healthcare organizations and 80 percent for financial services companies.
61%
The percentage of organizations that had a defined zero-trust security initiative in place in 2023, up from just 24 percent in 2021
Source: Okta, The State of Zero Trust Security 2023, October 2023
Although many organizations are early in their zero-trust journeys, those that have begun to implement their strategies are already seeing significant benefits. For instance, zero trust is creating a better user experience for remote workers. By adopting solutions such as a secure access service edge or enhancing and streamlining their application sign-on process, organizations can provide identical experiences to their in-office and remote employees.
A well-defined zero-trust strategy can also help organizations save money, even as they improve their overall cybersecurity posture. By focusing security professionals’ efforts on a strategic model, zero-trust architecture can eliminate waste and redundancy while also reducing and isolating risk.
The State of Zero-Trust Security: By the Numbers
65%
The percentage of cybersecurity professionals who say they are prioritizing multifactor authentication, more than any other zero-trust control
Source: Cybersecurity Insiders, 2023 Zero Trust Security Report, March 2023
65%
The percentage of IT leaders who cite broader data security and better detection of advanced threats and attacks as a reason for implementing zero-trust architecture
Source: Zscaler, The State of Zero Trust Transformation 2023, December 2022
38%
The percentage of organizations that rank people as the top priority for their security projects, followed by network (19 percent) and data (17 percent)
Source: Okta, The State of Zero Trust Security 2023, October 2023
- ZERO-TRUST CHALLENGES
- ZERO-TRUST DEPLOYMENT
- BENEFITS OF ZERO TRUST
- KEY ZERO-TRUST USE CASES
Many leaders recognize the value of zero-trust architecture but are unsure how to implement, prioritize and budget for it. Expert partners such as CDW can help clarify ways to create a detailed strategy around established principles, where to begin building a strong foundation and how to incorporate existing security solutions.
DEMONSTRATE FULL IT VALUE: Leaders seeking support for zero-trust initiatives need to communicate their value. Some find this challenging because zero trust is an overarching philosophy rather than a clearly defined endeavor with a limited scope. In addition to stronger security, this approach simplifies network architecture and increases IT visibility, which leads to greater efficiency.
USE BIG-PICTURE BUDGETING: Creating accurate near-term and long-term budgets for zero-trust initiatives can be difficult when organizations are just getting started. Establishing an effective foundation may require additional investments but can also reduce technical debt as older technologies are retired. Generally, organizations can use existing tools and increase their efficacy within the zero-trust framework.
BUILD MATURITY OVER TIME: Organizations will need to align their zero-trust strategy with established guidance, setting a baseline for maturity and increasing capabilities over time. At the optimal level, organizations have the foundational components with advanced capabilities in place — people, processes and technologies — and know how to apply zero-trust principles consistently to new and changing environments.
FOCUS ON PRIORITY DOMAINS: Organizations may want to start with a specific domain, such as identity and access management — a prerequisite for zero-trust architecture. Without a solid method for establishing identity, organizations can’t move to the next step, which is configuring who should have access to what. These capabilities are defining features of a zero-trust environment.
FOLLOW THE RIGHT SEQUENCE: It can be difficult to achieve visibility across all data lifecycles, data sprawl and unstructured data, but organizations need a clear picture of the flow: where data lives, who accesses it and which systems talk to each other. Visibility and governance are essential to understanding risk in order to define and enforce the appropriate policies and standards.
Getting zero trust right requires understanding the relationship between strategic and tactical implementation. A strategic approach is essential. For example, organizations must mature their identity and access management and data governance capabilities individually before integrating them into a zero-trust approach. As organizations plan for and move through these processes, expert assessments can be extremely useful to evaluate security issues and facilitate conversations about connecting zero trust to business objectives.
The Cybersecurity and Infrastructure Security Agency (CISA) identifies five pillars on which to build a zero-trust strategy:
1. IDENTITY, including multifactor authentication, identity lifecycle management, visibility into user behavior analytics, identity and credential administration, and risk assessment
2. DEVICE, including configuration management, real-time threat analysis, asset tracking and patching
3. NETWORK/ENVIRONMENT, including macro- and microsegmentation, protocol encryption, machine learning–based threat protection, and Infrastructure as Code automation
4. APPLICATION WORKLOAD, such as continuous access authorization, application security testing, and dynamic application health and security monitoring
5. DATA, including classification, least-privilege access controls, end-to-end encryption, access logging, and immutable data backup and restore
As organizations establish secure access and integrate security tools, a maturity assessment can add clarity, structure and guidance to a zero-trust strategy.
SECURE ACCESS METHODOLOGY: Zero trust is based on the ability to establish and maintain authorized access to systems or applications, which means that an identity-focused process with multifactor authentication is just the first step.
Conditional access also reflects the dynamic approach that is key to zero trust. For example, if a user’s device hasn’t been updated to the latest operating system, the user could be denied access to certain applications. Likewise, access may be terminated if active threats are triggered from the user’s device or suspicious behavior alerts are tagged with the user’s identity in near real time.
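The conditional access checks described above, sketched as an added example (not CDW's or any vendor's code): a policy decision function that weighs multifactor authentication, device OS currency and live threat signals on every request, and re-checks sessions that were already granted. The application names, the "latest" OS release and the signal fields are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"            # refuse this request only
    TERMINATE = "terminate"  # revoke the whole session


# Assumed policy values, constructed for illustration.
LATEST_OS = "14.2"                              # hypothetical current OS release
OS_GATED_APPS = {"payroll", "source-control"}   # apps that require a current OS


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    device_id: str
    device_os: str
    mfa_verified: bool


@dataclass
class Signals:
    """Near-real-time alerts from endpoint and behavior analytics tools."""
    threat_device_ids: set = field(default_factory=set)
    flagged_users: set = field(default_factory=set)


def parse_version(text):
    """Turn '14.10.1' into (14, 10, 1) so versions compare numerically.

    Comparing the raw strings would rank '9.3' above '14.2'.
    """
    return tuple(int(part) for part in text.split("."))


def evaluate(req, signals):
    """Return (Decision, reason) for one request; unverifiable input fails closed."""
    # Live threat signals outrank everything else and end the session.
    if req.device_id in signals.threat_device_ids:
        return Decision.TERMINATE, "active threat reported from device"
    if req.user in signals.flagged_users:
        return Decision.TERMINATE, "suspicious-behavior alert tagged to identity"
    # MFA is the first step, not the only one.
    if not req.mfa_verified:
        return Decision.DENY, "multifactor authentication not completed"
    # An out-of-date OS blocks only the applications that require a current one.
    if req.app in OS_GATED_APPS:
        try:
            current = parse_version(req.device_os) >= parse_version(LATEST_OS)
        except ValueError:
            return Decision.DENY, "device OS version could not be verified"
        if not current:
            return Decision.DENY, "device OS is behind the required release"
    return Decision.ALLOW, "all conditions met"


def sessions_to_terminate(active_sessions, signals):
    """Re-check already-granted sessions against fresh signals."""
    return [sid for sid, req in active_sessions.items()
            if evaluate(req, signals)[0] is Decision.TERMINATE]


if __name__ == "__main__":
    # Constructed sample data.
    signals = Signals()
    alice = AccessRequest("alice", "payroll", "dev-1", "14.10", True)
    bob = AccessRequest("bob", "payroll", "dev-2", "9.3", True)
    sessions = {"s1": alice, "s2": bob}
    for sid, req in sessions.items():
        print(sid, *evaluate(req, signals))
    # An endpoint alert arrives after access was granted.
    signals.threat_device_ids.add("dev-1")
    print("terminate:", sessions_to_terminate(sessions, signals))
```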
Microsegmentation tools are central, supporting the creation of a least-privilege network by establishing a perimeter around every device. Microsegmentation yields visibility into system-to-system connections so organizations can begin to build segmentation rules and policies.
INTEGRATION STRATEGY: Moving to zero trust involves reassessing the existing environment to determine how key technologies and toolsets can be integrated and optimized. Organizations that have moved much of their infrastructure to the cloud generally find it much easier to implement zero trust, assuming that their staff have the necessary skills to do so. For example, teams should understand how applications are developed and published in the cloud so they can verify appropriate security before moving workloads into production.
On the other hand, organizations with traditional data center environments or operational technology environments will find it more challenging. As organizations progress in their zero-trust programs, there may be areas where it is not currently possible to achieve optimal maturity as defined by CISA.
RAPID ASSESSMENT SERVICES: CDW’s Rapid Zero Trust Maturity Assessment is a four-week engagement that measures an organization’s IT environment against CISA’s Zero Trust Maturity Model and five foundational pillars. We collaborate to develop a roadmap that helps drive the organization’s zero-trust strategy and prioritize cybersecurity projects. This includes actionable recommendations to effectively close gaps around people, processes and technology. The assessment also considers future goals and practices to ensure the recommendations have long-term viability and value.
Part of the roadmap is helping organizations determine which tools they can leverage, where gaps exist and how to begin tackling use cases with the capabilities on hand. To extend governance and visibility across the organization, zero trust requires a blend of the tactical — for example, understanding how sensitive applications work so they can be properly secured — and the strategic.
PRIORITIES AND ROADMAP: A maturity assessment can be a valuable way to build consensus among key stakeholders about priorities to target while instilling a cultural view that zero trust should be included in all future IT planning as an iterative philosophy.
Every organization must build a foundation, get the right tools in place and begin implementation where zero trust makes the most sense to ensure it has the most impact. However, each organization’s blueprint will be unique, which is why a customized roadmap can shorten the learning curve while saving time and money in the long run.
In addition to boosting overall security posture, zero-trust architecture can help organizations advance their IT and business objectives. With zero-trust investments, business and IT leaders can more effectively guide strategic cybersecurity spending, meet compliance requirements and boost business agility.
GUIDE STRATEGIC INVESTMENTS: Implementing a zero-trust security strategy requires organizations to streamline their investments, giving IT and business leaders a lens through which to view potential new solutions. This is especially important for organizations with significant technical debt. In such scenarios, leaders can sometimes become overwhelmed at the scope of the challenge in front of them and may not know where to start.
However, a zero-trust strategy creates an opportunity to leapfrog technical debt and make strategic investments that work together toward a common goal. In fact, cybersecurity leaders who build a zero-trust architecture may even find opportunities to repurpose their existing cybersecurity investments more effectively. By letting zero-trust principles guide their investments, organizations can avoid the pitfall of buying disparate, siloed solutions that may not achieve their objectives.
MEET COMPLIANCE REQUIREMENTS: Cybersecurity and compliance are distinct but related topics. Even a nascent zero-trust framework is likely to align with many of the mandates issued by regulatory bodies and industry groups, helping organizations simplify their path to compliance. According to one 2023 survey, 42 percent of cybersecurity leaders cite compliance with regulatory and industry mandates such as HIPAA, the European Union’s General Data Protection Regulation and the Payment Card Industry Data Security Standard as a key driver of their organization’s zero-trust strategy. In the survey, regulatory compliance ranked above other important drivers such as the desire to reduce insider threats and improve operational efficiency. Additionally, organizations that adopt a zero-trust security strategy may receive more favorable terms from cyber insurance providers, given their reduced risk profile.
ENHANCE BUSINESS AGILITY: A zero-trust strategy should be seen not only as a security framework but also as a business enabler. Zero-trust architecture can help organizations streamline the security measures they deploy to protect their data and allow them to focus on the business outcomes their IT systems deliver. In short, zero trust enables the sort of secure digital transformation that has become essential for organizations to stay relevant and competitive in their fields. With zero-trust solutions, enterprises can embrace emerging technologies such as artificial intelligence without exposing their environments to new risks, and they can support remote work and other initiatives that boost productivity and user satisfaction.
Key Zero-Trust Use Cases
Organizations are adopting zero-trust architecture in response to their changing IT environments. In particular, the security model is making a significant impact in these four areas.
Backup and Recovery
With ransomware continuing to pose one of the most daunting threats to organizations across industries, many cybersecurity leaders find that their data backups are a good place to begin their zero-trust efforts. Immutable storage, for instance, can help protect backups from external infiltration and insider threats.
Remote Work
Zero-trust architecture provides a secure experience whether a user is working in the office or from home. By verifying all access requests, zero-trust solutions ensure that remote work does not become an area of vulnerability for attackers to exploit.
Cloud Infrastructure
Sensitive data is increasingly stored across complex hybrid cloud and multicloud environments. A zero-trust model ensures that information is both securely stored and readily accessible to authorized users no matter where the data resides.
Internet of Things
For organizations leveraging smart sensors and other devices connected to the Internet of Things, zero-trust solutions can create a dynamic inventory of IoT devices and automate security health monitoring, leading to a lower risk of device compromise.