Embracing New Business Frontiers with Zero Trust Security

By 
Deepak Mathur
November 23, 2022

The Zero Trust security model has been gaining traction in the light of the recent cybersecurity attacks, and for good reason. Zero Trust is a security concept grounded in the belief that it is best never to trust anyone, inside or outside an organization’s network without verification. 

As opposed to conventional security systems such as Virtual Private Networks (VPNs), the Zero Trust security system is a more robust option to counter modern network security challenges (ransomware attacks, hybrid cloud environments, and secure remote access) by premising itself on the ‘better safe than sorry’ adage. 

With enterprises moving over to a cloud-native and containerized world, it’s no longer a choice but an urgent requirement because the need of the hour is to:

  • Secure CI/CD pipelines
  • Slash costs and complexity
  • Gain more visibility and control
  • Support compliance requirements 

Also, the Zero Trust security model is built to align with NIST guidelines like continuous verification, stringent authentication and user id segmentation, and automate data collection from the complete IT stack. Here are the 3 basic principles and functions behind the zero trust architecture:

  • Identify: The core of Zero Trust security lies in the statement, ‘never trust, always verify’, a sharp departure from the ‘trust but verify’ of traditional security systems. The foundation of the model assumes a potential breach and thus trusts no users, devices, or credentials at face value. A good zero trust plan starts out with mapping out the current environment  and making a checklist of all the devices, data, networks, etc.
  • Assess: The Zero Trust model mandates a deep assessment of every user, device, and interactions to plan stringent verification and authentication procedures 
  • Secure: The third principle seeks to remove the implicit trust that is characteristic of traditional security systems by securing the network through granular access controls and monitoring 

So, how do you set up a Zero Trust framework in your organization?

Set up identity and access management  processes 

Identity and access management (IAM) functions like MFA, SSO, risk-based authentication and so on are one of the most critical aspects of the zero trust architecture. 

For instance, building a universal directory through a single sign-on (SSO) is critical to managing user role access across a wide range of roles (customers, contractors, employees, partners). 

Implement microsegmentation

With microsegmentation you will be partitioning networks and forming boundaries around resources to enforce network security. This means you configure perimeters and permissions at the workload and application level to create secure zones within network traffic. This reduces the attack surface considerably.

Craft detailed policies

Traditional security principles no longer work efficiently. That applies to the organization’s policies as well. A successful implementation comes down to well-defined policies aligned with business goals that can be used to configure and implement security tools across the company.

Continuously monitor

Detecting, preventing, and securing need to be done on a continuous basis to anticipate potential threats and be responsive in real time. 

The takeaway

Gartner’s Distinguished VP Analyst Neil MacDonald puts it well. “Zero trust is a way of thinking, not a specific technology or architecture. It’s really about zero implicit trust, as that’s what we want to get rid of.” 

And it looks like organizations are listening. A Gartner’s report shows that the total spending on Zero Trust security models will grow from US$820 million in 2022 to US$1.674 billion by 2025, at an exponential CAGR of 26%. 

Are you listening too? 

Deepak Mathur
Partner at KPMG LLP