Important Considerations as Zero Trust Gains Momentum

The adoption of zero-trust network architecture got a boost in May 2021 when President Joe Biden issued an executive order that requires federal agencies to adopt zero trust as a best practice for cybersecurity. The importance of this order extends far beyond the government, as federal adoption establishes zero trust as an effective approach to security.  

What kind of impact will this have? A recent report from the Cloud Security Alliance stated that 60 percent of organizations plan to implement zero trust over the next two years. 

A zero-trust approach to security removes the need for implicit trust in systems so that requests for access are validated regardless of the location of the requester or the data being requested. As organizations consider how they can implement this approach, they should keep several important ideas in mind.

Viewing zero trust purely as an architectural model isn’t very helpful, as such a perspective suggests that there’s a beginning and an end to this approach that can be achieved by deploying certain technologies. It’s more useful to think about zero trust as a journey through which organizations can achieve higher levels of maturity along the way in service of security, regulatory compliance and business objectives.

Organizations also should consider the usefulness of cybersecurity mesh as a concept. This strategy views each device as securing its own perimeter and aligns well with zero trust. As technologies such as cloud computing and mobile computing continue to decentralize data and applications, a cybersecurity mesh approach can help organizations deploy a zero-trust architecture. 

Another important concept for organizations looking to implement zero trust or improve their architectures is security orchestration, automation and response. SOAR tools automate a number of critical security functions and can simplify an organization’s efforts under zero trust.

Several important public organizations have issued guidance on zero trust in recent years. These efforts establish standards and practices that can help organizations better understand their progress on zero trust.

For example, the Cybersecurity and Infrastructure Security Agency (CISA) published its Zero Trust Maturity Model in September 2021. The model sets out five pillars (identity, device, network and environment, application workload, and data) upon which an organization can build out a zero-trust architecture.

Similarly, the National Institute of Standards and Technology (NIST) in August 2020 released its own publication on zero-trust architecture. NIST produced the document to help organizations gain a better understanding of zero trust and provide a roadmap they can use to implement its security concepts. The publication provides deployment models and use cases in which zero trust can improve an organization’s security posture.

Going forward, the National Cybersecurity Center of Excellence, which includes security experts from government, industry and academia, is working on new guidance on implementing a zero -trust architecture. The goal of the effort is to reduce the complexity of zero-trust deployments and provide detailed advice on how organizations across a variety of industries can deploy zero-trust principles.

As adoption of zero trust grows, the guidance provided in expert documents will become increasingly important. Organizations also will need to pay close attention to zero-trust principles to meet the demands of cyber insurance providers. Breaches are becoming increasingly costly, and insurance providers are demanding that organizations implement security controls such as multifactor authentication and extended detection and response solutions to improve the effectiveness of their cybersecurity efforts. 

Further, many organizations are shifting toward processes that improve agility and the speed of business. This trend will drive the increased adoption of zero trust because it enables businesses to operate in highly agile work environments. It will also require organizational leaders to tie their security and business efforts together.

CDW offers numerous services to help organizations implement zero trust. CDW experts can assess the maturity of organizations’ efforts against standards such as those from CISA and NIST. By measuring this progress against an organization’s business objectives, CDW can create a roadmap for improvement. These services also help prioritize cybersecurity efforts by assessing how business goals may be affected by security vulnerabilities, ultimately helping organizations improve their cybersecurity posture.

Story by Buck Bell, who leads CDW’s Global Security Strategy Office. He brings 20-plus years of experience in cybersecurity and risk management to the role. Prior to CDW’s acquisition of Focal Point Data Risk, Buck served as executive vice president of Focal Point’s Technology Integration division, leading efforts on identity and access management (IAM), data analytics, SIEM and elements of cloud security. Before joining Focal Point, Buck led IAM Consulting at Optiv Security, where he led a team of 110 across consulting, PMO and India Operations. These experiences have given him insight into all aspects of the risks and opportunities CISOs and security leaders encounter in delivering speed and value to business objectives.