Zero Trust Security: What you need to know

Jerry Leishman

November 16, 2021

Zero Trust is everywhere. It’s a topic of conversation at every board meeting, the agencies you work with frequently mention it, and you’re reading about it daily in Nextgov and Federal News Network.

The Zero Trust approach to cybersecurity isn’t a new concept; it was introduced in 2010 by John Kindervag, then an analyst at Forrester Research. Kindervag argued that security should be “built into [a company’s] DNA.” He introduced the concept of Zero Trust to lay the groundwork for helping companies of various shapes and sizes achieve precisely that.

This concept gained attention years later when it was included in NIST Special Publication (SP) 800-207. Most recently, it became an integral part of President Biden’s Executive Order on Improving the Nation’s Security and is now viewed as a critical strategy for securing our nation’s most sensitive data and keeping pace with our adversaries. Our President called upon government agencies and the organizations that support them to implement a Zero Trust model, with many federal agencies calling it the ‘new normal’ of security.

Here’s what you need to know about Zero Trust — what it is, why it’s essential, and the core principles behind it — as well as steps you can take today in an effort to begin implementing a Zero Trust approach to security in your own organization.

What is a Zero Trust approach?

A Zero Trust security model, simply put, is based on the idea that anything inside or outside an organization’s networks should never implicitly be trusted. It asserts that users, their devices, and your network components must continuously be monitored and verified before anyone or anything gains access to your organization’s environment.

This approach starkly contrasts with the traditional “trust but verify” method of many IT and security teams, where analysts and network administrators are taught to defend primarily against outside threats, such as clever attackers or nation-state actors attempting to disrupt our nation’s supply chain with a ransomware attack.

Why is Zero Trust important?

A Zero Trust approach to security is your best defense against internal and external threats, especially in our new cloud-first, work-from-anywhere world. 

Zero Trust embraces the idea that the continuous monitoring of your infrastructure, apps, and endpoints — combined with the implementation of preventative technologies that authenticate and verify your users wherever and whenever they log into your systems — is essential to creating a strong security program that stops adversaries in their tracks and ultimately protects our nation and freedom.

It also assumes that breaches are inevitable, and with good reason. For most companies, it’s no longer a matter of if they’ll be compromised but when they’ll be hacked. A breach doesn’t have to be high profile to impact an organization or our nation’s security negatively: Even an outdated software application in need of patching can pose a risk. 

What are the three main concepts of Zero Trust?

There are three basic principles of Zero Trust:

  • Never trust a source and always verify. No user or device should be trusted until their identity is verified. Before anything or anyone gains access to your network, their identity should be authenticated and validated, and they should be given the least amount of permissions necessary to perform whatever task they need to execute.
  • Act as if there’s already been a breach. When your security team operates with this mindset, you get in the habit of consistently looking around corners in your organization and monitoring continuously for potential threats. Revisiting your organization’s incident response (IR) plan — and even executing an IR tabletop exercise to pressure test it — is a great way to get your team thinking in this manner.
  • Verify everything continuously. The “set it and forget it” approach of granting access to a user or device once and only once is no longer sufficient. Instead, Zero Trust mandates continuous verification, with access being granted or denied based on the context of when and where that access is being requested. 
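The three principles, sketched as a per-request policy check. This is an added illustration, not code from the original article or from CORTAC Group; the roles, permissions, allowed location and business-hours window are assumed sample policy, and the session data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Least-privilege map: each role gets only the actions it needs (constructed sample policy).
ROLE_PERMISSIONS = {"analyst": {"read:tickets"},
                    "admin": {"read:tickets", "write:tickets", "manage:users"}}
ALLOWED_COUNTRIES = {"US"}     # assumed location policy
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC, assumed time-of-day policy

@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool      # identity authenticated with MFA in this session
    device_compliant: bool  # endpoint passed its posture check (managed, patched)
    source_country: str
    requested_at: datetime
    action: str

def evaluate(req):
    """Decide a single request. Default is deny; every check must pass."""
    if not req.mfa_verified:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device failed posture check"
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, f"role {req.role!r} lacks permission {req.action!r}"
    if req.source_country not in ALLOWED_COUNTRIES:
        return False, "unexpected location"
    if req.requested_at.hour not in BUSINESS_HOURS:
        return False, "outside expected hours"
    return True, "all checks passed"

def evaluate_session(requests):
    """Zero Trust: re-evaluate every request, since context can change mid-session."""
    return [evaluate(r) for r in requests]

def evaluate_session_legacy(requests):
    """'Set it and forget it': decide once at login and reuse that decision."""
    first = evaluate(requests[0]) if requests else (False, "no requests")
    return [first for _ in requests]

def sample_session():
    """Constructed session: analyst reads, over-reaches, then device falls out of compliance."""
    t = datetime(2021, 11, 16, 14, 0, tzinfo=timezone.utc)
    return [
        AccessRequest("alice", "analyst", True, True, "US", t, "read:tickets"),
        AccessRequest("alice", "analyst", True, True, "US", t, "write:tickets"),
        AccessRequest("alice", "analyst", True, False, "US", t, "read:tickets"),
    ]
```

Running `evaluate_session(sample_session())` denies the second and third requests, while the legacy once-at-login model waves all three through on the strength of the first.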

How to get started with Zero Trust security

There isn’t an easy button for implementing a Zero Trust approach to security throughout your organization.

But there are several things you can do to understand better how well you’re protected today and which components of your security posture could be improved.

  • Take inventory of your infrastructure, applications, and endpoints. Fully understanding the breadth and depth of your attack surface is essential to protecting and defending your environment. Catalog every place that data lives in your environment, and make particular notes of where sensitive information is stored.
  • Ensure you have preventative measures in place. Multi-factor authentication (MFA) and identity and access management (IAM) tools are good places to start. Beyond technology, begin to think about education programs you may need to implement throughout the organization to promote strong security practices among your employees.
  • Monitor continuously. Continuous monitoring of your infrastructure, apps, and endpoints is the only way to give your team the best possible chance of stopping an attacker in their tracks; it’s also essential for investigating and remediating an incident if an attacker does breach your networks. If you don’t have the resources within your organization to conduct adequate monitoring today, consider outsourcing the responsibility to an MSSP or MDR provider. At CORTAC Group, we’ve helped many organizations find the right MSSP or MDR provider for their needs, and we’d be happy to guide you through that same process.

Work with a trusted partner to implement a Zero Trust model

President Biden’s recent executive order is just one of many steps that demonstrates the government’s commitment to strengthening cybersecurity among federal agencies and the organizations that serve them.

At CORTAC Group, we regularly customize programs for our customers to help them mature their security operations. We not only have an internal drive for security compliance, but we have deep expertise and a shared vision in assisting federal agencies in achieving their security goals to protect our country better.

We’d love to share more about how we’ve helped other executives just like you implement Zero Trust security models within their organizations. Send us your questions and comments — we look forward to the conversation. Learn more about our cybersecurity and compliance programs.