Zero Trust comes up in nearly every conversation among IT security professionals today—and yet, the concept is still somewhat enigmatic. While it’s clear that Zero Trust will be central to many organizations’ digital transformation strategy in the coming months, there’s still a lot of mixed messaging about what, exactly, it entails and why it’s so critical.
“Zero Trust is a very hyped buzzword—it’s kind of [positioned] as a magic pill,” said Mark Lynd, head of digital business for technology solutions and services provider Netsync, in a recent Q&A session at Dell Technologies World 2023. “But when I talk to customers, I get a lot of questions about how to start.”
Lynd isn’t alone in fielding such queries. According to Dell’s Innovation Index, a survey of more than 6,600 business and IT decision-makers, a full 77% of respondents have yet to explore a Zero Trust architecture. Perhaps relatedly, only 38% say they are securing edge hardware, applications and data “extremely well.” Day after day, media headlines seem to detail yet another cyber security breach, and hackers don’t discriminate. Every industry and facet of business is susceptible.
Part of the reason for the rise of Zero Trust is that we’ve seen a significant paradigm shift in IT architectures in recent years, said Herb Kelsey, industry chief technology officer, government and Project Fort Zero lead at Dell Technologies, in conversation with Lynd. “Securing the perimeter” is much more complicated in a world in which multicloud, hybrid environments, IoT and artificial intelligence/machine learning (AI/ML) at the edge reign supreme.
“We’ve learned that no matter how hard we strengthen our perimeter defenses, attackers are going to get in,” he said, elaborating that the first assumption of Zero Trust is that people have already breached your system. “That [assumption] also takes care of insiders who have gone rogue.”
What is Zero Trust—and what isn’t it?
A Zero Trust security model flips the traditional “trust, then verify” adage on its head. Instead, it advocates “never trust, always verify,” challenging organizations not to implicitly trust any user, device or network, whether internal or external.
The framework is specifically designed for decentralized environments, offering next-generation protection for the multicloud era. “Zero Trust, with its incremental approach to validating devices and users, is much better suited to the modern environment that people are computing in,” said Kelsey, noting that “microsegmentation” is a key component of the security strategy. “If I go into an environment and I’m locked in a closet, I can’t do too much damage except to what’s in that closet.”
In previous articles on the topic, Kelsey has enumerated the seven pillars of the United States. Department of Defense’s Zero Trust strategy: Users, Devices, Applications & Workloads, Data, Network & Environment, Automation & Orchestration, and Visibility & Analytics. These form the backbone of a resilient IT environment—but many organizations often think about them in siloes, which significantly impedes Zero Trust’s effectiveness.
“You have to integrate products across each pillar,” said Kelsey. “Many organizations start in the User pillar. As an attacker, I’m going to say ‘Thank you,’ for that, because if you haven’t protected your data or segmented your networks, you’ve just given me free rein.”
Kelsey’s emphasis on a more holistic, comprehensive approach to Zero Trust echoes recommendations by trusted institutions, including the United States Department of Defense (DoD). In the Q&A, Kelsey noted that such guidance has long been an integral part of IT ecosystems around the globe. “The U.S. government today puts out encryption standards, and we all use them,” he said, citing AES 5256, a cryptographic algorithm validation program, as an example. “When the government defines it, everybody uses it. I think Zero Trust is going to enter into that space.”
One thing that Zero Trust is not, noted Lynd—despite how it’s been billed—is a panacea. It’s also not a technology that’s easily integrated overnight. In fact, a robust Zero Trust architecture is the outcome of a meticulous, measured process. “Fundamentally understanding where you’re going to start is important,” he emphasized.
Taking practical steps toward Zero Trust
In their Dell Technologies World discussion, Kelsey and Lynd alluded to a four-step process for organizations interested in exploring Zero Trust, including:
- Assessing the current state of and mapping existing controls.
- Defining policies and establishing strong Identity and Access Management (IAM).
- Deploying microsegmentation.
- Continuously monitoring, logging and adjusting programming as needed.
When it comes to the first step, Kelsey pointed out that “assessing” isn’t all about evaluating technological capabilities. “The most effective assessments [involve] making sure you’ve got all of the requirements satisfied, from an organizational standpoint, to be able to implement the solutions.” For instance: Do you have inventories of both users and devices? Do you understand how you want to start to segment the network? “These are all things that you want to do in preparation,” Kelsey said. He also stressed the importance of prioritizing adequate testing and documentation frameworks—via an independent third party- that examines each of the 152 activities required by the DoD to reach an “advanced” level of trust.
One of the ways in which organizations can begin to adopt Zero Trust so as not to disrupt operations—or create barriers to other innovation, a concern for 95% of IT decision-makers according to the Dell Innovation Index—is to migrate workloads to the new system. “Make sure that your users are comfortable, that you understand the device scope that needs to be identified as part of the Zero Trust environment, and then move your workloads in one at a time,” suggested Kelsey. “That way, you’re getting protection for your most critical assets and data, but you’re also not disrupting your current operations.”
He also noted that collaborating across vendors and partners in a verified ecosystem, like Dell’s Zero Trust Center of Excellence, is a key element of success. “When you’re looking to reach a validated environment, we’re way beyond what any single vendor can do,” said Kelsey, adding that each of the more than 30 partners working with Dell in the Center of Excellence contributes something unique and necessary.
Lynd reiterated the idea that third-party validation “becomes really critical” for organizations trying to go about Zero Trust effectively. “When we talk to customers, the idea of having [a validated solution] gives them a lot of comfort within the c-suite,” said Kelsey.
Ultimately, Zero Trust is a journey, concluded Kelsey—but it’s one with a destination. “That’s a validated environment,” he said. “We need to make sure that we’re keeping up with any technology changes incrementally so we can provide that [guidance] to our customers as they occur.”
The session in its entirety can be viewed below.
Click here to learn more about the benefits of Zero Trust.