The irony of zero trust

Zero trust is one of cybersecurity’s least understood, yet most trendy buzz phrases. Looking back at the past few years, one easily can understand why. Today, trust is in short supply. Given exponential increases in ransomware and cryptojacking attacks to increasing geopolitical tensions, these are tenuous times – especially when it comes to running a business. So, it’s no surprise that the concept of “zero trust” and its presumed implications speaks to a broad range of enterprises.

The irony is, to enable a zero trust framework, you have to have a highly-validated repository of identities, assets, applications, and networks upon which you can rely.

So what exactly is zero trust?

While the drivers of conversations about cybersecurity may have changed – from a pandemic-era boom in workforce distribution to a move towards hybrid cloud infrastructures – the term “zero trust” is not. First coined in 1994, the concept was later developed into a holistic security philosophy by former Forrester analyst John Kindervag. The term previously made rounds throughout the industry as “deny by default" or "never trust, always verify" policies.

Simply put, zero trust is a security strategy. More broadly, it’s an enterprise-wide security mindset, which considers all end-points and accounts as untrusted. Whereas other security systems – such the once-preferred perimeter philosophy – may only require location-based or two-factor authentication, with zero trust, users and applications are granted access only when and where they need it.

By denying access by default, a zero trust approach enforces a dynamic and continuous system of verification for users and their devices. In our current climate, where data breaches are no longer a question of if but of when, zero trust enables enterprises to better protect data and minimize the potential impact of an attack, while also facilitating a more localized, rapid response.

Perimeter hotel vs. zero trust hotel

Imagine that your enterprise’s network is a hotel in which room access is regulated via card key. Before, when visitors checked into this hotel – let’s call it the perimeter hotel – they’d go through a brief identity verification process before receiving their card key. With that card key in hand, they then had more or less free-reign, with access to every single room in the hotel, except for those that were specifically locked.

When visitors check into the zero trust hotel, however, the situation is reversed. Even after the hotel’s much more thorough check-in process, the visitor’s card key no longer acts as an all-access pass. This time, every single door is locked to them, except for the ones that have been specifically unlocked. They may request access to some of those unlocked doors, but it will only be given at the point at which it becomes absolutely necessary.

In fact, the zero trust hotel, the card key holds less power than even that. Here, visitors gain access by verifying who they are through many different factors – all significantly more precise that that little rectangle of plastic, so easily lost or stolen. This, in turn, saves the visitor the time of digging around in their luggage to find that pesky card key while also assuring them that the room they are entering is exactly the one that they need to be in.

Now, the hotel owner can rest easy, knowing their property is secure as possible and still operating as designed.

Herein lies the irony of zero trust

In order for a zero trust architecture to work, an enterprise must be able to rely on the aforementioned, highly-validated repository of identities, assets, applications, and networks. In other words, in the security frameworks – for verification, monitoring, and data storage – that comprise this comprehensive approach.

At Kyndryl, we like to think of zero trust as five integrated security pillars: identity, device, network, application, and data. In most enterprises, cybersecurity systems are siloed – with one department handling identity verifications, another end-point security, yet another firewall, and so on. With zero trust, security becomes a 360-degree, integrated system where communication and collaboration across these pillars or departments is key and identities, passwords, and network assets are centralized in trusted repositories.

Simple in theory—until it’s time to putting these practices in place

Part of the difficulty is that zero trust requires a fundamental shift in the security mindset on an organizational level. The first step here is to stop conceptualizing this approach as a one-stop-shop policy or product. Instead, it should be understood as a dynamic and evolving security process, with no fixed end point.

This is one of the system’s greatest challenges. It is also, however, one of zero trust’s greatest advantages. By adopting this risk-based and adaptive policy, enterprises are empowered to build a set of security practices uniquely suited to their changing needs and goals. That’s why at Kyndryl, we take an individualized, phased approach to align zero trust with each enterprise’s individual risk profiles as well as with their other major IT transformation initiatives, focusing on what matters most to the security and future of the business.

In this fast-moving world, and these unsettling times, it can be difficult if not impossible to decide what and who to trust – and when. When it comes to cybersecurity, zero trust is the best answer we have for how to navigate those decisions.

Click below to hear my Kyndryl colleagues and me discuss the how the changing threat landscape may impact your cybersecurity strategy.