
Vote for Zero Trust early and often
For cybersecurity purists, zero trust IT describes an architecture under which no user, application, or machine connected to a network can be trusted until proven otherwise. As defined by the National Institute of Standards and Technology (NIST), zero trust IT describes an “evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” As such, no implicit trust is granted to assets or users based solely on their physical or network location or asset ownership.
Most cybersecurity professionals realize that’s not necessarily a new idea. Forrester Research analyst John Kindervag is credited with popularizing the term in 2010, but the concept itself can be traced back as far as 2004. Today, however, zero trust IT has evolved into something that is more akin to a campaign slogan. Just about every organization today is moving toward embracing some type of zero-trust architecture. The U.S. Department of Defense (DoD) just published a 37-page report outlining its vision for achieving zero-trust IT goals in the year ahead. Anyone looking to define a similar cybersecurity strategy for their organization could simply copy and paste much of this report.
Of course, that’s where a certain level of zero-trust IT cynicism starts to creep in. There isn’t a provider of a cybersecurity platform or service today that doesn’t describe their offering in some way as enabling cybersecurity professionals to advance zero-trust IT goals. Given the overall current state of cybersecurity, it’s easy to see why all those promises might be met with doubt and misgivings.
However, that natural tendency toward skepticism may be missing the larger point. One of the biggest issues that have long challenged cybersecurity professionals is a lack of support from senior management. Cybersecurity has historically been viewed as a cost to be minimized, usually by spending just enough to comply with whatever mandates are absolutely required. Zero trust IT, on the other hand, provides a catch-all phrase that business leaders can more easily wrap their minds around. Rather than simply achieving compliance, the goal now is to truly lock down an IT environment. As such, the willingness to allocate budget dollars to cybersecurity even during an economic downturn is arguably higher now than ever. The rise of ransomware, of course, plays no small part in that change of attitude.
Business executives, as usual, are not especially interested in how zero-trust IT goals will be achieved. It’s, as always, all about the outcome for them. IT professionals, meanwhile, will sagely nod their heads at the mention of zero trust, even though many of them are not precisely sure what’s involved. What matters most from a cybersecurity perspective is that all the stakeholders involved are buying into the concept. It’s always fashionable to show some disdain toward the latest buzzword or catchphrase, but in this case, the zero-trust IT campaign isn’t really aimed at cybersecurity professionals. From their perspective, zero-trust IT is little more than an extension of a well-understood defense-in-depth approach to cybersecurity. The difference now is that more than just cybersecurity professionals are participating in the conversation.
All slogans, of course, eventually ring hollow. However, cybersecurity professionals would be well advised to launch their own zero-trust IT campaign while the phrase is still in vogue, if for no other reason than that it makes it simpler to invest in the next generation of cybersecurity technologies that will be sorely needed to continue the good fight on behalf of those who don’t always understand, much less appreciate, what exactly is required.
