With the acceleration of remote working and employee use of personal devices for business purposes, enterprises need to develop a Zero Trust strategy to defend against threats. ISACA’s new paper, Zero Trust: How to Beat Adversaries at Their Own Game, describes the Zero Trust principle and outlines benefits for securing enterprises of all sizes against cybersecurity threats.
Zero Trust: How to Beat Adversaries at Their Own Game delves into the mechanisms hackers typically employ to gain insider access to networks and describes how they move within them to carry out ransomware and other cyberattacks, and explains how a Zero Trust approach defends against those threats.
There are capabilities common to all enterprises, regardless of size, to enable Zero Trust, including:
- Good identity and access management: bad passwords and compromised usernames are among the most commonly exploited weaknesses that allow a breach to take place. The application of solid identity and access management control across all access requests drastically reduces an attacker’s ability to find and exploit weaknesses.
- A software-defined perimeter instead of virtual private networking (VPN): Virtual private networking essentially provides a direct pipe for an adversary to exploit in order to maneuver into the infrastructure core. The VPN, which by its very nature invalidates a Zero Trust strategy, should ultimately be eliminated in any enterprise that seeks to improve its defensive posture.
- Use of the cloud: Cloud infrastructure allows the segmentation and isolation required to enable Zero Trust controls and minimize lateral movement of an adversary within a system.
- Use of device posture health checking: With bring-your-own-device (BYOD) commonplace and post-pandemic employee desires for workplace flexibility, it is necessary to employ a device health-checking capability to determine whether a user's personal device, which in truth functions as a corporate device, is unpatched or compromised before allowing it to access a corporate network.
Adopting a Zero Trust strategy benefits both the business and the users. One of the most significant business benefits of Zero Trust is the reduction in overall cost and expenditures that accompanies an accurate and well-focused defensive posture whereby enterprises identify and eliminate duplicative or insufficient partial solutions. Another benefit a Zero Trust infrastructure offers to users is that they are less encumbered by security as part of their daily job. In a Zero Trust ecosystem, users are empowered with the tools and technologies necessary to enable secure transactions with limited role-based access.
Zero Trust: How to Beat Adversaries at Their Own Game is available here.