Insight

Everyone can embrace “zero trust”

The perimeter-less cyber security model is a promising design for the evolving threat environment

Deepak Mathur

Deepak Mathur

Managing Director, Cyber Security Services, KPMG US

+1 408-367-7676

Digital assets and users can’t be trusted based solely on their physical or network locations anymore. That’s the zero trust approach to cyber security design, an architecture or set of principles around which a growing number of organizations are restructuring cyber defenses. In fact, the zero trust security market is expected to register a CAGR of 18 percent by 2026.1

Zero trust meets the moment

Globally, all companies are responding to trends accelerated by COVID-19 shutdowns, including the mass migration to remote work, a massive surge in ransomware attacks, bring-your-own-device practices, and the proliferation of cloud-delivered applications.

These trends allow bad actors to exploit holes in security, driven in great part by the fast pace of digital transformation. Over the last five years, a distributed ecosystem of data and workloads arose while the more traditional security perimeter began to dissolve. As individual assets became harder to protect, the frequency and scope of cyber attacks multiplied, including several high-profile hacks impacting customers and damaging company reputations. By 2025, global cybercrime damages are expected to reach $10.5 trillion USD annually.2

With a zero trust approach, companies build a defense that is “perimeter-less,” with protection and trust measures for every aspect of that ecosystem, including assets, workloads and other resources.

The federal government put its own stamp of approval on the zero trust concept. A May 2021 executive order on improving U.S. cyber security stated the need for government to “advance toward Zero Trust Architecture” to modernize its approach, another great motivator for both public and private companies to do the same.3

Planning a transition

Organizations don’t have to flip a switch on zero trust, they can introduce its principles gradually and use it in a hybrid manner, as many are likely to do until their application and services portfolios become modernized. As organizations begin the process, they should:

1. Consider establishing a zero trust center of excellence (COE).

So many functions can be impacted by a breach and play a role in securing the organization, the stakeholder group for planning and implementing a zero trust model should expand well beyond the security team. Identity, networking, application development, end point technology, enterprise architecture and cloud COE leaders are a few of the important members of a zero trust COE.

The COE should develop a specific zero trust definition for the company and key principles, baseline the current state posture, and define a roadmap of adoption and priority. This should include a maturity curve on zero trust to clearly communicate north star goals on a quarter-by-quarter basis.

Expect the COE to be very active the first two or three years of the transformation journey. Once the company begins to roll out a zero trust-focused design, the COE can oversee the measurement of progress against goals and continue to set the direction for adoption.

2. Don’t start with the solutions.

Determine what needs improvement and which zero trust components make sense by asking a few key questions:

  • How do you validate security?
  • Who can access information and why?
  • How do you enforce access?
  • How do you enable trust internally today?
  • How is the workforce changing?
  • How is your application portfolio changing?

3. Think through the big-ticket topics.

  • Opportunities for segmentation and microsegmentation of your ecosystem
  • Adoption of the principle of least privilege
  • Monitoring and visibility of traffic across segments, i.e. east west (app/workload to app/workload within data center or cloud) and north south (user to app/workload)
  • Consolidation and standardization of end-point services and devices

4. Tailor the scope and speed of implementation to your organization’s maturity level.

For example, large organizations and those in digitally advanced or highly regulated industries may be a step ahead, with measures such as multi-factor identification and network segmentation already in place. Their next move could be improving visibility and threat intel by investing in a “single pane of glass” solution to better monitor their ecosystem.

Other organizations, including those within the same company, may not be able to fully embrace zero trust due to their structure, services offered, use of air gap, etc. However, they can still build an on-ramp to zero trust and improve their security posture by applying the components that work for them.

Zero trust is for everyone

Zero trust can help companies solve their emerging cyber security challenges, but it also can serve two other important roles: alleviating many of the security problems organizations faced historically, as well as limiting the blast radius of a breach should one occur.

It is ok if every segment of your company cannot adopt zero trust completely as of now, you just need to find the on-ramp to get started. Given the flexibility of the model and its implementation, organizations can develop the right solution to meet their current needs, with plenty of opportunity to adapt in the future.

Footnotes

  1. Research and Markets, “Zero Trust Security Market - Growth, Trends, COVID-19 Impact, and Forecasts (2021 - 2026)” (July 2021)
  2. Cybersecurity Ventures, “Cybercrime To Cost The World $10.5 Trillion Annually By 2025” (November 13, 2020)
  3. Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity” (May 12, 2021)