• The Zero-Trust model has been widely recognized as an effective approach to prevent data breaches and mitigate the risk of supply chain attacks.
  • Now is the time to embrace Zero-Trust, as the pandemic accelerates adoption of Cloud and remote working technologies, and businesses grapple with more stringent regulation.
  • There is no silver bullet product and no unique way to implement Zero-Trust; it requires a layered security approach that covers the entire digital infrastructure.

The concept of Zero-Trust has been around for a while. While this model has been widely recognized as an effective approach to prevent data breaches and mitigate the risk of supply chain attacks, its adoption across the private and public sectors has been slow and inconsistent. This is about to change.

It was in 2003 that the Jericho Forum, a security consortium, defined some of the earliest work on what we now call Zero-Trust, whose basic principle is that we shouldn’t trust anyone or anything just because it’s inside the organization’s perimeter.

Forrester later established the Zero-Trust model in 2011, which was centred around the guiding principle “Never Trust, always verify”, and the recognition that perimeter firewalls are no longer sufficient to protect business secrets and assets.

Several organizations such as Google or Microsoft established methodologies to implement and operationalise it, but until now it has yet to be widely adopted. So why is now the time to embrace Zero-Trust and learn the lessons from others who have been on this journey?

Image: World Wide Technology

A pivotal moment to embrace the Zero-Trust model

First, the COVID-19 pandemic has accelerated the adoption of Cloud and remote working technologies, further transforming the attack surface as well as complexity and interdependency across the digital supply chain. The old castle-and-moat mentality focused on protecting the perimeter is no longer viable.

Second, businesses are grappling with more stringent regulations and increasing pressure to improve data privacy.

Third, government policies and executive orders such as the one executed in May by the Biden administration will enforce the Zero-Trust model to address the growing number of malicious campaigns that threaten the public and private sectors, as well as the security, privacy and ultimately the livelihood of individuals.

Learnings from recent attacks that impacted the Colonial Pipeline or JBS meat packing company underscore how organizations must consider implications that can impact the broader ecosystem and society.

Image: Statista

Where do we go from here?

It is important to recognize that there is no silver bullet product and no unique way to implement Zero-Trust. It requires a layered security approach that covers the entire digital infrastructure, legacy and modern systems, with a focus on having the adequate controls where the user accesses digital resources and a reduced reliance on perimeter security.

While there are no commonly accepted definitions for Zero-Trust, these tenets below are recognized as essential to implement a Zero-Trust strategic roadmap:

Tenet 1: Be consistent on how you authenticate and authorize any users and digital resources, including any computing and data resources inside and outside the organization. This tenet assumes that the digital architecture, users and all resources owned by an organization are well understood and documented. Apply a Just-In-Time access mechanism to authenticate positively a request at the time it is made without assuming a request is authentic because of a past certificate.

Tenet 2: Secure all communications irrespective of the network location using encryption and multi-form authentication technologies, to ensure that the data being carried always remains protected.

Tenet 3: Apply access based on the principle of least privilege, relying on better situational awareness on the users, applications and devices being used and accessed, as well as environmental and behavioural attributes. Deploy a just-enough access mechanism based on real-time dynamic policies, which ensures that only the access needed is provided and only for the duration of the request.

Tenet 4: Monitor and verify explicitly the security posture and integrity of all digital resources, including personal devices which may be used to access certain corporate applications. The collection of the necessary information on the current state, health and posture of assets, based on multi-attributes data points, including user identity, user MFA, location, day and time, device authentication, device health, service or workload, data classification, and anomalies. This increased situational awareness will ultimately help improve access decisions.

Tenet 5: Always refer to the guiding principles “Never trust, always verify” and “assume breach”. Such an approach will help focus on minimizing the damage caused by a data breach or cyberattack as much as preventing it.

While the implementation of these tenets can be complex, they have proven to be very effective at preventing cyberattacks and advanced tactics used by cyber-malicious actors. It is best practice to focus on the most critical data and digital resources when implementing these tenets and necessary access policies.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.

Our community has three key priorities:

Strengthening Global Cooperation - to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience - to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.

For more information, please contact us.

The road to Zero-Trust will be different for every organization. And while the end-state may never be reached, everyone can begin the journey and start adopting these key tenets.

Like any other transformational initiatives, it will require a robust understanding of the different Zero-Trust approaches and associated mechanisms, as well as a thorough assessment of the organizational readiness, business benefits and capabilities needed to maximize the operational outcome.