Oct 3, 2024
There is a right way and a wrong way to do zero trust. Here's the difference.
It's not surprising that many traditional firewall and VPN companies have claimed to embrace zero trust. They are afraid of disruption. Zscaler Founder and CEO (and my boss), Jay Chaudhry, talks about it all the time. But as we head into Cybersecurity Awareness Month, sharing trustworthy ideas with leaders in a position to influence the course of cybersecurity evolution in their organizations and beyond is the best thing I can do as a leader during this pivotal time, especially if it could help spread accurate information to hundreds of thousands of knowledge workers or more, who, over the long run, could relay their improved and secure user experiences to colleagues who can then practice, or at least be aware of, proper, modern cyber hygiene and culture.
One of the biggest ironies in our market today is when what appears to be the right solution to a problem is a hidden contributor to the problem. Many organizations are playing catch-up when it comes to adopting more advanced cybersecurity strategies, and they know that zero trust is a proven method. Gartner, for example, expects more than 60% to adopt zero trust principles by the end of the year.
Rather than taking the right steps to advance, some vendors ignore a key prerequisite and its implications: envisioning all of their users as untrusted (not personally), all devices untrusted, and all branches untrusted. All of this infrastructure is out there somewhere, all over the world possibly, and everything simply connects to the internet. This reality changes the traditional network and security model, which depends on firewalls and VPNs, which our competitors are trying to sell you more of.
Legacy devices are now a liability as they cannot effectively manage modern threats and complexities. Firewalls and VPNs, even in the cloud, have an attack surface. Threat actors can easily discover their IP addresses and use them as initial vectors of compromise. Vulnerabilities in these devices, whether in the cloud or on-prem, are frequently used as beachheads from which to compromise entire organizations.
Leaders should be adopting a security framework that goes beyond traditional perimeter-based security to verify the identity and security posture of every user and device accessing the network. By doing so, they can reduce the attack surface and prevent lateral movement. But are these aspects transformative in themselves? Of course not. The true business value is eye-opening. First, consider what you can jettison with cloud-native zero trust:
5 things you can replace with one cloud-based zero trust architecture
Second, with all of the above functionally combined in a mature, cloud-based inline security cloud integrated with proper identity and endpoint management systems, the result is greater security and simplicity that reduces business risk, cuts costs, streamlines operations, and improves agility.
Third, add traffic from SaaS, IoT/OT devices, and connections with your partners and suppliers. Now you have a single system that gives you complete cyber risk management, simplified operations, and better overall security wrapped in business intelligence.
That’s really it in a nutshell. But make no mistake, it is easier said than done. A deep understanding of zero trust principles, processes, and strategies helps, but through companies like Zscaler, our partners, and organizations like CSA, NIST, CISA, and DOD, there is a lot of support to help you carve a path to safeguarding our infrastructures and ensure we maintain a strong cybersecurity and resilience posture that can adapt to evolving technologies. The key is for all of us to build awareness among industry experts, leading enterprises, service providers, government entities, related non-profits, and other organizations about the right way to do zero trust.