A lot has changed since Forrester coined the term “Zero Trust” over a decade ago. Specifically, the rapid adoption of the cloud and remote work has left a lot of organizations exposed and their data at risk.
We decided to go to the source and sat down with Forrester Analyst Heidi Shey to get answers to the following questions:
We recently hosted a webinar with guest speaker Heidi Shey of Forrester and are continuing the conversation in this Q&A.
Heidi’s research primarily focuses on data security and privacy strategy, skills development, policies, and related technology controls. She guides clients in applying a Zero Trust, data-centric approach to securing data, advising them in areas like sensitive data discovery and classification, data loss prevention, secure communications, and more. Her research coverage includes breach costs, eDiscovery, cyber insurance, and customer-facing breach notification and response. She also covers consumer security and SMB security market trends.
Forrester’s Zero Trust framework is not a new approach and is one of the top security models of choice for most organizations. Because this approach is a marathon instead of a sprint, it can take years to roll it out. Now, with the steady increase in cloud adoption, security teams are having to rework how this model applies to their cloud security strategy. Too often companies are using security models that prevent them from leveraging all of the benefits the cloud has to offer.
We sat down with Forrester Analyst Heidi Shey to ask the Zero Trust expert about applying this framework to the cloud, the most common mistakes and misconceptions, and how this model will evolve in the future.
The biggest misconception is that Zero Trust is all about network segmentation and firewalls. Zero Trust did start with the idea of the need to move away from a perimeter-centric approach to security and implicit trust of authenticated users. However, the control points go beyond network controls. Forrester's Zero Trust eXtended Model takes security control areas — including people, devices, workloads, networks, and data — and overlays them with visibility, automation, and orchestration. This means you’re working with an ecosystem with multiple pillars of control. This is what enables you to look at a broader context of people, device, network, and data attributes to assess and verify a request before granting the least amount of privileged access to data and resources.
Data security controls are one of the key pillars for Zero Trust, and it is a pillar that intersects with other pillars of control. That’s the idea, and what to strive for, where you have multiple controls for data that work together as a system rather than in separate silos. A data-centric approach here means that you 1) have clarity over what data you’re trying to protect and why, and 2) bring controls closer to the data itself. On this point about bringing controls closer to the data: ask if the control touches the data itself, or if the control point is somewhere else like a feature alongside device controls or network security technology.
Over the last several years, cloud has been one of the biggest drivers pushing organizations to take a Zero Trust approach to better protect and control their data, as well as meet (and often exceed) compliance requirements. Actions like establishing cloud governance processes, inventory and monitoring of cloud workloads, and use of cloud-native security and management solutions are all examples of areas that can be on an organization’s Zero Trust roadmap for securing workloads (in this case, cloud). Many companies also already use Zero Trust principles in cloud migrations – they’re just not calling it Zero Trust.
The key principles for Zero Trust should still hold: enabling least privilege, verifying access explicitly, and assuming that you are operating in a breached state. I think we’ll see more examples of Zero Trust approaches to securing IoT and OT environments, and more examples of Zero Trust architecture, and technology platforms that help to enable Zero Trust.
Zero Trust today is more mainstream in the US and Europe, with growing activity and planning around Zero Trust strategies in Asia Pacific. In 5 to 10 years' time, I’d expect it to be a common concept and nomenclature in use globally.
The ease of use and scalability that make the cloud so appealing mean your enterprise data is more accessible to more users than ever before. Step one to applying Zero Trust to your cloud security strategy is understanding what data you have, what data is sensitive, who has access, and how it is being consumed. Once you are able to observe data consumption, you can begin to control it effectively. As Heidi mentions, establishing cloud governance policies that apply “least privilege” is critical to protecting data in the cloud. And finally, in order to evolve with the Zero Trust model, organizations must ensure they are using solutions that are built specifically for the cloud and that allow them to leverage all the benefits the cloud has to offer.