We recently hosted a webinar with guest speaker Heidi Shey of Forrester and are continuing the conversation in this Q&A.
Forrester Analyst, Principal Analyst Serving Security & Risk Professionals
Heidi’s research primarily focuses on data security and privacy strategy, skills development, policies, and related technology controls. She guides clients in applying a Zero Trust, data-centric approach to securing data, advising them in areas like sensitive data discovery and classification, data loss prevention, secure communications, and more. Her research coverage includes breach costs, eDiscovery, cyber insurance, and customer-facing breach notification and response. She also covers consumer security and SMB security market trends.
Forrester’s Zero Trust framework is not a new approach and is one of the top security models of choice for most organizations. Because this approach is a marathon instead of a sprint, it can take years to roll it out. Now, with the steady increase in cloud adoption, security teams are having to rework how this model applies to their cloud security strategy. Too often companies are using security models that prevent them from leveraging all of the benefits the cloud has to offer.
We sat down with Forrester Analyst Heidi Shey to ask the Zero Trust expert about applying this framework to the cloud, the most common mistakes and misconceptions, and how this model will evolve in the future.
1. What is the biggest misconception about Zero Trust?
The biggest misconception is that Zero Trust is all about network segmentation and firewalls. Zero Trust did start with the idea of the need to move away from a perimeter-centric approach to security and implicit trust of authenticated users. However, the control points go beyond network controls. Forrester's Zero Trust eXtended Model takes security control areas — including people, devices, workloads, networks, and data — and overlays them with visibility, automation, and orchestration. This means you’re working with an ecosystem with multiple pillars of control. This is what enables you to look at a broader context of people, device, network, and data attributes to assess and verify a request before granting the least amount of privileged access to data and resources.
2. What are the most common mistakes that companies make when following a Zero Trust Model?
Two common mistakes:
- Lacking a plan. Zero Trust isn’t a tool or technology that you implement and are done. It’s an end state to strive towards for your environment, with incremental progress and steps that you take as a part of that journey. There will be interdependencies with other security, IT, and business projects. To create your own roadmap and help to get support and buy-in from your organization, you’ll need to first have an understanding of what Zero Trust is, determine your baseline of capabilities and current Zero Trust maturity, and identify where you have gaps before defining next steps.
- Underestimating the impact of culture. Acceptability of technical security controls like data loss prevention, user behavioral analytics, or privileged identity management varies by country. In locales like France, Germany, and the Netherlands, standards of corporate governance emphasize employee participation, and workers’ councils may restrict monitoring of employee actions and systems use. Regulations like GDPR, which define personal information broadly, may also hamper monitoring.
3. Historically, Zero Trust focused on identity access along with network & endpoint security. What role does data security play in Zero Trust?
Data security controls are one of the key pillars for Zero Trust, and it is a pillar that intersects with other pillars of control. That’s the idea, and what to strive for, where you have multiple controls for data that work together as a system rather than in separate silos. A data-centric approach here means that you 1) have clarity over what data you’re trying to protect and why, and 2) bring controls closer to the data itself. On this point about bringing controls closer to the data: ask if the control touches the data itself, or if the control point is somewhere else like a feature alongside device controls or network security technology.
4. How has the cloud impacted Zero Trust?
Over the last several years, cloud has been one of the biggest drivers pushing organizations to take a Zero Trust approach to better protect and control their data, as well as meet (and often exceed) compliance requirements. Actions like establishing cloud governance processes, inventory and monitoring of cloud workloads, and use of cloud-native security and management solutions are all examples of areas that can be on an organization’s Zero Trust roadmap for securing workloads (in this case, cloud). Many companies also already use Zero Trust principles in cloud migrations – they’re just not calling it Zero Trust.
5. Where do you see Zero Trust in 5 years? 10 years?
The key principles for Zero Trust should still hold: enabling least privilege, verifying access explicitly, and assuming that you are operating in a breached state. I think we’ll see more examples of Zero Trust approaches to securing IoT and OT environments, and more examples of Zero Trust architecture, and technology platforms that help to enable Zero Trust.
Zero Trust today is more mainstream in the US and Europe, with growing activity and planning around Zero Trust strategies in Asia Pacific. In 5 to 10 years’ time, I’d expect it to be a common concept and nomenclature in use globally.
The ease of use and scalability that make the cloud so appealing mean your enterprise data is more accessible to more users than ever before. Step one to applying Zero Trust to your cloud security strategy is understanding what data you have, what data is sensitive, who has access, and how it is being consumed. Once you are able to observe data consumption, you can begin to control it effectively. As Heidi mentions, establishing cloud governance policies that apply “least privilege” is critical to protecting data in the cloud. And finally, in order to evolve with the Zero Trust model, organizations must ensure they are using solutions that are built specifically for the cloud and that allow them to leverage all the benefits the cloud has to offer.