Zero trust is a security framework that requires continuous verification for every user and device trying to access resources, regardless of their location. While traditional security models rely on perimeter defences, which can be more easily breached, zero trust enforces strict access controls and continuous monitoring to better protect against modern security challenges.
Zero trust helps organizations prevent multivariable attacks. As such, a choice not to incorporate zero trust is a choice to leave your organization more vulnerable. For example, in the event of a ransomware attack, without zero trust, malware propagates through a network due to a lack of segmentation. Similarly, without zero trust, malicious insiders can exploit their trusted birthright and privileged access to do things they shouldn’t.
Advancements in technology, cloud computing, remote work and the evolving threat landscape have made zero trust increasingly practical. Frameworks and guidelines from organizations like the National Institute of Standards and Technology (NIST) have also contributed to its adoption. Zero trust enables organizations to meet increasingly rigorous compliance requirements, such as the General Data Protection Regulation (GDPR) and Personal Information Protection and Electronic Documents Act (PIPEDA).
Zero trust isn’t just a technology deployment—it’s a transformation to become future-ready that involves people, processes and technology. The principles of zero trust help organizations protect what matters most, including digital crown jewels, client trust and brand integrity. They reduce the risk and impact of ransomware attacks and data breaches by protecting against vectors such as insider threats, lateral movement, compromised credentials, phishing, unauthorized remote access, device compromises, and supply chain and third-party access risks.
In our recent Global Digital Trust Insights survey, we found only 2% of respondents globally have implemented cyber resilience actions across their organization. Zero trust is a critical tool to help organizations strengthen their cyber resilience in a way traditional network security strategies simply cannot. To begin this journey, CISOs need to understand the principles of zero trust and how they can be integrated into their organization’s core cybersecurity strategy.
Less than half of executive respondents to our survey (both globally and in Canada) say their CISO is involved to a large extent in strategic planning, board reporting and overseeing tech deployments. However, when moving towards zero trust, communication across the C-suite and from the CISO level down on why the organization needs to adopt these principles is essential.
Zero trust creates an ecosystem, and people and processes must be aligned. Involving the C-suite and leadership in the zero-trust planning and implementation process helps make sure the initiative receives the necessary support and resources and fosters a culture of security. This collaboration enhances client and brand trust by demonstrating a commitment to robust security measures, and it also enables the organization to innovate with less risk.
The following are the top five considerations for CISOs ready to reconsider traditional security methodologies and adopt a zero-trust strategy.
The concept of identity-based perimeter is at the heart of a zero-trust strategy. Organizations must enforce least privilege by continuously authenticating each access request, including those from third parties, based on contextual information and monitoring of user activity patterns. Key actions include the following:
Verify users by implementing multi-factor authentication (MFA) and passwordless authentication
Apply the concept of least-privilege access to allow or deny access to resources based on a combination of contextual factors across identity, network, data, device and application
Continuously verify user and device identity based on risk factors, and make access decisions based on a risk score
For each access request, organizations must understand context by analyzing events, activities and behaviours, with the help of artificial intelligence (AI). The goal is a model that improves detection and reaction speed when making real-time access decisions. Key actions include the following:
Microsegmentation isolates critical workloads and applications from unauthorized access. However, it can be challenging to implement, as it’s difficult to define access policies across multiple environments and map dependencies between applications, users and services. In addition, most legacy systems haven’t been designed for microsegmentation. Key actions include the following:
CISOs should implement tools to monitor, detect and remediate malicious activity on devices by integrating network-wide visibility and defence orchestration capabilities. Key actions include the following:
The organization should use adaptive policy control methods. These methods automatically adjust based on real-time risks in the environment and automate security responses based on defined processes and security policies enabled by AI to take blocking actions and force remediations. Key actions include the following:
Transition from a static, perimeter-based model to a dynamic, risk-based approach
Use adaptive policies that adjust based on real-time risk signals
Continuously evaluate trust levels with automated threat intelligence and behaviour analysis
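The identity-based perimeter above (least privilege, continuous verification, a risk score driving each access decision) and the adaptive policy control described here both come down to the same mechanism: a policy decision point that scores every request from its context and returns allow, step-up or deny. The following is an added illustration of that mechanism in Python; it is not PwC's code, and the signal names, weights and thresholds are constructed assumptions standing in for signals a real deployment would pull from its identity provider, endpoint manager and SIEM.

```python
"""Risk-scored, adaptive access decision (added example, not from the original page).

Assumptions (all constructed): the signal names, the RISK_WEIGHTS and the risk
budget formula are hypothetical. A production policy decision point would take
these signals from the identity provider, device management and UEBA/SIEM feeds.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require MFA / passwordless re-authentication first
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    resource_sensitivity: int   # 1 (public) .. 5 (crown jewels)
    device_managed: bool        # enrolled and compliant with posture policy
    mfa_satisfied: bool         # strong factor presented in this session
    new_location: bool          # geography not previously seen for this user
    privileged_role: bool       # admin / PAM-governed role
    anomalous_behaviour: bool   # UEBA flag from activity-pattern monitoring
    third_party: bool = False   # contractor or vendor identity


# Hypothetical weights: each present signal adds to a 0..100 risk score.
RISK_WEIGHTS = {
    "unmanaged_device": 30,
    "no_mfa": 35,
    "new_location": 15,
    "anomalous_behaviour": 30,
    "third_party": 10,
}


def risk_score(req: AccessRequest) -> int:
    """Sum the contextual risk signals present on the request, capped at 100."""
    score = 0
    if not req.device_managed:
        score += RISK_WEIGHTS["unmanaged_device"]
    if not req.mfa_satisfied:
        score += RISK_WEIGHTS["no_mfa"]
    if req.new_location:
        score += RISK_WEIGHTS["new_location"]
    if req.anomalous_behaviour:
        score += RISK_WEIGHTS["anomalous_behaviour"]
    if req.third_party:
        score += RISK_WEIGHTS["third_party"]
    return min(score, 100)


def allowed_risk(req: AccessRequest) -> int:
    """Risk budget shrinks as sensitivity and privilege rise (least privilege)."""
    budget = 70 - 10 * req.resource_sensitivity   # sensitivity 1 -> 60, 5 -> 20
    if req.privileged_role:
        budget -= 10
    return max(budget, 0)


def decide(req: AccessRequest) -> tuple[Decision, int]:
    """Per-request decision: allow, require step-up, or deny. Returns (decision, score)."""
    score = risk_score(req)
    budget = allowed_risk(req)
    # Hard rules that no score can override.
    if req.privileged_role and not req.device_managed:
        return Decision.DENY, score
    if req.anomalous_behaviour and req.resource_sensitivity >= 4:
        return Decision.DENY, score
    if score <= budget:
        return Decision.ALLOW, score
    # Over budget only because a strong factor is missing: ask for it, don't deny.
    if not req.mfa_satisfied and score - RISK_WEIGHTS["no_mfa"] <= budget:
        return Decision.STEP_UP, score
    return Decision.DENY, score


def audit_line(req: AccessRequest, decision: Decision, score: int) -> str:
    """One structured line per decision, so KPIs such as denial rate can be derived."""
    return (f"user={req.user} resource={req.resource} sensitivity={req.resource_sensitivity} "
            f"score={score} budget={allowed_risk(req)} decision={decision.value}")


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        AccessRequest("alice", "hr-portal", 2, True, True, False, False, False),
        AccessRequest("alice", "finance-ledger", 4, True, False, False, False, False),
        AccessRequest("carol", "crm", 3, False, False, True, False, False),
        AccessRequest("bob", "domain-admin", 5, False, True, False, True, False),
        AccessRequest("vendor", "secrets-vault", 5, True, True, True, False, False, third_party=True),
    ]
    for r in samples:
        d, s = decide(r)
        print(audit_line(r, d, s))
```

The design point is that the budget, not the score, encodes least privilege: the same session context that is acceptable for a low-sensitivity resource is over budget for a crown-jewel resource, and a missing strong factor produces a step-up challenge rather than a flat denial, which is the adaptive behaviour the page describes.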
Tech executive respondents to our recent Global Digital Trust Insights survey (both globally and in Canada) ranked network security and continuity as one of their top investment priorities for the coming year.
We’ve listed critical investment areas for implementing zero trust below. Not all organizations will need to invest in all of these at the same time, depending on the maturity of their domains. The goal is to build a strategic plan for the next four to five years that allows the organization to increase the maturity of all domains (by buying and/or building) and then integrate them.
As with any other large-scale transformation, there can be significant organizational barriers to overcome when implementing zero trust. Challenges we often see include organization inertia, cost and project scope. To make a zero-trust implementation a success, all stakeholders, including the board, should be involved and aligned about the principles and how changes will impact processes and resources on top of their day-to-day responsibilities.
Zero trust is often best implemented in phases, starting with high-risk areas and gradually expanding to the entire organization. An approach like this allows for a more manageable and cost-effective implementation. CISOs should take advantage of existing resources and investments before allocating new budgets for zero trust. This includes using current tools and technologies to support zero-trust principles and integrating them into the overall security architecture.
CISOs must also make sure security criteria are part of any procurement process. When sharing critical organizational data with any third-party vendor, it’s important that the vendor follows the zero-trust architecture to maintain cybersecurity posture.
As they continue their journey towards zero trust, CISOs should prioritize measuring return on investment through clear key performance indicators and metrics. The goal is to track progress and the footprint of those capabilities to make sure investments align with business objectives and deliver tangible benefits.
There are many different zero-trust controls organizations can task their red teams with testing. In the identity and access management domain, KPIs include MFA adoption rate, privileged access management effectiveness, identity verification success rate and number of failed login attempts and inactive or orphaned accounts.
In the device security domain, KPIs include number of unmanaged devices, as well as rates of endpoint compliance, device posture assessment success and vulnerable device detection. In the network and microsegmentation domain, KPIs include unapproved lateral movement attempts, segmentation policy compliance, encrypted traffic volume and zero-trust policy enforcement rate.
In the application and data security domain, KPIs include data loss prevention incidents and rates of IT detection, access request denial and successful phishing attempts. In the threat detection and response domain, KPIs include mean times to detect and respond, as well as incident false positive and insider threat detection rates. And in the user behaviour and awareness domain, KPIs include phishing simulation success, user security training completion and anomalous behaviour detection rates.
Failing to adopt zero trust can expose organizations to significant security, financial and reputational risks. Organizations must either have a mitigation plan in place or accept these risks.
While zero trust is often seen as a challenging goal to achieve, organizations can start their zero-trust journey today. The first step is to conduct a strategic, risk-based assessment to understand their current zero-trust capability maturity. The next step is to use the information gathered in that assessment to build a tailored, prioritized zero-trust roadmap that addresses the organization’s biggest risks.