11 Dec 2023
by Nick Ismail

The evolution of Zero Trust: From network access to critical enterprise resources

Guest blog by Nicholas Ismail, Global Head of Brand Journalism at HCLTech

Zero trust is a security framework that requires all users, whether internal or external, to be continuously authenticated and authorized on an organization’s network. It works on the premise that no device and no user behind the device should be trusted.

“Never trust and always verify,” confirms Prashant Mascarenhas, Vice President - Cybersecurity & GRC Services at HCLTech, speaking at RSA conference.

Fundamentally, the zero-trust model means that the identities of the users are always verified and authenticated at every layer of different enterprise resources, without creating friction in the organization and while reducing risk.

“From an evolution standpoint, zero-trust is at a point of controlling application and data access— critical enterprise resources,” says Mascarenhas.

With this evolution, the framework is now gaining significant traction, with Gartner predicting that by 2026, 10% of large enterprises will have a mature and measurable zero-trust program in place, up from less than 1% today.

The focus now is on how organizations can embed and implement an effective zero-trust framework.

Embedding a zero-trust framework

The first step in embedding an enterprise-wide zero-trust framework is to establish a zero-trust strategy that balances frictionless work and risk mitigation. According to Gartner, this should be led by the Chief Information Security Officer (CISO) and risk management leaders.

Crucially, it shouldn’t be forgotten that the foundation of zero-trust is identity. To effectively ensure controlled network and now application and data access, Mascarenhas recommends implementing a “strong identity access management architecture, which will help organizations move away from traditional role-based access models to attribute-based access models that can be used to make contextually relevant decisions”.

At the same time, he says that at the network layer, “organizations should shift from traditional network access controls to policy based remote access and device context-based policies, which can be applied on the network in real time”.

He adds: “Static policies can be broken, but dynamic policies, which are computed using attributes coming out of telemetric data from the network and applications can drive a higher level of security with the end aim of protecting data.”

In deciding where to implement the first rollout of zero-trust, Gartner recommends protecting the most critical assets, as this will yield the greatest return on risk mitigation.

It should be noted that zero-trust doesn’t represent a silver bullet. It’s a crucial component of developing a holistic cybersecurity strategy and key in helping reduce risk, but it must be combined with other threat detection technologies and frameworks.

The cybersecurity mesh

Gartner has referred to the future of security architecture as the cybersecurity mesh. This emerging architecture aims to consolidate all composable and distributed security tools to reduce complexity and improve an organization’s overall cybersecurity posture.

“The cybersecurity mesh incorporates individual security technologies and integrates them together for a unified policy across the entire landscape,” says Mascarenhas.

In this consolidated environment, zero-trust enables organizations to take network, application and data access controls and apply them across the entire landscape, including the devices, policies and tools that are being brought together under the cybersecurity mesh.

Read the original blog here


Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more

Join techUK's Cyber Security SME Forum

Our new group will keep techUK members updated on the latest news and views from across the Cyber security landscape. The group will also spotlight events and engagement opportunities for members to get involved in.

Join here

Cyber Security updates

Sign-up to get the latest updates and opportunities from our Cyber Security programme.

 

 

 

Authors

Nick Ismail

Nick Ismail

Global Head of Brand, HCLTech

Nick Ismail is the Global Head of Brand Journalism at HCLTech. He is responsible for delivering the editorial and content strategy. He previously spent 6 years leading the content for Information Age, a B2B technology publication headquartered in London.