The irony of zero trust

Zero trust is one of cybersecurity’s least understood, yet most fashionable buzzwords. Looking back at the past few years, it’s easy to understand why. Today, trust is in short supply. From exponential increases in ransomware and cryptojacking attacks to looming geopolitical tensions, these are uncertain and alarming times – especially when it comes to running a business. So, it is no surprise that the concept of “zero trust” and its assumed implications speaks to a broad range of enterprises.

The irony is, zero trust is built, runs, and flourishes on trust itself.

So then, what exactly does “zero trust” mean?

While the drivers of cybersecurity’s current craze may be relatively new – from a pandemic-era boom in workforce distribution to a move towards hybrid cloud infrastructures – the term “zero trust” is not. First coined in 1994, the concept was later developed into a holistic security philosophy by former Forrester analyst John Kindervag and has previously made its rounds throughout the industry under the guise of "deny by default" or "never trust, always verify" policies.

Simply put, zero trust is a security strategy. More broadly, it’s an enterprise-wide security mindset, which considers all end-points and accounts as untrusted. Whereas other security systems – such the once-preferred perimeter philosophy – may only require location-based or two-factor authentication, with zero trust, users and applications are granted access only when and where they need it.

In other words, by denying access by default, a zero-trust approach enforces a dynamic and continuous system of verification for users and their devices. In our current climate, where data breaches are no longer a question of if but of when, zero trust enables enterprises to better protect data and minimize the potential impact of an attack, while also facilitating a more localized, rapid response.

Imagine that your enterprise’s network is a hotel in which room access is regulated via card key. Before, when visitors checked into this hotel – let’s call it the Perimeter Hotel – they’d go through a brief identity verification process before receiving their card key. With that card key in hand, they then had more or less free-reign, with access to every single room in the hotel, except for those that were specifically locked.

When visitors check into the Zero Trust Hotel, however, the situation is reversed. Even after the hotel’s much more thorough check-in process, the visitor’s card key no longer acts as an all-access pass. This time, every single door is locked to them, except for the ones that have been specifically unlocked. They may request access to some of those unlocked doors, but it will only be given at the point at which it becomes absolutely necessary.

In fact, at the Zero Trust hotel, the card key holds less power than even that. Here, visitors gain access by verifying who they are through many different factors – all significantly more precise that that little rectangle of plastic, so easily lost or stolen. This, in turn, saves the visitor the time of digging around in their luggage to find that pesky card key while also assuring them that the room they are entering is exactly the one that they need to be in.

Now, the hotel owner can sleep easy, knowing that their property is secure as possible, while still functioning as an operational business.

And herein lies zero trust’s greatest irony.

In order for a zero-trust architecture to work, an enterprise needs to be able to put absolute trust in the system itself. In other words, in the security frameworks – for verification, monitoring, and data storage – that comprise this comprehensive approach.

At Kyndryl, we like to think of zero trust as five integrated security pillars: identity, device, network, application, and data. In most enterprises, cybersecurity systems are siloed – with one department handling identity verifications, another end-point security, yet another firewall, and so on. With zero trust, security becomes a 360-degree, integrated system where communication and collaboration across these pillars or departments is key and identities, passwords, and network assets are centralized in trusted repositories.

Simple in theory, but significantly less so when it comes down to putting these practices in place.

Part of the difficulty is that zero trust requires a fundamental shift in the security mindset on an organizational level. The first step here is to stop conceptualizing this approach as a one-stop-shop policy or product. Instead, it should be understood as a dynamic and evolving security process, with no fixed end point.

This is one of the system’s greatest challenges. It is also, however, one of zero trust’s greatest advantages. By adopting this risk-based and adaptive policy, enterprises are empowered to build a set of security practices uniquely suited to their changing needs and goals. That’s why at Kyndryl, we take an individualized, phased approach to align zero trust with each enterprise’s individual risk profiles as well as with their other major IT transformation initiatives, focusing on what matters most to the security and future of the business.

In this fast-moving world, and these unsettling times, it can be difficult if not impossible to decide what and who to trust – and when. When it comes to cybersecurity, zero trust is the best answer we have for how to navigate those decisions.

To learn more about the Kyndryl approach to zero trust, listen to the first episode of The Progress Report podcast here.