Zero Trust is not a product

31 March 2022

By assuming that no one, anywhere, can be trusted by default, Zero Trust greatly reduces the likelihood of a security breach and limits the impact should someone slip through your defences.

It’s clear that the future of work is distributed and the ability to work from the office, home or anywhere in between is here to stay. Decoupling productivity from proximity has granted distributed teams powerful new ways of collaborating, but this shouldn’t come at the expense of security.

Sometimes referred to as the software-defined perimeter, Zero Trust Network Architecture is an identity-driven approach to security. It focuses less on where you are and more on who you are and what you’re doing.

Zero Trust is not a product, but rather a philosophy. By default, it denies access to a network, applications and data – even from within the office – rather than assuming that the user or device can be trusted, says Kevin Bloch – former Cisco ANZ Chief Technology Officer and founder of corporate technology advisory firm Bloch Advisory.

“Simply put, Zero Trust means acting as if an attacker is already in your enterprise network,” Bloch told Orro’s recent ‘Serious SASE’ virtual fireside event.

This approach greatly improves security posture and risk management. Should a breach occur, Zero Trust significantly limits the impact by taking a granular and segmented approach to security, which is not possible using traditional access solutions like VPN.

“Zero Trust can also minimise business disruption in the event of a security incident,” Bloch says.

“When you’re already challenging the identity, authority and purpose of every user and device – rather than giving them the benefit of the doubt – it’s easier to keep the lights on and keep serving your customers in the event of a breach.”

Zero Trust is a “mindset” with regards to how organisations design, build, secure, operate and maintain their environment, says Robert De Nicolo – Director of Cybersecurity at Cisco Systems, ANZ.

“For me, Zero Trust is about verifying and validating identity to control access, plus it’s about enforcing policy,” De Nicolo says. “Then it’s about monitoring the context of connectivity, so that you can make changes to that control during the life of the connectivity.”

“Put simply, don’t trust anything trying to connect to your network until you’ve been able to verify and validate – deny access by default.”

Data breaches cost Australian companies an average of $3.7 million per incident, according to IBM. Those organisations which adopted a Zero Trust security approach were better positioned to deal with data breaches – reducing the cost of an average data breach by 40 per cent.

Zero Trust is clearly the way of the future, with 60 per cent of enterprises predicted to phase out the use of VPN in favour of ZTNA by 2023, according to Gartner.

Along with Software Defined WAN (SD-WAN), Zero Trust is a cornerstone of Secure Access Service Edge (SASE). This is an approach which takes security out to the edge, rather than assuming that the office walls are the network perimeter.

According to the Ponemon Institute’s global survey “The State of SD-WAN, SASE and Zero Trust Security Architectures”, 49 per cent of respondents say their organisations either have or will deploy SASE architectures. The figure is 57 per cent for Zero Trust and 45 per cent for SD-WAN.

Implementing Zero Trust as a replacement for relying on VPNs has been a high priority for organisations during the pandemic, says Cris Bailiff – CTO, Cyber Services at secure network and digital infrastructure provider Orro.

“VPNs create a secure tunnel back into the internal office network but, once people are in, it can be difficult to apply granular security controls,” Bailiff says.

“If you take the concepts of SD-WAN and the SASE to the limit, you don’t have an ‘internal’ network anymore, so instead you rely on Zero Trust – which applies far more robust identity-based security, regardless of where your people are.”
