We are beyond the point of viewing Zero Trust as a simple marketing feature for information technology or cybersecurity companies. It is a floor for any technology vendor who wants to provide high-value solutions to government or commercial customers.
Before getting into the details, let’s first settle on what we mean by Zero Trust. In 2017, Forrester’s Stephanie Balaouras provided what has become a common definition within the industry:
“A conceptual and architectural model for how security teams should redesign networks into secure microperimeters, increase data security through obfuscation techniques, limit the risks associated with excessive user privileges, and dramatically improve security detection and response through analytics and automation.”
Here are five major reasons why businesses should build Zero Trust networks and vendors should develop solutions that enable Zero Trust networks.
- Government customers will mandate Zero Trust capability
President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity directs federal agencies to advance toward Zero Trust architectures for their own enterprise networks. Why does that matter to industry? First, the U.S. government is the largest buyer of IT solutions; the order essentially means that a massive enterprise customer will look for its commercial vendors to build Zero Trust networks.
Second, a prime contractor that is selling into the government and commercial companies might want to streamline its operations and buy only those solutions that meet the needs of its most critical government customers. Basically, a big prime contractor might want only Zero Trust-capable solutions.
- Zero Trust enables compliance with data privacy rules
Because Zero Trust is ultimately about maintaining control over data, it also enables compliance with requirements centered around data protection. Two such requirements that come to mind are the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
While these laws have their differences, both require covered companies to collect, store, and process data under strict guidelines. A company that is subject to GDPR, CCPA, or both would benefit from implementing Zero Trust as part of its compliance regime to ensure that only certain persons and systems can access and handle covered data.
- Zero Trust as a framework is poised to grow in importance
As noted in point one, Zero Trust is not just about government customers; commercial customers also care about it. This has been evident for many years in the financial services and healthcare industries, whose networks manage vast amounts of highly sensitive data.
The expected growth in connected devices, particularly autonomous vehicles and possibly remote surgery, will increase the need and demand for Zero Trust. These use cases mean that lives will depend on making sure that only the most privileged users and systems have authorized and authenticated access to critical networks and data. Continuous verification of privilege is going to be the norm for these situations.
- Business leaders are recommending that the government incentivize Zero Trust for non-federal networks
In early 2022, the Department of Homeland Security’s (DHS) National Security Telecommunications Advisory Committee (NSTAC), a group of over a dozen business leaders, recommended that the government incentivize non-federal adoption of Zero Trust. Specifically, they recommended that the government develop best practices for implementing Zero Trust, condition federal IT grant funding to state and local governments on demonstrating Zero Trust adherence, and make Zero Trust compliance a mitigating factor for liability if regulated entities violate federal data protection requirements.
- Zero Trust is not difficult
Admittedly, the idea of Zero Trust seems overwhelming. It comes across as necessitating a complete network overhaul. As Juniper Networks has previously noted in the white paper “The Rise of Zero Trust,” Zero Trust does not have to be difficult for companies to implement. Zero Trust policies can be developed, deployed, and enforced across a network from a centralized system; this assumes, of course, that the customer has a network management platform that interoperates with all the solutions in its multivendor network.
There are many reasons to implement Zero Trust principles, but the fact is that government entities are beginning to incentivize and compel adoption. This is encouraging because we all know that we must fundamentally change how we secure our networks to change the dynamics when it comes to organizations versus attackers. We also know that there are usually laggards when it comes to adopting new things, especially in the technology realm. However, all organizations are inextricably connected in one way or another, and we need each other to be more secure in order to reduce the advantage that attackers have today.