Cybersecurity and data protection have quickly become top boardroom priorities for UAE businesses, with a recent Gartner survey forecasting that IT spending in the MENA region is set to grow by 3.1 percent in 2023.
C-suite leaders who were not previously responsible for security are increasingly being tasked with ensuring that data breaches, including ransomware attacks, and their expensive price tags do not jeopardise their organisations. As pressure builds, they are wisely looking to experts for guidance, many of whom are external consultants and other similar industry experts.
These specialists often provide checklists and best practices for what is most important in cybersecurity, and their lists often boil complex IT concepts down into easy-to-digest soundbites: marketing copy usually based on the latest buzzwords. In this regard, one particularly widely misused and especially problematic buzzword is ‘zero trust’.
Zero trust is not a new concept, but the term is now being used in many different ways and contexts, for everything from product and company names to broader technology categories and functionality—it is everywhere.
With all this use and, frankly, misuse, the true meaning has become blurred and confused. A particularly troublesome misconception is that zero trust can be bought or downloaded as a single product. This marketing is wrong and misleading.
In reality, zero trust is not simply a product or service. It is a mindset that, in its simplest form, is about not trusting any devices or users by default, even if they are inside the corporate network. Zero trust encompasses many technologies, products, practices and features that need to be built not only into products and services, but also into company-wide culture and processes.
What is most concerning about the confusing use and misuse of zero trust, including productising the term, is how it tends to make companies think their data is safe because they have implemented a “zero trust” product, when, in fact, they are still extremely vulnerable because a single product or solution alone does not equal a zero-trust posture.

Here is what organisations must actually do to implement a zero-trust charter:
- Organisation-wide commitment – Departments across the entire organisation must agree on priorities and parameters and align on access and security policies. Every single connection—from data to users and devices to applications, workloads and networks—must be designed with a zero-trust strategy and must have the ability to evolve as needed.
- Cross-functional leadership – Create a dedicated cross-functional zero-trust team tasked with planning and implementing a zero-trust migration. This team must include members from application and data security, identity governance and network and infrastructure security, but should also involve other areas of IT. The team should do regular inventory assessments to guide governance and enforcement, which requires full support from leadership.
- Process and policy – Ensure the right processes and procedures are in place for identity governance. Another crucial element in this vein is limiting access to backups, especially backups of business-critical data, and strategically assigning access only to groups that need it.
- Training and culture building – Make it easy and transparent for all employees to get educated and informed. Require zero-trust training for all employees, partners and vendors so the mindset is set across the entire organisation and value chain.
- Product and tool alignment – Look for technology that has the zero-trust concept built into every part of its platform rather than tacking “zero trust” on as a feature or benefit. The technology you need helps monitor access, privilege controls and systems hardening, and provides complete visibility through mechanisms like micro-segmentation and device access controls.
- Monitor and maintain – Regularly review and refine your zero-trust strategy—never forget that it has to be an iterative process.

As with any industry trend, we will undoubtedly continue to see zero trust used and misused in many contexts. To reiterate, a true zero-trust posture cannot come from a single product or solution, even if it is marketed that way. In reality, zero trust is an ongoing iterative process based on the principles outlined here that must always be evolving.