As incredible AI growth intersects with near-universal hybrid or multi-cloud computing and software-as-a-service usage, there is no longer a meaningful ‘inside’ or ‘outside’ of an organization’s network. What was once deployed on a single server is now operated in hundreds of containers or microservices across the globe. The attack surface is too large and disparate to protect with any overarching security barrier.
With IT leaders believing cyberattacks are most likely to come from malicious actors using AI to automate attack processes (41%)[1] or an organization’s own employees (31%)[1], they need to protect against ‘trusted’ users as well as untrusted. So how can organizations protect data that resides behind barriers that seemingly no longer exist from potential malicious actors who already have legitimate access?
Zero trust architecture provides a solution. Below, we explore the crucial role it plays in achieving the levels of security IT leaders across every industry seek in this new world.
- What is zero trust, and why is it needed?
Zero trust is a cybersecurity model that stands in contrast to traditional perimeter-based security. Where perimeter security protects the outer ‘wall’ of an organization’s network and trusts users once they’re inside, zero trust eliminates implicit trust in users or assets. That means it requires verification for every access request as everyone is treated as a potential malicious actor by default.
As businesses increasingly shift workloads to complex cloud environments, traditional perimeter-based security would require an increasingly—and unfeasibly—large wall to protect data. Zero trust, on the other hand, proves endlessly scalable, as users undergo continual, yet seamless, verification no matter how often they successfully request access.
- How does zero trust achieve its goals?
Zero trust uses three principles to protect environments:
- Least-privilege access: Access is restricted to only what is essential at the right time. This prevents lateral movement through, and unauthorized access to, the rest of the network.
- Verify explicitly: Instead of previous ‘trust but verify’ approaches, zero trust verifies every access attempt based on all available data points, using identity and access management (IAM) context and adaptive multi-factor authentication (MFA).
- Assume breach: By assuming breaches will happen, zero trust minimizes the attack surface and blast radius by prioritizing detection, response, and rapid recovery.
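The following added example (not code from Hitachi Vantara or Veeam) sketches how a per-request decision can combine least-privilege grants, explicit verification and adaptive MFA. The `Grant` and `Request` fields, the sample grants and the rule that an unrecognised device triggers step-up are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Grant:                 # least privilege: one action, one resource, one time window
    user: str
    resource: str
    action: str
    start: time
    end: time

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    when: datetime
    session_valid: bool      # identity confirmed by the IAM / single sign-on session
    mfa_passed: bool
    device_compliant: bool   # endpoint security posture
    known_device: bool

# Constructed sample policy (hypothetical users and resources).
GRANTS = [
    Grant("alice", "payroll-db", "read", time(8, 0), time(18, 0)),
    Grant("bob", "backup-repo", "restore", time(0, 0), time(23, 59)),
]

def decide(req, grants=GRANTS):
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    # Verify explicitly: every request is checked, whatever its origin.
    if not req.session_valid:
        return "deny", "identity not verified"
    if not req.device_compliant:
        return "deny", "device fails posture check"
    # Least privilege: default deny unless a grant matches this exact
    # user, resource and action inside its time window.
    match = [g for g in grants
             if (g.user, g.resource, g.action) == (req.user, req.resource, req.action)
             and g.start <= req.when.time() <= g.end]
    if not match:
        return "deny", "no grant for this action at this time"
    # Adaptive MFA: ask for a second factor only when context raises risk.
    if not req.known_device and not req.mfa_passed:
        return "step_up", "unrecognised device, MFA required"
    return "allow", "granted"
```

A user on a recognised, compliant device is allowed without an extra prompt, while the same request from an unrecognised device returns `step_up` until MFA succeeds.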
- Won’t IAM and MFA negatively affect user experience, impacting productivity?
The right zero trust setup will provide users with a single sign-on, and your organization with a continual stream of feedback on who they are, what they’re doing, and their endpoints’ security postures. This enables constant, real-time risk assessment across your network that won’t prevent users from doing what they legitimately need to do while enforcing your security policies.
- What is zero trust data resilience (ZTDR)?
ZTDR extends the principles of zero trust security into an organization’s backup and recovery infrastructure. Its key features include immutable backup, which protects backup data from modification or deletion; separation of backup software and backup storage to minimize attack surfaces and potential blast radius (i.e., affected parts of the system); and the 3-2-1 backup rule, where you store three copies of data on two different types of media, with one copy stored off-site. By adhering to ZTDR, organizations can reliably and quickly recover clean data whenever an outage occurs, and whatever its cause.
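As an added example (not part of the original article or any vendor tooling), the three ZTDR features above can be checked against a backup inventory. The `Copy` fields and sample inventories are constructed; counting the production copy toward the three copies and requiring at least one immutable backup copy are assumptions of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    media: str               # e.g. "disk", "tape", "object"
    site: str                # location holding this copy
    host: str                # system that stores this copy
    immutable: bool          # cannot be modified or deleted
    is_backup: bool = True   # False for the production copy

def ztdr_findings(copies, primary_site, backup_software_host):
    """Return a list of violations; an empty list means every check passed."""
    findings = []
    backups = [c for c in copies if c.is_backup]
    # 3-2-1 rule: three copies, two media types, one copy off-site.
    if len(copies) < 3:
        findings.append(f"3-2-1: {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("3-2-1: all copies on one media type, need 2")
    if not any(c.site != primary_site for c in copies):
        findings.append("3-2-1: no copy stored off-site")
    # Immutable backup (assumption: at least one backup copy must be immutable).
    if not any(c.immutable for c in backups):
        findings.append("immutability: no backup copy is immutable")
    # Separation of backup software and backup storage.
    for c in backups:
        if c.host == backup_software_host:
            findings.append(f"separation: {c.name} is stored on the backup software host")
    return findings

# Constructed inventories (hypothetical host and site names).
WEAK = [
    Copy("prod", "disk", "dc1", "app01", False, is_backup=False),
    Copy("local-backup", "disk", "dc1", "backup01", False),
]
GOOD = [
    Copy("prod", "disk", "dc1", "app01", False, is_backup=False),
    Copy("repo", "disk", "dc1", "repo01", True),
    Copy("offsite", "object", "dc2", "obj01", True),
]

if __name__ == "__main__":
    for label, inv in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(label, ztdr_findings(inv, "dc1", "backup01") or "all checks passed")
```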
- What does implementing a zero trust model look like?
Making the shift to zero trust needn’t take a ‘rip and replace’ approach; you can achieve implementation incrementally. A basic outline could look as follows:
- Define your attack surface: Identify and locate which areas are at risk of attack.
- Implement controls: Use a network access control (NAC) system to monitor who and what is trying to access your network.
- Set permissions: Do so on a granular basis to establish what least-privilege access looks like for users in every instance.
- Enable IAM and adaptive MFA: These are the hands-on controls that check users to enforce least-privilege access permissions.
- Validate all endpoint devices: Doing so lets you better identify access requests from devices external to your organization.
Zero trust is a vital tool for protecting your environment and data in an increasingly borderless digital world. By removing trust in all who access your systems, you can trust that those systems stay secure. While it may sound like a daunting task to implement a new security framework across your entire digital estate, it needn’t be. A great place to begin is by discovering Hitachi Vantara and Veeam’s zero trust abilities in our whitepaper, available here.
[1] Source: Hitachi Vantara, ‘State of Data Infrastructure Global Report 2024 – How AI is Shifting Data’s Foundation.’