
What is zero trust security?

September 15, 2021

Zero trust security means starting from “No”—designing security controls that carry no implicit trust. In essence, it means assuming you have already been breached.

This is in direct opposition to today's broad assumption that if you are on a trusted corporate network (physically connected in an office or remotely via VPN), you should be trusted to access any application, server or other infrastructure.

The remote work spurred by the COVID-19 pandemic showed us that too often, this assumption can get organizations in trouble. Supply chain breaches such as the recent SolarWinds hack are only one example. Coupled with the fact that corporate network boundaries are disappearing, it's no surprise that the need for organizations to move towards zero trust security has accelerated.

Why zero trust?

A zero trust approach allows organizations to move away from the castle-and-moat model. Instead, it bases access decisions on the context of the transaction, including factors such as the identity of the user, the classification of the data being accessed, the security profile of the device, the network, the application, and the authenticators used.

Because authentication and authorization are a continuous process, zero trust unlocks new business value, including:

  • Flexibility in devices, thus enabling a true bring-your-own-device approach.
  • Flexible location and deployment, with the ability to access applications outside traditional network boundaries. This flexibility extends to deployment of applications and data outside of enterprise boundaries.
  • The use of 'appropriate friction,' meaning that when trust is high, low-friction authentication can be employed. But when trust is low (for example, if the transaction is high risk and/or the device is unknown), strong authentication will automatically be employed. When trust falls below predefined limits, transactions will be denied.
  • Reduced reliance on point solutions: because zero trust requires a consistent baseline level of security, it holds up as the threat landscape changes.

The importance of identity in a zero trust environment

Building a zero trust architecture requires having excellent identity data, appropriately provisioned entitlements, as well as standardized authentication and authorization enforcement.

Many organizations have taken a decentralized approach to identity and access management, allowing various lines of business to build their own controls. Unfortunately, this leads to duplicative access enforcement systems. Zero trust takes a more uniform, enterprise-wide approach, thus providing visibility—and enforcement—of access policies. This means improved security and compliance.

Let's say, for example, that your sales department needs access to Salesforce. In this case:

  • You should know who is in your sales department.
  • Your network devices should ensure that traffic going to Salesforce comes from a device belonging to someone in the sales department.
  • Your authentication solution should validate that authenticated users are from sales.
  • Salesforce should be configured to only allow people from the sales organization.
  • You may also want to enforce step-up authentication if the user is authenticating from a new device, for example by requesting that the user provide a one-time password sent to a known device.
  • These policies should be continually evaluated for every interaction, as context changes, such as device, location, network and identity data.
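The Salesforce scenario above, together with the “appropriate friction” rule from the earlier list, expressed as a small policy-engine example. This is added illustration, not Accenture's code; the directory, entitlement table, trust weights and thresholds are constructed assumptions standing in for real policy information points.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # trust high: low-friction access
    STEP_UP = "step_up"    # trust lower: require strong authentication first
    DENY = "deny"          # trust below the floor: refuse the transaction


@dataclass(frozen=True)
class Context:
    """Signals collected per transaction (constructed policy information points)."""
    user: str
    device_known: bool        # device is enrolled and belongs to this user
    corporate_network: bool   # on-premises or VPN: informative, never sufficient alone
    authenticator: str        # "password", "otp" (one-time password) or "fido2"
    high_risk: bool           # e.g. a bulk export of customer data


# Constructed directory and entitlement data standing in for the identity source.
DIRECTORY = {"alice": {"sales"}, "bob": {"sales", "finance"}, "carol": {"engineering"}}
ENTITLEMENTS = {"salesforce": "sales"}
STRONG_AUTHENTICATORS = {"otp", "fido2"}
ALLOW_THRESHOLD, STEP_UP_THRESHOLD = 2, 0   # assumed limits for "appropriate friction"


def trust_score(ctx: Context) -> int:
    """Sum the trust signals; the thresholds turn the score into a friction level."""
    score = 2 if ctx.device_known else 0
    score += 1 if ctx.corporate_network else 0
    score += 2 if ctx.authenticator in STRONG_AUTHENTICATORS else 0
    score -= 2 if ctx.high_risk else 0
    return score


def decide(ctx: Context, resource: str) -> Decision:
    """Evaluate policy for one transaction; call again whenever the context changes."""
    required_group = ENTITLEMENTS.get(resource)
    # Entitlement first: no amount of device trust lets a non-sales user into Salesforce.
    if required_group is None or required_group not in DIRECTORY.get(ctx.user, set()):
        return Decision.DENY
    score = trust_score(ctx)
    if score >= ALLOW_THRESHOLD:
        return Decision.ALLOW
    return Decision.STEP_UP if score >= STEP_UP_THRESHOLD else Decision.DENY


if __name__ == "__main__":
    # Same user, changing context: known device -> allow; new device -> step-up;
    # one-time password supplied on the new device -> allow again.
    known = Context("alice", True, False, "password", False)
    for ctx in (known, replace(known, device_known=False),
                replace(known, device_known=False, authenticator="otp")):
        print(ctx.device_known, ctx.authenticator, decide(ctx, "salesforce").value)
```

Re-running `decide` with a changed `Context` is the continuous evaluation the last bullet describes: the same user can be allowed, stepped up, or denied within one session as device, network or transaction risk changes.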

State of technology

Implementing zero trust is a cross-discipline exercise covering identity, access management and infrastructure security. There is no single technology that can cover all requirements. Access policies may be enforced in access management solutions, privileged access tools, network infrastructure, API gateways, cloud platforms and even within application code.

Getting started

To get started on the zero trust journey, organizations should:

  • Identify policy enforcement points and policy engines for access decisions. Where are access decisions made today? How are endpoints monitored? Is there an opportunity for consolidation? Are there gaps that need to be remediated?
  • Understand policy information points. What data is available for making access decisions? Is identity data accurate, real-time, and complete? Is there sufficient data to make informed decisions – threat feeds, device intelligence, SIEM?
  • Pinpoint deployment patterns. What applications, servers, databases, infrastructure and other resources will require different approaches to protect?
  • Know your data. Where is business critical data? What level of trust is required?
  • Develop a risk-based roadmap. Implementing zero trust is a journey. What are the most critical assets? Do we have accurate identity data? What cleanup needs to occur?

Our own journey

Zero trust is an evolving concept that Accenture has been implementing for almost two decades. For more on what we learned, where we're taking the concept and the technology and how it fits with cloud, check out this CSO Online interview with our CISO, Kris Burkhardt.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.

WRITTEN BY

Gabe Albert

Managing Director – Accenture Security, Digital Identity