What is zero trust security?
September 15, 2021
Zero trust security means starting from “No”—designing security controls that have no implicit trust. In essence, assuming you have been breached.
This is in direct opposition to today's broad assumption that if you are on a trusted corporate network (physically connected in an office or remotely via VPN), you should be trusted to access any application, server or other infrastructure.
The remote work spurred by the COVID-19 pandemic showed us that too often, this assumption can get organizations in trouble. Supply chain breaches such as the recent SolarWinds hack are only one example. Coupled with the fact that corporate network boundaries are disappearing, it's no surprise that the need for organizations to move towards zero trust security has accelerated.
A zero trust approach allows organizations to move away from the castle and moat approach. Rather, it enables access decisions based on the context of the transaction, including factors such as the identity of the user, classification of data being accessed, the security profile of the device, the network, the application, and the authenticators used.
Because authentication and authorization is a continuous process, zero trust unlocks new business value, including:
Building a zero trust architecture requires having excellent identity data, appropriately provisioned entitlements, as well as standardized authentication and authorization enforcement.
Many organizations have taken a decentralized approach to identity and access management, allowing various lines of business to build their own controls. Unfortunately, this leads to duplicative access enforcement systems. Zero trust takes a more uniform, enterprise-wide approach, thus providing visibility—and enforcement—of access policies. This means improved security and compliance.
Let's say, for example, that your sales department needs access to Salesforce. In this case:
Implementing zero trust is a cross-discipline exercise covering identity, access management and infrastructure security. There is no single technology that can cover all requirements. Access policies may be enforced in access management solutions, privileged access tools, network infrastructure, API gateways, cloud platforms and even within application code.
To get started on the zero trust journey, organizations should:
Zero trust is an evolving concept that Accenture has been implementing for almost two decades. For more on what we learned, where we're taking the concept and the technology and how it fits with cloud, check out this CSO Online interview with our CISO, Kris Burkhardt.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2021 Accenture. All rights reserved.