The shift is being driven by the simple fact that traditional perimeter-based network defence strategies that comprise multiple layers of disjointed security tools have proven ineffective. They are essentially unable to meet current cybersecurity needs in a world of remote working and cloud-based resources.
A fresh mindset
Successful adoption of a zero trust strategy requires more than just technology. An organisation, from its chief executive to its IT team, must also understand and commit to a zero trust mindset from the outset.
Having this mindset in place is vital. When an organisation opts to embrace zero trust, the mindset will support the planning, resourcing, and operations needed to ensure it delivers the expected business benefits.
Since zero trust was first outlined as a robust and scalable security strategy back in 2009, the concept has matured and expanded. In 2017, Forrester coined the term ‘zero trust extended’ to describe a new approach to the topic.
According to Forrester, any zero trust strategy should – first and foremost – be aimed at protecting data. The strategy should strictly enforce access control while also verifying the health of devices seeking access.
Since then, the concept of zero trust has evolved even further. It is now recognised as an IT security model that denies access to applications and data by default. Effective threat prevention is achieved by granting access to networks and workloads only through policies informed by continuous, contextual, risk-based verification across users and their associated devices.
Zero trust and the Essential Eight
The concept of zero trust is closely aligned with the Essential Eight security guidelines created and promoted by the Australian Cyber Security Centre. The Essential Eight provides a clear framework that can be adopted by organisations of all sizes to improve their levels of IT security and better position them to withstand attacks.
The Essential Eight framework covers a variety of items that security teams need to consider. These include application control (or who can run what and where), regular data backups, software patching, the deployment of multi-factor authentication capabilities, and the restriction of admin privileges.
When you compare zero trust and the Essential Eight at the capability level, it becomes clear that they are different beasts. Many of the capabilities needed to achieve zero trust are far more extensive than those described by the Essential Eight, which focuses only on the most important controls that apply when countering external threats.
That said, there are also overlaps between the two. Zero trust includes concepts such as workload sanitisation to ensure that all workloads are safe to run, while the Essential Eight offers advice on application control, which can have a similar impact. Other areas of overlap include recommendations for multi-factor authentication, patching, and least-privilege policies.
Adopting zero trust
For many organisations, the adoption of a zero trust strategy may seem like a daunting task. They may readily get their heads around the requirements of the Essential Eight, but zero trust just seems too hard.
Thankfully, it doesn’t have to remain that way. In fact, many organisations will find that they already have in place a number of the components required by zero trust. What’s needed is a different approach and a different mindset.
It is also worth remembering that a zero trust strategy will deliver significant business benefits. These include everything from increasing the security of remote workers to boosting productivity by removing tedious log-in and authentication procedures.
Through careful planning and deployment, Australian organisations stand to gain significantly from the adoption of both zero trust and the Essential Eight. Together, these strategies will result in greatly improved IT security and better capabilities to withstand attacks.