It was recently revealed that the personal data of 20 million South Koreans (40% of the country’s population) was stolen by a contract worker at the Korea Credit Bureau, toppling consumer trust in Korean credit card companies. The theft was carried out by an insider over a period of time and raises the question: How could such an incident go unnoticed? We have found that breaches such as this are usually due to:
- Poor system controls for privileged users. Privileged users often have more access than they really need to do their job. By definition, these users need broad access rights, but “broad” shouldn’t imply “unlimited.”
- A lack of continuous user activity monitoring. Many security breaches could be detected with a comprehensive approach to monitoring user activity for suspicious behavior. In the high-profile WikiLeaks breach, nobody noticed that someone was copying thousands of sensitive documents from military systems in a short period of time.
Poor security practices and the breaches they enable go beyond data loss at an individual company; such incidents create distrust toward entire industries, social systems, and economies.
When you’re trying to protect your organization’s intellectual property and sensitive data assets, implicit trust assumptions are dangerous for two reasons. First, they leave your organization vulnerable to so-called “trusted insiders.” Second, they become obsolete when the environment or technology changes — and in a world defined by continued digital disruption, your environment and your technology are always changing. Forrester’s Zero Trust Model of information security banishes the old security motto of “Trust, but verify” and replaces it with a new motto: “Verify, but never trust.” The Zero Trust security model recommends:
- Adopting advanced security analytics to better predict threats and protect data. Security analytics is more than just the implementation of a security incident management tool. It includes not only the collection and correlation of traditional network and system log data, but also the integration of new types of security and IT data from across the extended enterprise, such as feeds from network analysis and visibility tools, alerts from DLP tools, behavioral analysis from IAM tools, and threat feeds from security vendors.
- Maturing incident management and forensic capabilities. Incident response is not enough. While maturing incident response is critical, what differentiates Zero Trust from past approaches is the integration of threat management, vulnerability management, and incident management into a single life cycle.
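The two points above (continuous user activity monitoring, and analytics that correlate system logs with identity data) can be illustrated with a small detector. The following is an added example, not Forrester's code or any product's: it assumes a constructed access-log format of `<timestamp> <user> <action> <record_count>`, a constructed IAM feed listing which accounts hold broad access, and illustrative window and threshold values. It flags any user whose exported record total within a sliding window exceeds the threshold, the kind of burst that went unnoticed in the cases described, and tags the alert with whether the account is privileged so it can be prioritised.

```python
"""Flag bulk record exports from access-log lines and correlate with IAM data.

Added example (not from the original post). The log format, the IAM feed,
the window length and the threshold are all assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp user action record_count
SAMPLE_LOG = """\
2014-01-10T09:00:00 alice export 50
2014-01-10T09:05:00 alice export 40
2014-01-10T09:20:00 bob view 3
2014-01-10T10:00:00 contractor01 export 5000
2014-01-10T10:05:00 contractor01 export 7000
2014-01-10T10:09:00 contractor01 export 8000
2014-01-10T11:30:00 alice export 30
"""

# Constructed IAM feed: accounts that hold privileged / broad access rights.
PRIVILEGED_USERS = {"contractor01", "alice"}

WINDOW = timedelta(minutes=10)   # sliding window length (assumption)
RECORD_THRESHOLD = 10_000        # exported records per window that warrant an alert (assumption)


def parse_line(line):
    """Parse one log line into (timestamp, user, action, record_count)."""
    ts, user, action, count = line.split()
    return datetime.fromisoformat(ts), user, action, int(count)


def detect_bulk_export(log_text, window=WINDOW, threshold=RECORD_THRESHOLD):
    """Return one alert per burst in which a user's exported records within
    `window` exceed `threshold`.

    Each alert is (user, timestamp_of_triggering_event, records_in_window, is_privileged).
    """
    alerts = []
    recent = defaultdict(deque)   # per user: (timestamp, count) events inside the window
    totals = defaultdict(int)     # per user: running sum of counts inside the window

    for raw in log_text.strip().splitlines():
        ts, user, action, count = parse_line(raw)
        if action != "export":
            continue  # only bulk reads/exports are of interest here
        q = recent[user]
        q.append((ts, count))
        totals[user] += count
        # evict events that have fallen out of the sliding window
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[user] -= old
        if totals[user] > threshold:
            alerts.append((user, ts, totals[user], user in PRIVILEGED_USERS))
            # reset so a single burst raises one alert rather than one per event
            q.clear()
            totals[user] = 0
    return alerts


def prioritise(alerts):
    """Rank alerts: bursts from privileged accounts first, then by volume."""
    return sorted(alerts, key=lambda a: (not a[3], -a[2]))


if __name__ == "__main__":
    for user, ts, total, priv in prioritise(detect_bulk_export(SAMPLE_LOG)):
        label = "PRIVILEGED" if priv else "standard"
        print(f"{ts.isoformat()} {user} exported {total} records in {WINDOW} [{label}]")
```

On the constructed log, the two regular users never trip the threshold, while the contractor's three exports in nine minutes do, and the alert carries the IAM flag. In a real deployment the fixed threshold would be replaced by a per-user or per-role baseline learned from history, and the alert would be enriched with DLP and network-visibility data as the post describes; the structure (windowed aggregation of activity, then correlation against identity context) stays the same.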
Zero Trust is not a product or service that you can go out and buy; it's a fundamentally new approach to and model of information security. While there are products and services that can help advance Zero Trust concepts, you must evaluate them with a critical eye and avoid deploying hot new point products that don't integrate with anything else in your environment or across the security ecosystem of the extended enterprise. Let me know what you think of Forrester’s Zero Trust model; if you’d like to understand it better, drop me a line.