The remote work era makes the zero trust model critical for most businesses. The time has come to use it. But first, let’s understand what it really is and why the hybrid and remote work trend makes it all but mandatory.

What is zero trust?

Zero trust is not a product or a service, but an idea or a strategy. Instead of relying on a perimeter (for example, a firewall), every user, device and app must be verified for every instance of access.

Related ideas include strong user identity, machine identification, network segmentation and policy compliance, among others.

A student at the U.K.’s University of Stirling named Stephen Paul Marsh coined “zero trust” in his doctoral thesis in 1994. Later, the concept was briefly called de-perimeterization and perimeterless network architecture. In the end, the phrase zero trust became the most widely accepted term. Industry guidelines like Forrester eXtended, Gartner’s CARTA and NIST SP 800-207 further refined ideas and definitions around it.

Why remote and hybrid work demands zero trust

When the pandemic began, employees started working from home in their millions. It didn’t take long for threat actors to realize that the best way to break in was to enter through remote workers’ virtual private network (VPN) connections.

Each work-from-home employee, hybrid worker and digital nomad represents an expansion of the attack surface and new openings for attackers. An organization might be looking at dozens, hundreds or thousands of such employees. So, the attack surface becomes too large for older security models.

How to think about zero trust

Zero trust replaces an outdated idea. That idea? The assumption that everything ‘inside’ is trustworthy by default and that only outsiders pose threats. First, the solution was firewalls to create a perimeter. Then, VPN enabled remote employees to ‘tunnel’ into the perimeter.

This perimeter-centric view is outdated for many reasons. The rise of arbitrary mobile and wearable devices, cloud computing and the Internet of Things trend have eroded it. Now, above all, the hybrid and remote work trend has, too. Zero trust also accepts that threats often start inside the walls. Plus, cyberattacks are becoming more high-tech all the time. (There’s still a place for firewalls in zero trust networks — just not for perimeter security.)

At a high level, zero trust best practices start with several elements. They are the identification of critical assets, the establishment of strong identity systems for users, devices and apps, and the use of micro-segmentation. First, you need to create micro-perimeters on the networks and restricted access zones inside data centers and cloud environments. These control which people, devices and applications have permitted access to each segment, zone and resource. Beyond access restrictions, the hunt for intrusions and malware takes place through ongoing encrypted traffic inspection and analysis.

Process or policy?

The zero trust methodology enforces what used to exist in policies. In the past, company policies might say that only employees should access company resources. These employees had to use approved devices and apps. Policies might also call for employees to avoid rummaging through data beyond their purview.

Policies are great. The trouble is that this only guarantees security to the extent that people follow those policies.

Zero trust puts all-day, everyday enforcement of those policies into practice. The right people access the right resources using the right devices and applications. After all, only they have permission to do so. The default is that every person, device and app is blocked from accessing every part of the network and everything on those parts until the person, device and app are all authorized.

Attackers are stymied at every turn in a zero trust network. If they can trick or work around user authentication, their device will be denied access. Zero trust also narrows employee behavior. If one staff member decides to use an insecure app, that app won’t be allowed, even if they’re an authorized user on an authorized device.

The zero trust network architecture also helps with compliance auditing. It allows for improved visibility into user activity, device access and location, credential privileges, application states and other key factors. It also provides more data on which specific network resources have and have not been breached. Both of these are important for success.
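
The default-deny rule and the two scenarios above (a bypassed login coming from an unapproved device, and an authorized user running an insecure app), together with the audit trail that supports compliance review, as an added example that is not part of the original article. The resource, user, device and app names and the policy layout are constructed for illustration.

```python
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    app: str
    resource: str


# Constructed sample policy: one allowlist per protected resource (micro-perimeter).
POLICY = {
    "payroll-db": {"user": {"alice"}, "device": {"laptop-0042"},
                   "app": {"payroll-client"}},
    "wiki": {"user": {"alice", "bob"},
             "device": {"laptop-0042", "laptop-0077"},
             "app": {"browser"}},
}


def decide(req, policy=POLICY):
    """Default deny: allow only if user, device AND app are all authorized."""
    rule = policy.get(req.resource)
    if rule is None:
        # A resource with no rule is unreachable, not open.
        return False, "no rule for resource"
    failed = [k for k in ("user", "device", "app")
              if getattr(req, k) not in rule[k]]
    if failed:
        return False, "unauthorized " + ", ".join(failed)
    return True, "user, device and app authorized"


def audit(requests, policy=POLICY):
    """Record every decision, allowed or denied, for later compliance review."""
    log = []
    for req in requests:
        allowed, reason = decide(req, policy)
        log.append({**asdict(req), "allowed": allowed, "reason": reason})
    return log


if __name__ == "__main__":
    sample = [  # constructed requests
        Request("alice", "laptop-0042", "payroll-client", "payroll-db"),
        Request("alice", "unknown-pc", "payroll-client", "payroll-db"),
        Request("alice", "laptop-0042", "file-share-app", "payroll-db"),
    ]
    for entry in audit(sample):
        print(entry)
```

Each denial names the factor that failed, so the audit log shows which resources were requested, by whom, from which device and app, and why access was refused.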

Outsourced or in-house?

A zero trust network architecture represents a pretty radical departure from perimeter security. The decision over which parts to outsource and which to keep in-house depends on whether staff has experience with the elements of zero trust. It also depends on how well you’ve staffed in general.

It’s reasonable to outsource many parts of the transition. Then, after learning more, bring some parts in-house, depending on what makes sense for your needs. But even if you’re inclined to keep security work in-house, you might want to consider outsourcing to help with the transition.

The human element

Express the move to zero trust as part of the wider conversation about the new workplace. As we continue to adapt to remote and hybrid work, employees should be included as partners in this transition. Zero trust security is part of that.

Zero trust will impact all employees in multiple ways, including inconvenience in their workday and a learning curve up front. That’s why it’s super important to express the benefits, the link to hybrid and remote work and the impracticality of sticking with yesterday’s perimeter security mindset.

For many organizations — especially those fully embracing remote and hybrid work — zero trust is no longer an option. It’s time to trust it.
