This blog was originally published on ByteChek.com.
Zero Trust is not a new term; it was created in 2010 by John Kindervag, a principal analyst at Forrester Research Inc. Almost 11 years later, it's a buzzword in some security communities and non-existent in other cybersecurity segments like compliance.
Cyolo defines Zero Trust as "an innovative security model that assures secure connectivity by eliminating transitive trust and continuously identifying and authenticating every device, user and identity before providing them with access to network apps. Based on the premise of "never trust, always verify," trust and app access are granted according to the users' IDs. These are validated each and every time they want to access a network component. In addition, the network is cloaked for users, preventing network visibility."
"Never trust, always verify" is a concept that compliance professionals are familiar with when auditing. However, I don't think the governance, risk, and compliance (GRC) space has fully embraced zero trust. A Zero Trust approach to compliance benefits both auditors and the organizations undergoing audits. Simplifying the audit process is critical for any individual or organization working in the compliance industry, and Zero Trust helps accomplish this goal.
Zero Trust shifts from a network-based perimeter to an identity-based perimeter, which makes sense in modern organizations. With the adoption of cloud computing, the perimeter of an organization's technical environment is almost impossible to define: there are multi-cloud solutions, remote users, corporate on-premises users, bring-your-own-device, and the list goes on. This setup adds endless complexity to compliance assessments that are already time-consuming and resource-draining. Shifting to an identity-based perimeter makes the boundary simpler for an auditor to define and simpler to prove adequately protected against unauthorized users and resources.
“Compliance is all about risk management and lessening risk, and the same is true of Zero Trust. Because Zero Trust access is based on identities rather than networks, users can be granted more granular access to only the resources they actually need to do their jobs. This lowers both the risk of compromise and also the potential damage in the case that a cyberattack does occur. Beyond its unique Zero Trust architecture, the Cyolo platform also has special features, including session recording and supervised access, that help our customers meet and even exceed compliance standards” - Eran Shmuely, CTO and Co-founder of Cyolo
I believe the future of compliance is embracing zero trust and developing frameworks that require organizations to implement zero-trust strategies. We often hear in security that "compliance is not security," and I wholeheartedly agree with that statement. However, I do feel that "security is compliance." If we abstract away all these silly compliance requirements, we see the same general security principles in the different frameworks (SOC 2, ISO 27001, HIPAA, etc.). Therefore, focusing on security, for example by embracing zero trust, achieves your compliance goals and improves the security of your organization at the same time.
Zero Trust is an excellent start down this path because, with zero trust, it's not about chasing a random compliance framework. It is about a simple concept: trust. Zero Trust strategies enable simplicity, monitoring, auditing, and asset protection capabilities that address multiple controls across multiple frameworks. For example, auditors can focus on adding value as trusted advisors by discussing the zero-trust network architectures (ZTNAs) implemented, instead of asking for manual screenshots that don't prove security. These conversations can help the organization undergoing an audit learn new ways to protect itself and improve the security of its assets and data. A compliance assessment is about proving security to internal and external stakeholders. If that is the goal of these assessments, we should focus on security from the beginning. Compliance professionals and standards must consider how zero trust impacts audits in the modern era.
Want to learn more about Compliance and Zero Trust? Join Cyolo and me on Tuesday, August 31 at the 'Compliance is Tough. Zero Trust Can Make It Easier' webinar. And don't worry if you can't make the live session; an on-demand version will be available to watch at your convenience.
Author
AJ Yawn is the Founder and CEO of ByteChek. ByteChek's platform helps companies of all sizes establish security programs, automate cybersecurity readiness assessments, and complete cyber security assessments faster – all from a single platform.