Earlier this month, Cowbell CPO and Co-Founder Rajeev Gupta participated in a thought leadership panel, “Zero Trust from a Risk Professional’s POV.”
Zero Trust has become a key tenet of good cybersecurity. The concept was introduced more than a decade ago by John Kindervag, then an industry analyst at Forrester Research, and is anchored in three straightforward principles:
- All entities are untrusted by default;
- Least privilege access is enforced;
- Comprehensive security monitoring is implemented.
Many cybersecurity solution providers have built on the concept and released numerous resources on how to approach Zero Trust; our risk engineering team has laid out the technical details in the second blog of this four-part series: What is Zero Trust?
Using a Zero Trust Architecture (ZTA) to manage risk is challenging, but ZTA must be operationalized if it is to drive security strategy. When thinking about Zero Trust, it is important to keep in mind that it is an umbrella term for an overarching security goal, with smaller steps and milestones that can be achieved along the way.
When breaking down the concept of Zero Trust into bite-sized pieces, it can be tied to the concept of least privilege – that is, giving users access only to what they need. The evolution of least privilege into Zero Trust occurred alongside the evolution of the cyber threat landscape. The simpler landscape of the past could be managed with the more limited scope of least privilege, but the complexities of today require more. This is also where Cowbell’s Adaptive Cyber Insurance comes into play, as we provide coverage for the evolving threats of today and tomorrow.
The pillars of Zero Trust, as defined by CISA, are identity, device, network, application workload, and data. Success in implementing ZTA can be measured via your vendor relationships, critical asset management, and tech stack. Specifically, there must be good communication and cooperation with vendors and among vendors. One technology product will not solve the whole problem, as security is a team effort. The best vendors will implement Zero Trust in their technologies, too. It’s crucial to know exactly what you are protecting in your asset landscape and where it lives – in other words, properly identify your crown jewels. A good in-house identity management solution is critical to successfully deploying Zero Trust.
Adopt a mentality of anomaly detection: assume everything is bad behavior and look for the good behavior. This psychological acceptance of security is one of the challenges that comes with a Zero Trust model. The importance of training cannot be overstated. ZTA will inevitably have an impact on people’s daily lives, so they must understand its value proposition and the economic benefit of reduced risk. This will help incentivize adoption and user compliance. At Cowbell, our dedicated risk engineering team works with policyholders to go deeper in the discussion around Zero Trust and the implementation of cyber tools and best practices, drawing direct comparisons with other businesses of a similar size and industry. It is important to understand that more security controls give policyholders better options, making businesses more insurable and earning them credits so they end up paying less than industry peers. This is what we call continuous underwriting.
Zero Trust represents a fundamental shift in responsibility from the vendor to the business. Previously, it was the vendor’s responsibility to blacklist certain things; now the responsibility has shifted to organizations, which have to whitelist good activity and users on the network. Though ZTA assigns more responsibility to organizations, there should still be a partnership between the organization and its vendors. Zero Trust is a long-term goal, with steps along the way including identity and access, asset management, and device security. The NIST framework on Zero Trust can be a very useful resource for high-level guidance, and peers in an organization’s industry vertical can offer relevant case studies and boots on the ground to help.
You can view the full discussion by using the passcode: $f%WGlL6. For more information on Cowbell, please visit our website if you are an agent looking to get appointed or a business looking to get cyber insurance coverage.