Nearly all organizations are struggling with how to stay in control as their data migrates to the cloud and users connect from anywhere. The answer, they\u2019ve been told, is zero trust. Zero trust starts from the premise that an organization is going to be breached so that they can then focus on minimizing any potential harm. Although well-defined as an architecture and a philosophy, it is difficult to apply these principles across your infrastructure in the real world. While you can\u2019t buy a complete, packaged zero trust solution, you can build a solid defense strategy around zero trust concepts to secure sensitive data and enable the business and users to proceed in a safe manner.\n\nOver the past few years, the environment to which zero trust is being applied has changed dramatically. Users are working outside the safety of traditional security perimeters, using devices and networks the organization doesn\u2019t control. Cloud and remotely accessible infrastructure enables anyone to work and collaborate from anywhere on any device, but it is critical to ensure access is secure and centrally managed.\n\nThere are numerous elements to zero trust, notably, user (identity), endpoint, data, and risk. Rather than a ready-made solution or platform, zero trust represents a mindset, a philosophy, and ultimately a cybersecurity architecture. Aaron Cockerill, Chief Strategy Officer with endpoint and cloud security solutions provider Lookout, urges organizations to focus on what matters most: sensitive data.\n\n\u201cWhat\u2019s happened over the last couple of years with digital transformation is that users, apps and data have left the building and are no longer within that traditional security perimeter,\u201d says Cockerill. \u201cRather than simply providing remote access via virtual private networks, take the services that you had in that perimeter and put them in the cloud so that you can work in this new hybrid environment where apps are in the cloud or cloud-accessible.\u201d\n\nThat\u2019s the aim of Security Service Edge (SSE) solutions that provide cloud-based security components, including Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG) and Firewall as a Service (FWaaS). \n\n\u201cWhen users were in the building, the internet was filtered for them by their company to make sure that they were not clicking on malicious links and performing other non-secure activities, so part of SSE moves those services into the cloud.\u201d \n\nMost organizations have now adopted hundreds of SaaS apps, and each one handles authorization and access control differently. To avoid having IT become an expert in every SaaS app, centralized policy management across all cloud and SaaS apps through a CASB solution should also be top of the list for most organizations. \u201cBy centralizing data access policies IT teams can minimize workloads, simplify administration, and avoid misconfiguration that can introduce vulnerabilities.\u201d Cockerill adds. \n\nFinally, in the wrong hands VPNs expose large parts of your infrastructure to attack. \u201cThat\u2019s basically a tunnel through the firewall into the soft, gooey center of any organization's IT infrastructure, which is a nightmare from a security standpoint. Once someone connects via VPN they typically have unfettered access to adjacent apps and data, and this is where lateral movement comes into play. You need to segregate your infrastructure to prevent lateral movement.\u201d Bad actors use lateral movement to search for systems and data that can be leveraged to extort their target. Zero trust proposes microsegmentation to address this, but ZTNA is a simpler and more modern approach. \n\nThe noise level around zero trust can be confusing for organizations trying to chart the safest course. Cockerill warns against falling for misleading claims about so-called \u201czero trust solutions,\u201d and instead recommends assessing your current and desired state against an established zero trust security model, such as one drafted by the Cybersecurity & Infrastructure Security Agency (CISA).\n\n\u201cImplementing zero trust is a never-ending journey and the best way of establishing the right elements of technology for you to embrace in that journey is comparing yourself back to those maturity models,\u201d says Cockerill. \u201cThere's no silver bullet so don\u2019t be misled by vendors telling you there is because you can\u2019t buy it off the shelf. You need to look for vendors that acknowledge that integration with your existing infrastructure is the right approach.\u201d\n\nThe CISA model aligns the zero-trust security model to five pillars:\n\nAccording to CISA, each pillar can progress at its own pace and may be farther along than others, until cross-pillar coordination is required, allowing for a gradual evolution to zero trust.\n\nThere are endless ways to apply zero trust, so it\u2019s important to start out with a well-thought plan. Cockerill recommends that organizations prioritize their implementation efforts according to their risk registers. \u201cI would prioritize, maybe even over-correct towards the protection of data to stop your data from being stolen\u201d he adds. \u201cZero trust represents our best approach to the battle against cyber attackers, but it shouldn\u2019t be considered a panacea. It\u2019s virtually impossible to deploy controls across everything, so it\u2019s critical to assess the risks involving the organization\u2019s most sensitive data and start the zero-trust implementation there.\u201d\n\nFor more information on the Lookout Cloud Security Platform, visit here.