Zscaler Blog
What’s in a name? Defining zero trust for leaders
Could you accurately and succinctly describe zero trust to your leadership team or board? During my five years as a VP analyst at Gartner, I witnessed executives struggle to convey the concept in business language, and it’s not entirely their fault; “zero trust” rolls out the red carpet for misinterpretation and misrepresentation.
Zero trust is a model for secure resource access. Gartner calls it “a shorthand way of describing a paradigm where implicit trust is removed from our computing infrastructure.” This is where the confusion can creep in, but there is an easy fix.
Instead of thinking zero trust removes all trust, reframe it as “zero implied trust,” meaning that trust granted must be deliberate and explicit. It is a specific policy – it is known and expected. Implicit trust is removed by denying access as the default policy. The result is that all access becomes deliberate and explicit.
Another aspect of the explicit trust, something missed by many zero trust implementations today, is that any trust granted is ephemeral. Rather than being a one-time decision, the trust allows for “just in time” connections between users, data, apps, and resources, and is a temporary assessment that must be reconsidered throughout the entire session of access.
Assuming all devices inside a network are safe violates the principles of zero trust in the same way as assuming risk does not change throughout a session. The dynamic process matches the changing environments we work in.
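The three properties described above (default deny, explicit policy, and ephemeral trust that is reassessed during the session) can be shown in a few lines. This is an added illustration, not code from the original post or from any product; the `Rule` and `PolicyEngine` names, the 0-100 risk score, and the sample users and resource are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One explicit, deliberate allow rule. Anything not listed is denied."""
    user: str
    resource: str
    max_risk: int   # highest risk score (hypothetical 0-100 scale) still allowed
    ttl: int        # seconds before the grant must be requested again


class PolicyEngine:
    def __init__(self, rules):
        self._rules = {(r.user, r.resource): r for r in rules}
        self._grants = {}   # (user, resource) -> expiry time

    def request(self, user, resource, risk, now):
        """Open a session. Returns True only if an explicit rule permits it."""
        rule = self._rules.get((user, resource))
        if rule is None or risk > rule.max_risk:
            return False                      # default deny
        self._grants[(user, resource)] = now + rule.ttl
        return True

    def still_allowed(self, user, resource, risk, now):
        """Reassess an open session; revoke on expiry or raised risk."""
        key = (user, resource)
        expiry = self._grants.get(key)
        if expiry is None:
            return False
        if now >= expiry or risk > self._rules[key].max_risk:
            del self._grants[key]             # trust is withdrawn, not paused
            return False
        return True


def demo():
    # Constructed sample policy and events, for illustration only.
    engine = PolicyEngine([Rule("alice", "payroll-app", max_risk=30, ttl=300)])
    return [
        engine.request("bob", "payroll-app", risk=0, now=0),             # no rule
        engine.request("alice", "payroll-app", risk=10, now=0),          # explicit allow
        engine.still_allowed("alice", "payroll-app", risk=10, now=60),   # unchanged
        engine.still_allowed("alice", "payroll-app", risk=80, now=120),  # risk rose
        engine.still_allowed("alice", "payroll-app", risk=10, now=130),  # revoked
    ]
```

Once risk rises mid-session the grant is deleted, so a later drop in risk does not restore access; the user has to make a new request that is evaluated from scratch.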
The simplicity of ‘default deny’ is what makes zero trust so powerful and durable, but policy must be applied to extend trust deliberately, which requires navigating a tricky path between policies that are either too loose or too strict. Loose policy creates risk, while overly strict policy can hinder an organization’s ability to function. Successful implementations of zero trust manage to achieve the right balance between security and usability by spending sufficient time planning policy, as well as getting buy-in from line-of-business leaders.
Make it clear to the C-suite and board that zero trust is not merely a buzzword or a fleeting trend; it's a fundamental concept that reflects the realities of modern cybersecurity. By understanding and embracing zero trust principles, leaders can empower their organizations to navigate the digital landscape and its ever-changing risks and threats with confidence, knowing that they have the tools and strategies in place to safeguard their assets and data.


