The zero-trust philosophy distinguishes itself from previous models due to its layered design. It proposes that no person or device within or outside an organization's network can connect to IT systems or services without performing robust identification.
Zero trust, a cybersecurity philosophy increasingly adopted, is based on the principle of "never trust, always verify,” no user or device can access data, a system, or an IT service unless authenticated first. When users access a new network segment or a new device, their identity must be re-verified.
In a context where cyberattacks are becoming more sophisticated and complex, organizations must review security governance at all levels. This is precisely what differentiates the zero-trust approach from its predecessors: it is divided into a layered architecture that reflects the journey data usually takes, including identity, endpoints (user devices), applications, networks, infrastructure, and data layers. Each of these layers has its security controls. Each time data travels between layers, the user's identity and access permissions are re-evaluated for the new segment, environment, or device.
While the Zero Trust approach gained prominence with the widespread adoption of cloud computing and collaborative work, many of its principles apply to on-premise models. Organizations that have implemented mature security controls guided by regulations and best practices within their internal physical infrastructures can capitalize on their investments and accumulated knowledge during the transition to a zero-trust model.
Not all companies will have the same priorities when adopting the model: a company with highly critical data and few users will likely focus on data layer security; in contrast, companies with less critical data (e.g., minimal personal or health data) but with thousands of employees may consider identity more relevant.
Adoption in Latin America
In Latin America, the maturity of adopting this model is advancing, although there is still a long way to go. A joint report between NTT DATA and Microsoft found that 88% of the companies are already familiar with the zero-trust model. However, the number of companies using it for deployment and use in their cloud environments is significantly reduced: only 50% do so (even though 54% consider investing in this new philosophy to be "very critical").
The primary benefits companies perceive from this model include better control over the cloud environment (54%), more appropriate protection of customer data (54%), improved permission controls (42%), and increased containment of security failures (38%).
What are the main challenges along the way? A lack of specific cybersecurity talent, compatibility issues with legacy systems, and budget limitations.
Beyond the technological challenges, companies with a clear understanding of the cybersecurity behaviors they aim to foster and actively promote employee education on how to defend against various attacks will be the most successful. This is because the effective implementation of zero trust relies heavily on a layer not typically included among the previous ones: the cultural layer.