Adopting a Zero Trust Cybersecurity Model

Stephen Nardone
Tim Allen

The recent shifts from in-person to online or hybrid environments have forced organizations to reexamine their cybersecurity practices and protocols. Keeping information and data safe has become more challenging as teams navigate vulnerabilities in our new digital world.

83% of organizations have had more than one data breach.

Source: Ponemon Institute and IBM Security, 2022, Cost of a Data Breach Report.

Zero Trust and Zero Trust Architecture are concepts that have been around in the information technology and security industry for many years. They are becoming more prevalent in conversations across all industries, especially in the government sector, and are also becoming a topic of conversation for small-to-mid-market corporations. Cyber insurance companies, standards and certifications organizations, the recent Executive Order, and managed services companies all point to the fact that Zero Trust is the critical measure of effective cybersecurity protection, detection, and reaction.

What Is Zero Trust?

Let’s start with the definition of zero. The numerical symbol “0” means the absence of all size or quantity. So, in essence, Zero Trust is the approach of having no trust and the need to continuously verify. In addition to investing in security protection technology, you must believe the “bad guy” is already on the inside of your environment, potentially sitting dormant until the right opportunity emerges.

Let’s be clear, Zero Trust does not prevent breaches. But it does provide a framework for ensuring—when fully implemented—a reduction of the impact of a breach. This is done by identifying the breach and shutting it down quickly. Zero Trust requires the implementation and management of:

  • Security framework with guiding principles
  • Workflow, system design, and operations
  • Defined policies, information security practices, and resiliency practices
  • Technology working in concert with process and people
  • Continuous monitoring, detection, and mitigation

Three Key Elements: People, Process, and Technology

You will note that humans, technology, policy, and process are all key components of Zero Trust, not just physical devices and software. You cannot buy Zero Trust out of a box, and you cannot achieve it by implementing technology alone. The key criterion for achieving Zero Trust is continuous detection and mitigation against attack, whether from the outside or inside. People, process, and technology need to be in lockstep! This applies whether users are on internal and approved networks, whether the user is an approved employee, whether the user’s asset was configured and issued by the corporate Information Technology team, and, of course, whether the user is connecting from outside of the approved network or not.

In addition, all sessions between users and resources must be uniquely identified and authorized. This means an employee, or a process, or a service session connecting to a corporate resource in the environment or the cloud, must successfully pass the discrete function of authentication and authorization. This authorization must also be monitored continuously for changes in behavior, or subsequent connection requests.
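
The per-session checks described above, sketched as an added example that is not from the original article: a minimal policy decision point that gives network location no weight, issues a unique session ID only after authentication and authorization succeed, and re-evaluates every later request. The names (`Request`, `PolicyDecisionPoint`, `POLICY`, `BASELINE_MAX_REQUESTS`) and the sample policy are hypothetical.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    principal: str          # user, process, or service identity
    authenticated: bool     # outcome of a fresh authentication check
    device_compliant: bool  # current device posture
    source_network: str     # "internal" or "external"; logged, never trusted
    resource: str
    action: str

# Constructed policy: actions each principal may perform on each resource.
POLICY = {("alice", "payroll-db"): {"read"}, ("backup-svc", "payroll-db"): {"read"}}
# Constructed behavioral baseline: requests expected in one session.
BASELINE_MAX_REQUESTS = 3

class PolicyDecisionPoint:
    def __init__(self):
        self.sessions = {}  # session id -> per-session state

    def _allowed(self, req):
        # source_network is deliberately absent: location earns no trust.
        return (req.authenticated and req.device_compliant
                and req.action in POLICY.get((req.principal, req.resource), set()))

    def open_session(self, req):
        """Authenticate and authorize; return a unique session id or None."""
        if not self._allowed(req):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"principal": req.principal,
                              "resource": req.resource, "count": 0}
        return sid

    def authorize(self, sid, req):
        """Re-check every later request; revoke the session on any change."""
        state = self.sessions.get(sid)
        if state is None:
            return False
        state["count"] += 1
        same_scope = (state["principal"], state["resource"]) == (req.principal, req.resource)
        if not (same_scope and self._allowed(req)
                and state["count"] <= BASELINE_MAX_REQUESTS):
            del self.sessions[sid]  # a new session needs fresh authn and authz
            return False
        return True
```

A request from the internal network by a principal with no policy entry is refused, while a compliant, authenticated external request is granted; a session is revoked as soon as device posture changes or request volume exceeds the baseline.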

59% of organizations have not deployed a Zero Trust security architecture.

Source: Ponemon Institute and IBM Security, 2022, Cost of a Data Breach Report.

Start Your Zero Trust Journey

As you can see, Zero Trust is not simple to achieve. It will take a well-defined plan, selecting the right technology, and developing the right processes. It will require a phased implementation to ensure the necessary people, process, and technology are all working in concert to guarantee that continuous detection and mitigation are achieved. And it won’t happen overnight. Zero Trust is a long-term roadmap to cybersecurity.

As a first step, having a Security Landscape Optimization assessment completed will give you a snapshot of your entire ecosystem along with risk scores. This “roadmap” will help you focus your resources on the areas where attention is most needed. Connection has a team of architects, consultants, and engineers to help you achieve the next level of security. Visit our Cybersecurity Awareness Month webpage to discover more resources.

Stephen Nardone, CISSP, is Director of Security Practice at Connection with over 38 years of experience in both the government side and the commercial side of the security business.

© PC CONNECTION, INC. ALL RIGHTS RESERVED.