Beyond the Buzzword: What is the ‘Zero Trust Model’ and Why is it Essential?
To help understand the relatively new concept of the Zero Trust Model when it comes to data privacy and security, think of something very old: a castle from the Middle Ages. The traditional approach to security called for high walls, a moat, and a drawbridge all meant to fend off an outside attack. Those allowed inside the castle walls were considered trusted and had unchecked access. Applying the Zero Trust Model, the exterior barriers would remain, but additional interior measures would track everyone’s movements throughout the castle and reconfirm authorization prior to accessing any room.
That’s one way that Catalino “Cat” Vega, a Senior Security Analyst at Kuma, explains the Zero Trust Model to those outside the field. Another way: “Imagine you’re at a 21-and-older club, but the bartender still checks your ID when you order an alcoholic drink,” he says. “Zero Trust.”
At Kuma, where he joined the team in 2021, Cat helps organizations of all sizes mature their application security programs at a technical level and runs specific client engagements in a Chief Information Security Officer (CISO) capacity. For the latter responsibility, Cat says he is laser-focused on creating a bridge between a company’s technology staff and business teams.
“The next generation of CISO is already here, and they are more business-minded than ever before,” he explains. “A key differentiator when rolling out a new data privacy and security program lies in Kuma’s ability to work cross-functionally with teams and tie our successes to the business.”
Data Privacy and Security Experts Like Cat Make Kuma Stand Out
Cat came to Kuma with more than 15 years of experience in information security. He is a Certified Information Systems Security Professional and earned a degree in Management Information Systems and Computer Programming from Southwestern College. Cat is a proud veteran of the U.S. Air Force, where he worked his way up from helpdesk technician to senior security engineer to Director of Information Technology at Shaw AFB in South Carolina. After leaving the service, Cat led IT infrastructure and compliance for a healthcare firm, then joined a consultancy where he served as CISO for a diverse set of over 20 healthcare organizations. As a regional leader at PwC for six years, Cat was responsible for security testing and compliance of over 5,000 applications across the Western Hemisphere that generated nearly $50 billion a year for the firm.
His military experience helped Cat develop an appreciation for the non-negotiable nature of the Zero Trust Model. At Kuma, he combines that mindset with an eye toward keeping businesses running smoothly. “When I was in the Air Force, I may have shut down an entire system because it was not patched,” Cat said. “Today, the goal is to enable businesses to do their work securely. So the approach I take now is, ‘How can I secure this with the least amount of business disruption?’”
While the military may long have taken a zero-trust approach to data privacy and security, the concept is now spreading throughout the federal government. In January, U.S. officials announced that the Zero Trust Model would be the government’s new cybersecurity standard. Cat says he welcomes that move, particularly as both government and private entities move to a more decentralized approach to work, increasing the importance of identity confirmation.
“I’ve definitely seen greater interest in Zero Trust, and it’s important that we educate people about what that really means so it doesn’t just become a superficial buzzword,” he says. “An organization reached out recently to ask us to help them move toward Zero Trust. We performed an in-depth assessment of their needs and were able to present them with multiple options to get them to Zero Trust maturity levels. They were happy with the transparency and grateful that we provided them with actual insight and not just an implementation plan.”
3 Things Business Leaders and Staff Need to Know About the Zero Trust Model
One of Cat’s specialties is being able to communicate passionately and confidently about data privacy and security to all levels of an organization’s hierarchy. Here are his top three lessons for executives and his top three lessons for technical staff when it comes to the Zero Trust Model:
For Business Leaders:
- Build and Maintain Cross-Functional Relationships. It’s essential to secure buy-in across leadership when rolling out a new solution like the Zero Trust Model. Just as Cat mentioned next-generation CISOs who are more business-minded than ever, all leaders must be willing and able to work cross-functionally with teams throughout the organization. “Relationships are key,” Cat says.
- Clearly Identify the Zero Trust Value-Add. Align delivery of this program to meet business needs. “At Kuma, we start by providing a crucial overview of an organization’s security weaknesses and vulnerabilities, which helps to illustrate where Zero Trust would benefit and where not having it could cause potential harm,” Cat explains.
- Establish a Culture of True Least Privilege. Zero Trust applies to all levels of an organization’s hierarchy, which means executives need to learn to be OK going through the same verification and authorization processes as employees. “Security checks shouldn’t be an annoyance,” Cat notes. “They should be par for the course.”
For Technical Staff:
- Prepare Integrations. Be ready to enable Zero Trust initiatives. This means setting the groundwork through education and training for technical staff in advance of a Zero Trust Model rollout.
- Embrace Change. Cat suggests tapping a Zero Trust Model champion in the organization who can assist other employees during the critical implementation phase. “Finding someone who can keep everyone on the same page can save considerable time and money as we get closer toward Zero Trust,” he says.
- Build and Maintain Cross-Functional Relationships. The same advice for bosses holds true for all staff. When technical staff are aware of and understand the business needs behind adopting a Zero Trust Model, they are more likely to embrace the effort. Often, this knowledge is achieved through cross-functional relationships throughout the organization, Cat says. “We need buy-in from every team within the enterprise,” he adds. “All hands on deck!”
Remember the castle analogy? Imagine that castle is your company’s network infrastructure. Would you still feel comfortable letting visitors run around without authorization checks? Cat guesses the answer is no, and he and his team at Kuma are here to help your business address its data privacy and security shortfalls — all the way to Zero Trust.
“I genuinely believe that there is no reason to blindly trust the activities inside your network,” Cat says. “The Zero Trust Model is a shift from the way things may have been done in the past, but it’s absolutely necessary to calibrate your security program against the current threat landscape. As we constantly update our programs, there is always a way to fold in those Zero Trust principles where they make the most sense.”
Visit Kuma’s website for in-depth information about privacy and security, digital identity, vulnerability and threat intelligence, fraud verification, and other resources.