Zero Trust Archives - 成人VR视频 Institute
https://blogs.thomsonreuters.com/en-us/topic/zero-trust/

Practice Innovations: Zero trust – Never trust, always verify
https://blogs.thomsonreuters.com/en-us/legal/practice-innovations-migrating-zero-trust/
Fri, 21 Oct 2022 13:34:59 +0000

How can you best secure your computer systems in today’s world? “Trust no one or anything – and always verify.” This is the basic idea behind zero trust, a new way to look at computer security. Zero trust works on the assumption that your networks are already breached, your computers are already compromised, and all users are potential risks.

Traditional systems security has for years followed the “trust but verify” method, in which users are automatically trusted once they are logged into a system. The emphasis there is on protecting internal systems and information from outside attackers by using firewalls and passwords.

Unfortunately, as technology and attackers have grown more sophisticated, the Trust but verify method has become harder to maintain and less effective. Organizations have had to change their approaches to systems security in order to accommodate traveling users, users that work from home, users that bring in their own devices, as well as cloud-based software, other repositories, and more. The traditional boundaries of a network perimeter are drastically changing.


With the growth of cloud computing, organizations are very globally connected, and their digital information is stored and used in private and public clouds of data and applications. Conventional boundaries for an organization’s network have expanded and become ever more obscure, opening the potential for cybersecurity problems. Zero trust offers a new way of viewing our computers and information that may make securing them easier.

With zero trust, implicit trust is eliminated, and continuous verification is required. By always assuming that a security breach has likely already occurred, a zero trust system will constantly limit access to only what is needed while continuously looking for malicious activity. Zero trust can reduce an organization’s risk from data breaches, ransomware, and insider threats. While zero trust is clearly more restrictive, it can simplify an organization’s cybersecurity defensive posture and provide a more easily secured system environment to better protect the organization’s data and assets.

In a security breach, trust is a vulnerability that is exploited. By eliminating trust as an issue, an organization’s systems become more secure and data breaches are prevented. However, this lack of trust doesn’t mean you don’t trust your users; instead, it is akin to requiring users to use a key card every time they access a building.

Zero trust recognizes the reality that today’s computer systems are hostile places. Yet, zero trust is not a product or an application. It is a set of principles that help you define a cybersecurity strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.

The first step with zero trust, as with any new method or technology, is to understand how it addresses your organization’s unique business problems. What outcomes do you expect? How does zero trust address your needs? Without understanding your business needs and problems first, any new method or technology will ultimately fail.

Building zero trust

Migrating to a zero trust model can be done gradually, which is a benefit for smaller organizations that cannot afford a large initial investment. According to the US National Institute of Standards and Technology (NIST), many organizations may continue operating their newer zero trust in tandem with their older perimeter-based systems for years. To plan and architect your zero trust network, the following initial steps are suggested:

      • Start by building leadership trust – You need to seek understanding, support, and input from your firm’s leadership. Management support is critical to a successful transition to zero trust.
      • Define your most vulnerable attack surfaces – Start by identifying your biggest risk areas both now and in the foreseeable future, and work to apply initial zero trust initiatives that encompass processes, people, and your existing technology. Moving gradually will keep your firm from becoming overwhelmed with implementing new technology and policies across entire systems.
      • Map how your data flows – Document how your data moves around your devices, applications, and assets. It is essential to understand this data flow. Who is using it? Where is it coming from? To identify which data flows should not be trusted, you need to know which are critical to your firm and should be allowed. This mapping of data flow is the key to making zero trust work.
      • Harden your identity management – Users are the weakest link in any security system. Review your user authentication process and implement multi-factor authentication and tougher password policies to harden your identity management. Also, implement and regularly review login names and make sure they match active users.
      • Assign minimum rights (least privilege) – Review how your systems and data are secured and assign the minimum rights to the minimum number of accounts needed to access data or systems. The default access should be no access.
      • Whom do you trust? – Build a whitelist of who to trust. This includes users, devices, applications, processes, and network traffic.
      • Micro-segment your security – Dividing your security into smaller segments allows you to minimize any damage in case of a breach or compromise of any one area.
      • Define your zero trust policies – After you have architected your new system, write the needed policies to match. Define who, what, when, where, why, and how for every user, device, and network that gains access to your system.
      • Monitoring is critical – As you build your zero trust system, it is critical to have an aggressive monitoring system in place. For zero trust to be effective, you will need to continuously monitor access and look for any area where trust should be revoked and any unwanted access can be identified.

Zero trust is a journey that will take years to complete. “Never trust, always verify” is a fundamental shift in how we currently think about security, but it is a necessary shift. Security breaches are on the rise, and our old paradigms of security are not working as more devices come online and local networks evolve to cloud networks. Our data is increasingly at risk, and zero trust is a new and more effective way to protect ourselves.

Practice Innovations: Knowledge management strategies in a zero trust model
https://blogs.thomsonreuters.com/en-us/legal/practice-innovations-knowledge-management-zero-trust/
Tue, 18 Oct 2022 14:02:49 +0000

We understand that knowledge management (KM) is the preservation and sharing of what we know, and that what we know is gained through individual experience as well as tacit and implicit knowledge. Therefore, organizations and leadership might infer that the zero trust model and zero trust architecture – a security framework that assumes no traditional network edge and requires all users, even those in-network, to be authenticated and continuously authorized before being granted access – are an impediment to a mature KM culture.

Yet, what is considered an impediment and barrier to KM is often the result of confusing KM with information management (IM).

Instead, KM and IM should be considered more alike in their value systems rather than a competing priority in which an organization must choose between securing information and data versus sharing information and data. In accepting that there are both enablers and barriers to any organizational priority, a strong KM culture includes many of the same enablers that zero trust is tasked with supporting. KM, when it is aligned with zero trust, creates an even stronger KM value in the organization. And zero trust, like KM, succeeds best when working from the position of the four KM enablers: people, process, technology, and governance – as well as a strong organizational policy, which is critical for zero trust.

The successful implementation of KM and zero trust should be:

      • business focused;
      • supported by senior management;
      • embedded with the strategic vision and principles of the organization;
      • focused on higher value knowledge and higher value data;
      • able to demonstrate measurable benefits, such as competitive advantage and process improvement in tandem with risk mitigation and security; and
      • employed as a full organizational change.

Despite the decades-held belief that most security threats are external, it is inside threats that have risen to become a serious cause for concern; most recently, this is due to the extension of network access across mobile devices, cloud users, and employees working in hybrid or fully remote environments.

Behind the emergence of zero trust is a broad concept that applies to technologies, networks, IT architectures, and security policies. This concept holds that users within a network should be treated as if they could pose a threat. Therefore, enterprise resources and data are to be protected individually and access to these resources should be evaluated and analyzed continuously.

The zero trust future

Zero trust is not a particularly unique approach. IT professionals would consider the principles of this model to be a good housekeeping practice for any healthy secure enterprise. Most IT professionals have long taken great pains to design systems that consider inside risk as dangerous as any other risk. Therefore, zero trust systems have been developed to behave as an integrated platform that contextualizes information based on identity and security that has shifted risk measures from traditional perimeter models (e.g. firewalls) to one that is identity-centric. Through this process, key questions emerge, such as who has access to what information? When do they have access? How much access is given, and what business purpose does their access support?

This identity-centric approach is consistent with KM mapping. KM mapping outlines the business challenge of what we know with strategic goals that can then be supported with KM interventions, such as a knowledge base, intranet, sales wikis, and CRM platforms. Additionally, to be successful, both KM and zero trust require agreed-to measurable outcomes.

This simplified explanation of zero trust in a KM world is consistent with KM values that improve business agility which brings with it the priority of protecting internal data and internal assets.

Strategies to overcome perceived KM barriers brought on by a commitment to zero trust overlay with the implementation of zero trust models. These strategies include:

      • mapping “need to know” information (KM) alongside “need to secure” (zero trust);
      • finding common alignment with strategic goals;
      • outlining business objectives and agility with business security; and
      • agreeing upon measurable benchmarks and outcomes, remembering that i) not all measures are monetary values; ii) not all measures should be targets; and that iii) common solutions can be identified to overcome “imposed” targets.

Much like KM, zero trust is a new mindset that requires sweeping changes to be implemented effectively. On the surface this seems daunting, but after evaluating KM and zero trust, both can be implemented to improve organizational value and effectiveness.
