Zero Trust is a security model that I believe can begin to turn the tide in the cybersecurity battles. Traditional perimeter-based network security has proved insufficient because it assumes that if a user is inside the corporate perimeter, they can be trusted. We’ve learned that this isn’t true. Bad actors use methods like password spray and phishing to take advantage of a workforce that must remember too many usernames and passwords. Once behind the corporate firewall, a malicious user can often move freely, gaining higher privileges and access to sensitive data. We simply can’t trust users based on a network as the control plane.

The good news is that there is a solution. Zero Trust is a security strategy that upends the current broad trust model. Instead of assuming trustworthiness, it requires validation at every step of the process. This means that all touchpoints in a system—identities, devices, and services—are verified before they are considered trustworthy. It also means that user access is limited to only the data, systems, and applications required for their role. By moving from a model that assumes trust to one that requires verification, we can reduce the number and severity of security breaches.

You can begin implementing a Zero Trust access model now. Expect this to be a multi-year process, but with every action, you’ll make incremental progress that improves your security posture. Start with implementing Multi-Factor Authentication (MFA) to better protect your identities and then develop a phased plan to address identity access, device access, and network access. This is the approach that Microsoft has taken.

Take a look at our Zero Trust access model implementation plan for more ideas on how to structure each phase. You can also look at my advice on preparing your organization for passwordless for tips on better securing your identities.

We are on this journey together. I will continue to share insights and advice in the coming months and years.