Much has been written about the ability of zero trust architecture to support compliance and improve risk management. But how are zero trust, audit and compliance connected? What role can zero trust play in helping auditors deliver on their risk and compliance obligations?
Zero Trust, Audit and Risk
A few consistent themes keep auditors awake at night: cybersecurity is a growing concern, alongside data protection and compliance challenges.
Zero trust is one way to tackle these challenges. Does it, therefore, have the potential to be a “silver bullet” for internal auditors striving to improve risk management and avoid the risk of regulatory compliance breaches?
What Is a Zero Trust Framework?
Briefly, a zero trust architecture, sometimes called a zero trust framework or zero trust assessment, assumes that any device, user or application on your network is untrustworthy until verified otherwise.
It demands that all users, whether inside or outside a corporate network, are authenticated, authorized and validated before being given access to corporate applications.
What is the purpose of zero trust architecture? By assuming that no user or application is inherently trustworthy, a zero trust architecture makes policy and process, rather than the subjective concept of trust, the crux of decisions on access.
As businesses digitalize at an increasing pace, digital governance and cybersecurity best practices grow ever more crucial. In a world of remote and hybrid working, a zero trust framework can help ensure the security of your operations.
What Does Zero Trust Prevent?
Zero trust is designed to prevent unauthorized access to an organization’s systems or applications. By requiring all users, devices or applications to verify their right to access the system, it:
- Increases your organizational security and protects against cyber threats
- Shuts down potential risks before they can do harm by routinely checking and reviewing permissions at every step
- Reduces the risk of regulatory breaches by reinforcing your governance, risk and compliance programs, not just by making them more robust but by providing the evidence you need to substantiate your compliance claims
How Does Zero Trust Help Auditors?
What’s the connection between zero trust and best practice internal audit? Why should auditors care about the zero trust concept?
Auditors are under increasing business pressure to evidence robust corporate defense against an ever-growing list of threats. Cybersecurity is chief among these, with experts predicting that cybercrime will cost companies worldwide a staggering $10.5 trillion annually by 2025, up from $3 trillion in 2015. No wonder organizations are shifting their cybersecurity strategies from tick-box compliance to proactive risk management.
And with cyber risks come threats to data integrity and security, and therefore to your regulatory compliance. This is where the worlds of zero trust, audit and compliance converge.
Zero Trust, Audit and Compliance: Joining the Dots
For the IT team, zero trust helps to ensure watertight security and prevent breaches. For auditors, zero trust helps you demonstrate your data management and data protection strategies.
Many regulations demand that organizations can evidence their collection, use and storage of data to comply. Because a zero trust framework requires robust asset identification and data mapping, it can give auditors vital assurance about the data in the company’s systems: where it is being kept, and what applications or devices have access to it.
Audit’s Role in All Aspects of Zero Trust
In each of the seven steps of zero trust, there is a role for the audit team.
Step 1: Define your “protect surface”: the items your zero trust architecture needs to protect.
The role of audit: Identify whether the organization’s zero trust roadmap comprehensively identifies the protect surface, and ensure data classification in the organization’s systems aligns with the organizational data classification policy.
Step 2: Map your transaction and traffic flows: identify how, where and by whom data is moved around your business.
The role of audit: Assess network diagram documentation and ensure any data flows are accurately represented. Ensure security policies are updated with any changes to network diagrams and interdependencies.
Step 3: Implement a zero trust architecture. Build network controls that only allow legitimate access and data flows and gain an understanding of flow intent (i.e., why data is moving).
The role of audit: Determine whether your zero trust architecture meets your corporate objectives and needs. Ensure the reality of implementation marries up with your planned zero trust framework.
Step 4: Create your zero trust policies and controls. Set clear policies and strict controls to avoid ambiguity and ensure that data access is firmly and consistently controlled.
The role of audit: Assess whether your zero trust policies are adequately defined for your identified protect surface. This should be regularly repeated to ensure that policies remain sufficient as your zero trust strategy evolves and develops.
Step 5: Conduct appropriate monitoring. Set up regular measurement and monitoring to ensure that your processes and controls are being adhered to and that a compliant audit trail is being created.
The role of audit: Ensure that those responsible for monitoring:
- Have an appropriate baseline
- Log their findings consistently and accurately
- Update monitoring approaches in line with any changes in process or policy
Step 6: Identify whether automation can make your zero trust approach more robust, reliable and simpler to maintain.
The role of audit: In any procurement, not just IT for zero trust, audit has a part to play in determining that the best value is achieved. Any automation brought in to support zero trust needs to be rigorously assessed to ensure it meets the business’s needs and delivers as promised.
Step 7: Revisit and continuously expand. Your zero trust network will grow as you add new or additional data, applications, assets, and services (DAAS).
The role of audit: Implementing zero trust is an iterative process; therefore, any expansion of the network needs to revisit the steps above, with the relevant audit team actions at each stage.
Using Zero Trust, Audit Can Benefit
When risks change rapidly and grow exponentially, internal audit teams need to move fast to keep pace. The related threats of cyber-attacks, data breaches and compliance failings challenge auditors — but there are ways to counter these risks.
Zero trust, audit teams are realizing, can play a role in making risk management more reliable, robust and consistent. Hopefully, this article has given you an idea of how you can harness zero trust methodologies to support internal audits.