By Need

Optimize IT Environments for Cost, Efficiency, and Security

Managed solutions that lower TCO while increasing your ROI

Security Programs

Enterprise wide security programs & zero trust

Hybrid Cloud Environments

Secure, scalable, and optimized

Modern Networks

The crucial foundation of business

Anytime Secure Access

Combining productivity and security

Innovation Velocity

Improved developer experiences

Managed Carrier Services

High performance and cost effective

Staff Augmentation

Strategic IT talent on-demand

View All Needs

By Industry

Finance & Banking

Stay ahead of today’s rapid change

Healthcare & Life Sciences

Improve lives with modern solutions

Business Services

Create efficiencies for sustained success

Public Sector

Serve the community with technology

Manufacturing

Unlock efficiencies for Industry 4.0

Retail

Get closer to customers

View All Industries

By Function

IT & Operations

Support your strategic vision

Engineering & Development

Enhance your developer experience

Finance & Procurement

Optimize for cost and security

Product Management

Make your vision a reality

HR

Focus on your people

View All Functional Areas
Managed Services

Remove the complexity of daily IT maintenance and focus on business growth

Cybersecurity & Risk Management

Secure business processes without sacrificing employee productivity

Cloud

Accelerate digital transformation while optimizing for cost

Carrier Services

Simplify and centralize complex business communication systems

Modern Workspace

Empower employees to work from anywhere on any device

Networking

Connect traditional environments to new secure cloud possibilities

Datacenter Modernization

Adapt to a hyperscaled cloud-first IT environment

Resource Management

Find the talent to drive your critical initiatives forward with confidence

View All Services

Learn

Knowledge Center
Events & Webinars
Blog
News

FEatured Resource

Cybersecurity & Risk Management 9 min read

Protecting the Digital Break Room: Collaboration Security for Microsoft Teams

By Jeremy Bello
Partners

Company

About Blue Mantis
News
Leadership
Awards
Philanthropy
Careers

FEatured News

4 min read

A Year of Transformation Produces Strong Tailwinds for Blue Mantis in 2024

By Josh Dinneen
Let’s Meet
All Blog Posts
Cloud

What Is Zero Trust Security?

By Jay Martin February 3, 2023

It was over a decade ago when cybersecurity industry analyst John Kindervag introduced “zero trust security” to the IT world. The idea behind the zero trust security framework was to keep user data safe from cyberattacks no matter what devices or networks were used to access the data. But although zero trust security is a great idea, it’s often misunderstood by business leaders and IT organizations alike.

Companies are struggling to take zero trust from concept to practice. Some business strategists in the C-suite are confused by the thought of zero trust security as a framework rather than a product. For decision makers and their employees, readjusting to the idea of zero trust security involves rethinking an outdated perimeter-focused cybersecurity strategy. Adopting the framework can also be daunting for some organizations because implementing zero trust security is not a one-size fits all paradigm.

Blue Mantis is unique among IT solutions providers because we are committed to infusing all our solutions with zero trust security. To help business decision makers understand how the zero trust framework enhances their organizations’ security at scale, I want to describe exactly what zero trust is—and why it is needed.

What is the Zero Trust Security Framework?

The zero trust security framework assumes that no user, device, or network connection can be trusted by default. Instead, it requires strict and continuous identification verification before granting access to data and resources. 

The core tenet of zero trust security states “Trust No One.” Whether the user or asset is internal to your corporate network (in an office) or external to your network (remotely accessing). Any access to corporate data—no matter if it’s located in the cloud, on a server in a closet, or on an employee-owned tablet connected to public WiFi at a coffee shop—needs to continually be evaluated against three core principles:

  1. Apply Least Privilege Access – Zero trust requires IT to apply least privilege access to assets, no matter where they are located. You can also think of this as applying “just in time access,” giving just enough permission to the people who need access to the data or application that they need to do their job. For example, a company with zero trust security would not provide marketing staff members with unfettered access to financial systems. Access to HR systems in order to view employee HR records in a zero trust model if only given to authorized HR employees. 
     
    Granting least privilege access can be summarized as “just because they’re on the network doesn’t allow them to get to anything on the network.” That’s what bad actors do. They get in the network; they scan the network for any devices out there that are listening; and then they try to take advantage of vulnerabilities or misconfigurations that they can find and move laterally. Zero trust can shut that down. Within a zero trust environment, we no longer allow anyone requiring access to data or an application the ability to discovery other systems, networks, IoT devices or data outside of their privileged access capability. 
  2. Verify Identities Explicitly – As we’ve seen in many high-profile cyberattacks, identities can be forged. Millions of usernames are available to criminals on the dark web. Hackers have tools that can easily brute force a password login and even bypass multifactor authentication (MFA) in many cases to fake an authorized identity. Zero trust security requires continuous verification for establishing user identity. Imagine an employee logged in from the office on their workstation in the morning, is granted access to a system, then logs out in the evening from that workstation. So, if that same employee tries to log into the corporate email system from a coffee shop using an unknown device, a zero trust security framework looks at that login attempt with suspicion. The username and password are known, the MFA is correct, but now the user’s logging in from an unknown device. 
     
    Zero trust security asks tough questions to explicitly verify not only the user, but the device identity, too. For instance, is this device (whether it’s company-owned or personal), registered with the IT department for use by this user? Does the device have the proper anti-malware and antivirus protections sanctioned by corporate IT? Are the latest OS and application patches installed? Does the device have the latest browser updates? Based on any (or preferably all) of those criteria, zero trust can deny access. These added steps will likely trigger a call from the employee to the helpdesk, but IT decision makers should view this as a “feature” rather than “bug” of the zero trust security framework. 
  3. Assume a Breach – An organization should operate on the assumption that the bad actors are already on your network. They’re sitting there idle, watching what you’re doing, and waiting for the right time to launch the worst case scenario on your organization. To mitigate this potential disaster, zero trust requires IT teams to collect telemetry and gain deep visibility into everything. This visibility enables IT security professionals to see what is going on across networks, where the traffic on the network is originating, where it’s going, who is accessing the data, and what they’re doing with that data. By assuming your organization is already breached and having end-to-end visibility into all networks, clouds, and devices, an IT team can easily tell when bad actors are moving data offsite and determine anomalous behavior.

Is Zero Trust Security a Technology?

No, zero trust security is not a single technology or product that an organization can purchase. Think of it as defense in depth backed by an executable framework (based on CISA 2.0 model) and non-prescriptive abstracts like NIST 800-207. Zero trust starts with the adoption of a governance, risk and compliance program that sets the high level definition for protecting identities, devices, network and infrastructure, applications and workloads, and data. Automation and orchestration and visibility and analytics remove manual intervention and report on the zero trust environment respectively for continuous improvement.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), organizations can implement this strategy using the Zero Trust Security Maturity Model. It’s the same model that we use at Blue Mantis to assess a customer’s current IT security state, identify gaps and risks, prioritize actions, and track progress toward achieving zero trust security:

It is important for business leaders to understand that adhering to the zero trust security framework is a business strategy rather than a technology play. You’re right to be skeptical if a technology vendor is pitching you on a single hardware appliance for “zero trust security.” That’s because successful implementation of a zero trust framework requires multiple organizational disciplines, strategies, and technologies to come together to share context and vision before zero trust can help reduce risk and help protect an organization’s data.

Deploying IT Solutions Built on Zero Trust Security

Today’s modern workforce is cross-generational with either a significant portion of employees working either in a hybrid office or completely remote. Add to that the fact that corporate IT setups are largely cloud oriented, and you’ll get why IT leaders are so driven to balance security with productivity (while also managing costs and complexity).   

By deploying IT solutions built on the zero trust framework, you can achieve these goals and benefits:

  • Enhance data security and reduce cyberattack risk by eliminating unnecessary systems, apps, and network connections that can be exploited by attackers.  
  • Deploy, automate, and orchestrate improved security controls, monitor and respond to threats, and report on the effectiveness of your security framework.  
  • Enable true work from anywhere scenarios by providing your employees with the appropriate access to data and devices based on constantly-verified user identification methods.

Overwhelmed? Blue Mantis Can Help

For years, the majority of IT decision makers say that increasingly-advanced security threats make the stakes of successful data protection greater than ever. Blue Mantis builds and deploys custom IT solutions on the zero trust security framework. If your business is considering a zero trust strategy, then connect with our experts. We will help you in the development, implementation, enforcement, and evolution of these powerful new security policies—and do it in a way that fits your budget.

Jay Martin

Vice President Security

With over 20 years in Information Technology and Information Security, Jay Martin brings a strategic vision and deep technical expertise to his role as VP, Security at Blue Mantis. Throughout his career, he has helped organizations of all sizes achieve service excellence and navigate the ever-evolving cybersecurity landscape. 

Jay is charged with extending Blue Mantis’ hypergrowth in cybersecurity, including assessment of market, customer and partner requirements and overseeing overall positioning and optimizing services delivery. He collaborates closely with the Blue Mantis IT team to ensure the company’s internal security posture and cyber resiliency remain at a world-class level.  

Jay’s background spans various IT disciplines, including network engineering, technical support, operations management, and security. This well-rounded perspective allows him to translate complex cyber threats into practical solutions that align with business goals.  He has a proven track record of architecting security programs, implementing robust solutions, and fostering a culture of security awareness within organizations. 

Before joining Blue Mantis, Jay held leadership positions at several companies, including InteQ Corporation and Hewlett-Packard – NetMetrix. In these roles, he successfully implemented industry best practices like IT Service Management (ITSM) to streamline IT operations and ensure service excellence.  He also leveraged his expertise in IT security and enterprise monitoring to develop comprehensive security programs that met compliance requirements. 

Jay is passionate about staying ahead of the curve. He holds industry-recognized certifications like CISM (Certified Information Security Manager) and actively participates in industry forums. This dedication to continuous learning allows him to lead Blue Mantis’ cybersecurity team in delivering innovative solutions that empower businesses to thrive in the digital age. 

Recent Blog Posts

View All Posts
Cybersecurity & Risk Management 6 min read

The CrowdStrike Incident and Windows Crash: What to do and How to fix it

By Pete Harris
Managed Services 6 min read

Focus on Growth with Blue Mantis Managed Services

By Geoff Smith
Carrier Services 7 min read

3 Reasons Why Your Business Needs 5G-Connected Laptops

By Kurt Karshick