‘Zero trust’ is a relatively new buzzword in cybersecurity, but being new doesn’t make it any less important a concept. As an evolving approach to network design, the term means many different things to many different people. At its core, however, zero trust architecture removes any inherent trust from the network and instead sets out to gain confidence that each connection can be trusted.
Never trust, always verify
Traditional security models operate on the assumption that everything inside an organisation’s network can be trusted. They assume a user’s identity is never compromised and that everyone acts responsibly. The point at which an attacker first gets onto a network is rarely their actual target, yet traditionally, once a user has gained the network’s trust, they are fairly free to operate at will.
The zero trust model recognises that trust is a vulnerability. It is designed to protect modern digital environments through network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying user-access control.
The zero trust model has been applied to physical workplaces for decades. The default state of every exterior door is ‘closed’. An employee (the user) presents a code, key, card or some other form of credential, which lets them through the main door. All other doors to protected rooms remain locked, and the user must present their credentials again to be allowed through each one. If their credentials don’t match, the inner door stays shut. If the user repeatedly tries to enter rooms they aren’t authorised to be in, the machine learning in the security system will likely raise a warning so that the user’s motives can be investigated.
Not a barrier to productivity
As a term, ‘zero trust’ doesn’t sound conducive to good relations between IT and everyone else. Taken literally, it sounds as if the digital ecosystem will start distrusting, and therefore failing to recognise, users who are simply trying to do their jobs.
This is far from the intention of the model. If a deployment behaves this way, it has probably not been set up well. Zero trust actually aims to give the right person immediate access to the resources they need to do their job, while eliminating the risk of unauthorised access. A lot of communication and education may be needed to explain what has to change and why.
Works dynamically with you
Zero trust is not location dependent. For years businesses have been released from the confines of four office walls at a fixed address, and now our users, devices and workloads are everywhere. Location-based trust is no longer going to work for the majority of modern enterprises.
Users want to access critical applications and workloads from client sites, coffee shops, on the road and from their sofa. Zero trust requires consistent and deep visibility, enforcement and control, which can be delivered directly onto their device or through the cloud. A software-defined perimeter can provide secure user access and prevent data loss, regardless of where a user may be.
The strengths of zero trust
Having zero trust as the foundation of your infrastructure can strengthen the pillars upon which IT and security are built, including:
- User identification and access
- Segmentation of data and resources
- Data security
User identification and access
Multi-factor authentication (MFA) gives teams confidence in who is requesting access to what. A detailed policy structure then determines which resources each user may access based on that verified identity. In the zero trust model, the context of the request and the risk of the access environment are considered before entry is granted. This could mean limiting the functionality of a resource or enforcing session timeouts.
Access policies don’t adequately protect data if it all sits together behind a single entrance test. Zero trust segments an organisation’s network into compartments, keeping the most vulnerable assets heavily guarded and preventing lateral movement through the network.
Even with the above measures, data is still open to breaches when in storage and in transit. End-to-end encryption, automated backups and hashed data are ways of incorporating zero trust methods.
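The access evaluation described in this section, together with the locked-door analogy earlier in the article, as an added example in Python (not code from the original article): a small policy decision point that checks MFA, role and request context for each network segment, shortens the session and limits functionality as risk rises, and flags a user who is repeatedly refused. The segment names, roles and risk weights are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy table (hypothetical names): roles admitted to each segment.
POLICY = {
    "finance":   {"roles": {"finance"},          "sensitive": True},
    "logistics": {"roles": {"logistics", "ops"}, "sensitive": False},
}

@dataclass
class Request:
    user: str
    roles: set
    mfa_verified: bool
    device_managed: bool
    network: str   # "office", "home" or "public"
    segment: str   # network segment the requested resource lives in

@dataclass
class Decision:
    allow: bool
    reason: str
    session_minutes: int = 0
    restrictions: tuple = ()

def risk_score(req: Request) -> int:
    # Request context: an unmanaged device and a public network each add risk.
    score = 0 if req.device_managed else 2
    return score + {"office": 0, "home": 1, "public": 2}.get(req.network, 2)

def decide(req: Request) -> Decision:
    # Each segment is its own locked door: identity, role and context are checked again.
    rule = POLICY.get(req.segment)
    if rule is None:
        return Decision(False, "unknown segment: default deny")
    if not req.mfa_verified:
        return Decision(False, "MFA not satisfied")
    if not rule["roles"] & req.roles:
        return Decision(False, "role not authorised for this segment")
    risk = risk_score(req)
    if rule["sensitive"] and risk >= 3:
        return Decision(False, "risk too high for sensitive segment")
    # Higher risk buys a shorter session and reduced functionality, not a flat refusal.
    restrictions = ("read_only", "no_download") if risk >= 2 else ()
    return Decision(True, "allowed", max(15, 480 - 120 * risk), restrictions)

def record(denials: dict, req: Request, decision: Decision, threshold: int = 3) -> bool:
    # Door analogy: a user repeatedly refused entry should be flagged for investigation.
    if not decision.allow:
        denials[req.user] = denials.get(req.user, 0) + 1
    return denials.get(req.user, 0) >= threshold
```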
The challenges of zero trust
While zero trust is a very comprehensive approach to securing access and providing protection, it’s not without its challenges, including:
- Distributed and different user types
- Variety of devices
- Application types
- Storage methods
Remote work, whether occasional or a regular occurrence, is entirely common in most organisations these days. Data is accessed from home IPs, routers and public WiFi, as well as the main office connection.
Added to this, users aren’t just employees; they could also be customers, suppliers or official bodies. Any number of external users may need access to operations, inventory, safety and logistics features.
In the zero trust model, each of these user types needs to be assigned a specific access policy. Determining every individual’s needs can be time-consuming and form a significant workload for the person responsible.
In line with the need for users to work ‘wherever’, they may also work from ‘whatever’ – that is, any device of their choosing. This means factoring in different operating systems, properties and communication protocols – all of which have to be tracked and secured. It is a time-consuming set-up process, but one that should yield positive results overall.
Organisations typically use a vast number of applications to enable teams to collaborate and communicate, but who has access to each? If the design team can open the finance software, and the finance team can open the logistics app, there is a little too much trust going on. Working out which users (internal and external) need access to which apps is the starting point for refining your zero trust approach.
As more data is stored in cloud environments, securing it requires a more modern approach. Who is allowed to use particular storage, and how that storage is configured, are further challenges in forming a zero trust strategy.
Zero trust access is more critical than ever
As cyber threats grow more sophisticated, their aim in many cases is to inflict damage while remaining silent. They target both operational and information technology across the increasingly automated supply chain. If an attacker manages to break into the network at a weak point, say through an application, that should not lead to a catastrophic collapse of the whole system. While the initial response may be to limit access all round, this isn’t practical for a dynamic and efficient business. A better solution is a scalable system which can establish and monitor zero trust.
If you’d like to discuss how to achieve a zero trust architecture within your organisation, we’d be very happy to have a chat.