Trust no-one! The ‘Zero Trust’ approach sets up a framework within cyber security that makes one huge assumption: don’t trust anyone who is accessing your network.
This approach turns traditional cyber security on its head and recognises a need to change and adapt cyber security policies as cyber threats evolve. While bad actors seem to find new and novel ways to attack, organisations must look at ways to protect their security.
Although Zero Trust policies have been evolving for some time now, with more people working remotely and with the loss of exclusivity on certain devices, it has been thrust into the mainstream.
Why Zero Trust is so important
At the core of a Zero Trust policy lies the belief that not everything behind your firewall is automatically safe. Instead, the Zero Trust model assumes that at each point there may be a breach and verifies each request.
The trend towards Zero Trust is led by a rapid shift to a remote workforce combined with an increasingly connected world where data is prone to complex attacks.
The traditional security perimeter is not enough on its own – now organisations must combine these with a higher security level which assumes the weakest link could be within your own organisation.
Taking a people-centric approach and understanding your biggest risk
By adopting a people-centric security policy, you can identify who your most risky people are in an organisation. While traditional cyber security tools can be used to safeguard well-defined perimeters (firewalls etc.), and its focus is on the infrastructure, bad actors can exploit human weakness.
Email is a perfect example: people can be distracted or have a small lapse in judgement, and before you know it, they’ve clicked on a malicious link. By adding in these risks to your policies, you can set up protections.
In the modern world, network perimeters are reducing, with the changing work environment seeing people becoming the new perimeter.
Devices and users wanting access to the network must always verify their identity. This principle of “trust no one” enables security administrators to always verify access requests before it grants access to a network.
Implementing a Zero Trust framework – where to start?
Implementing and managing Zero Trust can actually be quite simple when you follow a process and format - it just takes commitment. And a willingness to also gather and analyse security log events.
Once you’ve taken a detailed analysis of your security and network teams and assigned responsibilities based on the architecture as well as the networks, you can then move onto the practical steps.
It is widely agreed there are 6 areas to consider when implementing a zero-trust framework:
- Identities
Identify users (whether that is people, services, or devices) then define the access granted to each identity by profiling each identity. You can segment your network and set up systems and devices according to the types of access they allow and the categories of information that they process. - Devices
With the diversity of smartphones, on-site and offsite devices, and cloud networks, there is a huge attack surface area. Therefore, it is imperative you monitor and enforce device health and compliance for secure access. - Applications
Add application inspection technology to your existing firewall controls and ensure technologies are applied to all applications. This ensures apps have appropriate permissions and secure configurations. - Data
All data should be protected to the highest possible levels. This means ensuring data is encrypted, and access is restricted based on identified needs. - Infrastructure
Continuously and holistically protecting against attacks on-premises or in the cloud. - Networks
Establishing controls to segment, monitor, analyse and encrypt end-to-end traffic
If you’d like to learn more, listen to our mini-podcast series where we uncover some fundamental questions about the Zero Trust security model.
