If you’re heard the term Zero Trust in the context of cybersecurity but aren’t sure what it is, this blog will get you up to speed.
Before we explain the concept of Zero Trust, it’s important to understand how and why it has evolved. Let’s dive in.
Traditional security models with a defined network perimeter - much like city walls and a moat around a medieval town - are no longer fit for purpose in modern workplaces. The shift to remote work and a move to the cloud means that the traditional, single perimeter around corporate networks is almost impossible to maintain. Today employees work from various locations often on several devices. And, as cloud computing has been embraced, multiple cloud perimeters have been created.
But it goes beyond perimeter erosion. Cyber threats are becoming alarmingly sophisticated, making traditional defences inadequate. The enemy is no longer just outside your city walls. Basically, each credential is a potential backdoor in the system that might be used by an attacker. Breaches can happen from within, whether intentionally or accidentally. High-profile data breaches have exposed the limitations of conventional security measures.
As cloud computing took hold, a new way of tackling security was needed. John Kindervag, a former Forrester analyst, first proposed the Zero Trust model in 2010 with the aim to prevent data breaches and cyberattacks by minimising the attack surface and reducing the potential for lateral movement within a network. Today the Zero Trust model is security best practice. Yet many business leaders still don’t fully understand what it is.
It’s important to understand that Zero Trust is not another new technology. It is a security model or framework, a different way of thinking about where threats may come from.
Unlike traditional models that trust users and devices within the network perimeter, Zero Trust assumes everyone and everything needs constant verification before they can access resources. It acts as though a breach has already happened, that the network is compromised and that any entity or request could be malicious.
With the core principle of ‘Never trust, always verify’, a Zero Trust model enforces strict policies for every access request or transaction, while still ensuring that employees can get their work done.
While ‘Never Trust, Always Verify’ is the core principle, there are other principles that underpin the model:
Zero Trust grants the minimum level of access needed for each user, device and application, using the concepts of just-enough-access (JEA) and just-in-time (JIT). Every person or non-human entity is only given access to the applications or information that have been approved for them, and only for a certain period of time. For example, if someone is added to a team for a specific project, they may be given access to select files for the duration of that project, but after that, their access is revoked.
A Zero Trust approach divides security perimeters into small zones to maintain separate access. Imagine different departments within an organisation - and possibly even teams within these departments - each having their own security perimeter, so that someone from marketing for example, couldn’t access HR records. This approach enforces granular permissions and segmentation, which limits the exposure of sensitive data and resources and prevents unauthorised access in case the security is compromised.
Even with micro-segmentation, Zero Trust insists on multiple forms of verification before access is granted. This could be an SMS sent to your phone, a password request, or a click on an authenticator app. The challenge for companies is to achieve the right balance between remaining secure without impacting productivity. High performance workplaces that set up an effective Zero Trust strategy hit the sweet spot between these two objectives.
A Zero Trust model implements a real-time monitoring and validation of the security posture at all times. For example, if an employee logs on from London at 9am but then just two hours later, is shown to be logging in from India, an administrator would be alerted that this is a potential risk as it wouldn’t be humanly possible for that person to travel between the two places in the time frame. This automated, constant monitoring ensures potential issues are flagged immediately.
Zero Trust has this enhanced security without impaction the user experience. To do that, Conditional Access is used and involves implementing context-aware access controls and adaptive authentication mechanisms to strike a balance between security and usability.
A Zero Trust approach is not without its challenges, particularly when it comes to set up and integration with existing security products and systems. We will discuss in the next blog in the series. But the benefits far outweigh these. High performance workplaces adopt a Zero Trust model to achieve:
The attack surface in a Zero Trust model is significantly reduced and mitigates the impact of breaches. Even if a hacker gained access to a particular account, if they then try to access another resource, they will have to go through the authentication process, stopping them before they can do any significant damage.
As Zero Trust models provide continuous monitoring, it generates detailed access logs, which facilitate regulatory compliance for data protection. By applying consistent and granular policies, Zero Trust can help with audit requirements and provides confidence that data is accessed securely.
In a bid to boost security, organisations can end up with many security solutions, some of which do the same thing. Zero Trust simplifies the security architecture by eliminating the need for multiple, disparate solutions that are hard to integrate and manage. By using a unified platform and a standardised framework, Zero Trust can lower the operational and capital expenses of security.
Employees need to be able to do their job efficiently and collaboratively from anywhere, without putting the company at risk. Zero Trust enables secure and seamless access to data and applications, regardless of the location, device, or network of the user. By providing a consistent and frictionless experience, Zero Trust improves the productivity and satisfaction of the users.
Read on to discover how to implement a Zero Trust model.
If you want to understand your current security score and how you can move towards a Zero Trust model, request a free one hour envision workshop with SoftwareOne.
If you want to understand your current security score and how you can move towards a Zero Trust model, request a free one hour envision workshop with SoftwareOne.
