Find out what exactly constitutes a zero-trust approach and the best practice when it comes to switching to this model in your cyber security practices.
Zero-trust cyber security used to be a novel concept – one held with a certain degree of scepticism. However, recent research by IDG found that 21 percent of organisations have already implemented a zero-trust model, and 63 percent said that they plan to do so over the next 12 months.
It’s clear that when it comes to IT security, zero trust is now closer to the rule rather than the exception.
In this blog, we’ll take a look at what exactly constitutes a zero-trust approach and look at the best practice when it comes to switching to this model in your cyber security practices.
In the zero trust model, all users and devices – whether inside the corporate network or not – are deemed untrustworthy. Access is granted based on an evaluation of the risk associated with each request.
You can read our earlier blog with more details about what zero trust is and whether or not your organisation should be implementing it here. However, this blog will focus on six tips for implementing zero trust effectively.
Identity is the best starting point for zero trust. Using identity as the control enables you to treat every single access request as untrusted until the user, device and other factors are verified.
To qualify access based on these factors, you will need to implement new identity and access controls. Strengthen credentials with strong passwords and multi-factor authentication for users. Introduce access policies which to determine whether to allow, restrict or block access to particular resources based on credentials.
Micro-segmentation is useful for controlling the available attack surface in on-premises and legacy environments. It is an essential part of breach containment in this type of environment.
While you begin transitioning to a zero-trust approach, it is important that you maintain existing security solutions. You don’t want to reintroduce risks as you make the switch. For this reason, it is a good idea to maintain your existing firewalls and network protections while implementing your new identity and access control solutions.
An effective way to reduce your attack surface is to introduce a policy of least privilege. You can read our blog about a least privilege approach and why its ideally suited to a zero trust security model here.
Limit which users have access to the data and systems which represent your organisational “crown jewels”. By limiting how users access apps and resources in this way, you can reduce the impact of compromised credentials.
At a minimum, you will want to implement solutions for Endpoint Management Solutions (EMS), endpoint detection and response (EDR), email security and managed detection and response (MDR). It is also useful to add monitoring solutions to your cyber security infrastructure. We like Bitdefender for MDR and EDR.
When you implement a zero-trust approach, monitoring your environment does become more important. For smaller organisations or organisations which do not have staff with the appropriate skills inhouse, you will probably need to work with a cyber-security partner to monitor your environment proactively.
When you are implementing any change, communication is important. Involve staff in the transition, both in terms of explaining how the IT service they receive might change (such as through the introduction of new multi-factor authentication systems or new rules around passwords) and in helping them to identify and report any suspicious activity or potential security threats.
You staff are always your first line of defence when it comes to IT security, so educate them to make the right choices and stay informed and make it easy and comfortable for them to report incidents, including incidents which they might perceive as their fault.
For more advice or help with cyber security issues, including implementing a zero-trust approach at your organisation, please get in touch with the Grant McGregor team.
Call us: 0808 164 4142
Message us: www.grantmcgregor.co.uk/contact-us
You can find more advice about zero trust and other cyber-security topics elsewhere on our blog:
• Discover how zero trust is reflected in the new changes to Cyber Essentials for 2023