“Zero Trust” is one of the latest IT phrases to be bandied about, but what does it mean? And is it something your organisation needs to be thinking about?
Zero Trust is a model for IT security. Although it is not a new concept, there is an increasing amount of attention on it. This is because it is particularly suitable for cloud computing and remote working. Plus, as the model has become prevalent, an increasing number of systems are now designed and available to support it.
The term Zero Trust was coined by John Kindervag(1), a former Forrester research analyst, in 2010. It is based on the motto “never trust, always verify”.
Zero Trust is a security concept that requires all users to be authenticated and authorised. This applies even to users inside the organisation's enterprise network.
The policing of such a model relies on systems being in place that can validate the users’ security configuration and posture on a continuous basis, before granting them access to applications and data.
The traditional approach to IT security placed firewalls on the perimeter of a company network and, once users are logged into the network, automatically trusted them. This puts the organisation at risk from the exploits of malicious internal actors. In addition, if an external actor does gain access to the network, there are few further checks in place to limit their movement within and across the network.
The old model is made even less effective by the changes that are happening in IT right now. Today, companies are increasing the number of endpoints within their network (adding mobile and IoT devices, which might not be as secure as traditional infrastructure) and expanding out into cloud-based activities and servers.
These trends make the concept of a “perimeter” much more complex.
Now, the sudden move to remote working that has taken place over the last twelve months has made the notion of perimeter almost redundant. This makes it very timely to consider adopting a Zero Trust approach if you haven’t already done so.
Moving to a Zero Trust model requires a rethink about systems and policies.
Policies that are essential to a Zero Trust approach:
• Create a directory of all assets and map the transaction flows
• Create micro-perimeters within the network to restrict and prevent lateral movement
• Ensure the most critical assets are given the highest level of security
• Implement a “least privilege” access policy for all users and endpoints
• Require multi-factor authentication of users
• Monitor access to and movement across the network; create alarms around suspicious activity, so you can investigate and take remedial action quickly
• Create a company password policy not just for users but for equipment & websites too
To implement these policies, you may also need to change the security technologies you deploy.
Technologies required to follow a Zero Trust approach include:
• Identity and access management (IAM)
• Next-generation endpoint security (monitoring, detection and management)
• Real-time network monitoring tools and reporting
Not all network resources and applications are ready for a Zero Trust approach. The combination of cloud and legacy infrastructure can make finding a suitable security model much more complicated.
If you are using legacy apps and cloud apps, a hybrid approach might be necessary initially. This inevitably raises complexity and cost and can result in an inconsistent user experience. Understanding what is going to be the best approach for your organisation will require a detailed understanding of your network, applications, endpoints and policies. This way, you can decide whether Zero Trust is the right approach for your organisation.
If you’d like to know more about how to implement a Zero Trust approach, Microsoft resources include a Zero Trust business plan(2) which is a worthwhile read.
Furthermore, the National Cyber Security Centre(3) includes a number of resources on its website, including a list of ten Zero Trust architecture principles:
• Know your architecture including users, devices, and services
• Create a single strong user identity
• Create a strong device identity
• Authenticate everywhere
• Know the health of your devices and services
• Focus your monitoring on devices and services
• Set policies according to value of the service or data
• Control access to your services and data
• Don’t trust the network, including the local network
• Choose services designed for zero trust
Grant McGregor is on hand to assist with any queries you might have about cyber security, including assessing whether adopting the Zero Trust model is right for your organisation.
Grab our handy infographic primer to Zero Trust – containing the vital info you need: