Essentially, Zero Trust architecture trusts no one. This might sound a little dramatic, but for the way we now work it makes sense.
Very few companies these days exist purely in one location with everything stored on-prem. We’re everywhere: working at home, at client offices, on the train. And we’re using multiple devices to do so. Traditional security architecture is not sufficient to secure the way we now work.
Zero Trust is a term coined by Forrester Research analyst John Kindervag, with the motto being “never trust, always verify”. Kindervag recognised that despite cyber security becoming a focus, there was still an underlying assumption that attacks were only a threat from outside of the organisation.
The idea of Zero Trust is that all users, inside and outside the organisation, are authenticated, authorised, and continuously validated before they are granted access to applications and data.
What came before Zero Trust?
Zero Trust has been around for over a decade now, but there were other security frameworks before this. The most widely adopted framework was a ‘perimeter-based’ network security model.
This model assumed that any user inside the network perimeter was trusted and anything outside was not.
With applications moving from on-prem to cloud, remote working and working from more than one device, the ‘perimeter-based’ model is outdated and it doesn’t keep up with how we now work, making businesses vulnerable to attacks.
Should every business be using it?
But we know some organisations put it off because it can sound complex, costly, and time-consuming.
Zero Trust isn’t about scrapping everything you have and starting again. With the right expert support, you can utilise what you have and adapt it to start shaping your Zero Trust model.
It starts with assessing what you have now. Bringing in external support can help bring a holistic view of what you have and where to begin, mapping out the most practical journey to Zero Trust.
Ultimately, businesses that don’t adopt Zero Trust will become an easy target for attackers.
Where do you start?
Identifying what you have already is the best place to start.
Assets, applications, and data
It’s all about identifying what your most critical and valuable assets are, where they sit and how they’re currently protected. Knowing what these are will help prioritise what needs to be secured first.
Once we know this, it’s on to figuring out who our users are and what they need access to. The word ‘need’ is key here. It’s easy to give blanket access to everyone in the organisation because they’re our employees so we trust them. But Zero Trust is all about not trusting anyone, and that includes everyone inside the organisation.
A key principle of Zero Trust is least-privilege access. That means giving users only the access that they need, nothing more, nothing less. Restricting access in this way minimises the threat risk.
Another point of vulnerability is devices. Gone are the days of working solely on one desktop in the office.
Zero Trust takes this into account by monitoring the different devices that attempt to gain access to the network and ensuring every device is authorised. Most of us already have some level of this in place because of working from home.
Think of Multi-Factor Authentication (MFA): that’s a key part of Zero Trust, though you might not even realise it. MFA, as the name suggests, requires multiple forms of authentication before granting a user access. It’s a secure way of proving who the user is and whether they, and the device they’re on, have the right to gain access.
What to do next?
This is a brief overview of what Zero Trust is, touching on some of the core principles that make it an efficient security framework for modern organisations.
It’s a big concept, and how it will work for your business will completely depend on what you currently have in place.
If you’d like to talk through your current setup and start talking about how Zero Trust could be implemented for your business, get in touch.