Are we moving towards a world of Zero Trust?
Let’s be clear from the outset: a world of Zero Trust does not imply that we will no longer have any faith in our fellow occupants of planet Earth. Rather, it is a buzzword that refers specifically to a technological approach to dealing with cyber attacks launched against corporate networks. And in this context, a “trust no one, trust nothing” approach to security is becoming imperative.
This is especially critical in today’s world of remote working, where employees, business applications and data are becoming ever more dispersed from the corporate premises, increasing the attack surface through which an attack can be launched. Security also has to contend with the proliferation of IoT and smart devices that are now coming onto corporate networks.
The traditional network security model uses the “castle and moat” concept. It assumes that everything inside an organization’s network (the castle walls) should be trusted, that a user’s identity is not compromised and that all users act responsibly and can be trusted. This model is based on a “trust but verify” approach. The problem is that once an attacker gains access to the network, they have free rein over everything inside. And with so many users, devices and applications on the network, it is hard to know which ones to trust.
This concept is clearly outdated.
Zero-trust access (ZTA) means that no one is trusted by default from inside or outside the network. It focuses on verifying the users and devices that are connecting to the network, confirming their identity and making sure they have just the right amount of access and trust, no matter where they are located.
Let’s look at the main principles underpinning Zero Trust security.
· Ongoing monitoring and validation: a Zero Trust network assumes that attackers exist both inside and outside of the network, so no users or technologies are automatically trusted. Zero Trust verifies user identity and privileges as well as device identity and security, both of which are continuously re-verified.
· Least privilege access: this means giving users only as much access as they need, thus minimising each user’s access to sensitive parts of the network.
· Device access control: Zero Trust places strict controls on any devices accessing the network, monitoring how many different devices are trying to access the network, ensuring that each device is authorised and assessing them to make sure they have not been compromised.
· Micro-segmentation: in order to maintain separate access for separate parts of the network, security perimeters are broken up into small zones. A person or programme with access to one of those zones will not be able to access any of the other zones without separate authorisation.
· Inhibiting lateral movement: “lateral movement” is when an attacker moves within a network after gaining access, and it can be difficult to detect. Zero Trust is designed to contain attackers so that they cannot move laterally. Furthermore, once their presence is detected, the compromised device or user account can be quarantined and cut off from further access.
· Multi-factor authentication (MFA): this is a core value of Zero Trust security. It means that more than one piece of evidence is required to authenticate a user; just entering a password is not enough to gain access. For example, in addition to entering a password, users may have to enter a code sent to another device, such as a mobile phone, in order to authenticate their identity.
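To show how these principles combine at the point where an access decision is made, here is an added example (not code from the original article or from any product) of a minimal policy decision function: default deny, MFA required, device registration and compliance checked, a time limit after which identity and device must be re-verified, a per-segment role policy so that access to one zone says nothing about another, and a quarantine list that cuts off a compromised device. The segment names, roles and time limit are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample policy: which roles may reach which micro-segment (least privilege).
SEGMENT_POLICY = {
    "hr-payroll": {"hr-admin"},
    "eng-ci": {"engineer"},
    "public-wiki": {"engineer", "hr-admin", "contractor"},
}
MAX_VERIFY_AGE = 300   # seconds before identity and device posture must be re-verified
QUARANTINED = set()    # devices cut off after a compromise is detected


@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_verified: bool
    device_id: str
    device_registered: bool
    device_compliant: bool   # e.g. disk encryption on, patches current
    segment: str             # the micro-segment being requested
    verified_at: float       # time identity/device were last verified
    now: float


def quarantine(device_id):
    """Lateral-movement containment: every later request from this device is denied."""
    QUARANTINED.add(device_id)


def evaluate(req):
    """Default deny: every check must pass. Returns (allowed, reason)."""
    if req.device_id in QUARANTINED:
        return False, "device-quarantined"
    if not req.mfa_verified:
        return False, "mfa-required"
    if not req.device_registered:
        return False, "device-unknown"
    if not req.device_compliant:
        return False, "device-noncompliant"
    if req.now - req.verified_at > MAX_VERIFY_AGE:
        return False, "reverify"            # continuous re-verification, not a one-off login
    if not (req.roles & SEGMENT_POLICY.get(req.segment, set())):
        return False, "segment-denied"      # access to one zone grants nothing elsewhere
    return True, "allow"
```

Each denial carries a reason so the decision can be logged and alerted on; a burst of "segment-denied" results from one account is exactly the lateral-movement signal a Zero Trust deployment wants to see.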
So, how do you implement Zero Trust security? It may sound complex, but adopting this type of security platform is usually relatively simple with the right technology partner. If you would like impartial advice on the steps you can take to apply a Zero Trust approach to your network security, call me, Paul Hagan, or any member of the High Performance Networks team on 028 9053 8411.