What is Zero Trust?

The pandemic upended a lot of things in the business world, but one thing it accelerated was remote access. More staff than ever before worked from home and systems and platforms like Zoom got the kind of attention and publicity money can't buy.

Organizations both large and small scrambled to migrate applications and data to the cloud, embracing the hybrid cloud model so we could access work from our home devices. The remote worker age finally arrived en masse.

However, some platforms simply hadn't been built for the new threat landscape and were left scrambling to patch vulnerabilities even as users and data generation skyrocketed. Since then, cyber attacks have risen sharply. During the first quarter of 2024, a report by security provider Check Point Research recorded a 28% surge in the number of cyber attacks compared to the previous quarter.

It's not just an issue of inadequately secured software; it's clear that that user education often falls short. A report published by WEC in 2022 found that 95% of cyber security incidents were the result of 'human error', with weak passwords, sharing work devices with family and friends, smartphones that aren't locked by default, and other unsafe behaviors still rife.

So along with giving workers the flexibility they now demanded, organizations needed to work harder than ever to fortify their domains and networks, and the devices that access them, against breaches. This had led to a rise in the so-called Zero Trust model, a paradigm change that might finally secure the remote work age.

How Zero Trust works

The old methodology – castle and moat security – assumed that all devices and applications inside the network perimeter were trusted in perpetuity as long as they'd been onboarded according to security protocols. But security analysts and providers were saying as long ago as 2022 such an approach had no place in a remote work, cloud-enabled world.

Zero Trust means exactly what it says – every request from an application, device, human operator, or process is treated with suspicion and blocked until it can be proven to be trustworthy. It's also built on the awareness that the point of infiltration is only the doorway, not the target. That means it has multiple verification methods like two-factor authentication (2FA) or micro-segmentation for users or processes even after they've logged in.

This also prevents attackers from carrying out lateral attacks, spreading throughout a victim’s network, after gaining initial access.

Zero Trust is catching on fast as a security model. The market is expected to be worth over $82.45 billion (£63 billion) by 2030, according to Grand View Research data, with small and medium-sized enterprises (SMEs) projected to drive the most growth in this area.

What strategies does a Zero Trust network model use?

One of Zero Trust's selling points is that it can be built into existing architectures by deploying systems and safeguards such as:

Least Privilege

The principle of Least Privilege states that users, systems, and processes should be granted access only to those resources necessary to to perform their job function. Any time a user requests access to an application, process, data store, or domain, the request is judged against what is necessary for their role. Least privilege goes hand in hand with Zero Trust, building on that idea that access is blocked by default and only granted if a clear and valid reason is given.

Identity and access management (IAM)

IAM automates the processes of authenticating users and managing the appropriate levels of access for each user. IAM systems will provision users with access based on their role and de-provision employees who leave the company. This is often the workhorse behind a Zero Trust system, and the mechanism by which Least Privilege is enforced.

Multi-factor authentication (MFA)

Also very common in the consumer world, especially when logging in to sensitive accounts like finance, government, or health records, 2FA or MFA is simply making the user confirm an access request through an unrelated network vector like getting a code via SMS or email. This simply increases the robustness of an organization's authentication process, and makes it more likely that the person requesting access is who they say they are.

Endpoint security

Even before we started working from home, bring your own device (BYOD) was a popular methodology. The endpoints that workers use to access company information – whether their own or company-supplied – need to be properly secured with endpoint security software. This is usually achieved with endpoint detection and response (EDR) software, which is capable of monitoring devices, flagging any vulnerabilities, and automatically responding to threats.

Segmentation

Although common in other security models, segmentation plays a pivotal role in supporting the other strategies listed above and mitigating the impact of any breach. This method divides workloads into separate zones and secures them individually, creating more barriers that attackers would have to bypass. This is critical for ensuring that, should a breach occur, an attacker is unable to easily move between systems or user accounts.

How do you enact Zero Trust in an organization?

There is no one-size fits all process for implementing Zero Trust, although most resources will suggest following a broad approach of:

1. Define your attack surface

2. Implement security controls

3. Architect your Zero Trust network

4. Create policies that enforce Zero Trust

5. Monitor and audit

Start by identifying your most sensitive information and silo it somewhere separate from everything else – automated discovery tools can help you decide which data flows are absolutely essential. 

Next, create a map of the surrounding traffic so you know how it will be accessed, used and shared.

You can then architect your network and data structures into micro-segments that each need their own Zero Trust security verification to allow process and requests through.

Once your controls are in place, you need to support these with clear security policies. These are critical for ensuring employees follow correct procedures and that Zero Trust is enforced consistently across the enterprise.

Finally, the process of monitoring can begin, allowing you to assess how effective the approach has been implemented, and whether system performance or workflows have been adversely effected. Changes may need to be implemented following an audit.

If that all sounds complicated and unwieldy for users, the beauty is much of the verification can be automated, all working in the background and notifying human operators only when a request access isn't verified.

The challenges of implementing Zero Trust

Like all new technology approaches, Zero Trust can be complex and will seldom be cheap – although it will be far more cost effective than the average cost of a data breach, which IBM put at $4.45 million last year. That's before considering the intangible, and possibly far more expensive, blow to the trustworthiness of your brand.

It's possible to install Zero Trust in current generation architectures, but the IT team might have to purpose build segments into the network to establish access points. Do your sums and you might find it more cost effective to engage a security vendor and migrate to a new architecture with Zero Trust already built in.

You should also plan for a period of time post-implementation to allow for staff training, and potentially some customer education. While nobody wants their security landscape to be onerous and irritating, you have to get people used to new user management, even if it's convincing them that two-factor authentication is necessary.

Staff are now enjoying a mix of working from the office and home and many companies feel confident that they finally have their security architecture sorted out. The thought of adopting a whole new cyber security philosophy that will only cost more money may seem daunting, but since the costs of cyber crime are expected to rise to $10.5 trillion next year, can you afford not to?