What is zero trust?

The disruptions of recent global events caused many businesses to accelerate their digital transformation as they looked to continue operations. This rush to migrate to the cloud and allow employees to work from home meant that malicious actors could exploit the crises and take advantage of an ill-equipped workforce.

A report by Sophos stated that 70% of organisations saw an increase in phishing and other malware attacks since the start of the pandemic, with government bodies experiencing the most. With this volume of cyber threats, as well as the fact that attacks are becoming more advanced, traditional methods of securing the corporate network aren’t sufficient to protect businesses from external and internal threats.

Business leaders are therefore caught between needing to still allow staff to access company information and data - both in the office and remotely - and needing to provide, manage, and monitor end-user protection from a distance. As a result, many are adopting 'zero trust' security models.

Traditional security methods work on the theory that all the devices within the network perimeter can be trusted - a ‘castle-and-moat’ strategy. Not only does this leave businesses vulnerable to internal threats, it also means that once hackers break through the initial security barrier, they have unlimited access to cause chaos.

A zero trust strategy, however, rests on the concept that no one can be trusted, and that every user and every device must be verified. So whether employees are working in the office or at home, ID verification is required for every staff member and device trying to access the network.

The model for the concept was first introduced in 2010 by an analyst from Forrester Research, and was initially only utilised by Forrester clients, until Google inspired its adoption within the tech community when it implemented zero trust in 2014.

Zero trust is now prevalent within the security vendor market, and Gartner predicts that by 2025 “60 percent of organisations will embrace Zero Trust as a starting point for security”.

How does a zero trust model differ from regular security methods?

As opposed to the castle-and-moat method, zero trust requires users both inside and outside the network to be continuously authenticated in order to access applications and data. Since the point of infiltration is not usually the attacker’s target, just a way in, zero trust uses multiple methods, including micro-segmentation, multi-factor authentication, and other barriers to prevent, or limit, the access attackers have once they’ve entered the network.

What strategies does a zero trust network model use?

It's a holistic approach that can be built into existing architecture and used across the entire organisation. Here are some tactics organisations can use to limit the access users and endpoints have within their network:

  • Least-privilege access: This involves assessing the needs of each user and giving them the lowest level of access possible, so that resources are only available to those that absolutely need them, rather than open to anyone in the network.
  • Identity and access management (IAM): IAM automates the processes of authenticating users and managing the appropriate levels of access for each user. IAM systems will provision users with access based on their role and de-provision employees that leave the company.
  • Multi-factor authentication (MFA): This is a core component of an IAM policy that requires the user to supply two or more verification factors, often through one-time passwords (OTPs) sent through SMS, email, or an app.
  • Endpoint security technology: The desktops, laptops, tablets, and mobile phones that any employee might use to access corporate resources add to the points of access for an attack and have to be properly secured. As more employees connect through their own devices or Wi-Fi connections, this is especially important.
  • Micro-segmentation: This method divides workloads into separate zones and secures them individually, creating more barriers that attackers would have to bypass.

How do you enact a successful zero trust framework?

The tactics listed above will only work, however, if you can continuously monitor and validate a user and their device. Zero-trust enforcement relies on real-time visibility of a user’s identity, endpoint type, login details, and other attributes, and without this visibility, you won’t be able to clearly define policy.

You’ll need to identify the most sensitive data, assets, applications, and services (DAAS) and separate these from the rest of the network. Then you’ll want to map out the traffic surrounding this data - how it’s being accessed, where it’s going, and what it’s being used for. Knowing what your organisation’s data is meant to be used for is crucial to protecting it, and automated discovery tools can help with understanding this and deciding which data flows are absolutely essential.

Once you know what flows will be allowed and which won’t, you can architect the network to place boundaries between the different flows, creating micro-segments that will require authentication and validation to pass through and will help contain breaches.
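
The mapping and segmentation steps above, sketched as an added example that is not from the original article: observed traffic is checked against an allow-list of essential flows between micro-segments, and everything else is denied by default. The CIDR ranges, segment names, ports and flow records are constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed segment map: CIDR -> micro-segment name (hypothetical values).
SEGMENTS = {
    "10.10.1.0/24": "hr-app",
    "10.10.2.0/24": "hr-db",
    "10.20.0.0/16": "user-lan",
}

# Flows judged essential after mapping traffic: (src segment, dst segment, port).
ALLOWED_FLOWS = {
    ("user-lan", "hr-app", 443),
    ("hr-app", "hr-db", 5432),
}

# Constructed flow records: (source IP, destination IP, destination port).
OBSERVED = [
    ("10.20.4.7", "10.10.1.15", 443),
    ("10.10.1.15", "10.10.2.8", 5432),
    ("10.20.4.7", "10.10.2.8", 5432),    # workstation straight to the database
    ("10.10.1.15", "10.10.2.8", 22),     # right segments, port not allow-listed
    ("192.0.2.50", "10.10.1.15", 443),   # source outside every mapped segment
]

def segment_of(ip):
    """Return the segment containing ip, or None if it is unmapped."""
    addr = ip_address(ip)
    for cidr, name in SEGMENTS.items():
        if addr in ip_network(cidr):
            return name
    return None

def evaluate(flow):
    """Default deny: allow only flows explicitly on the allow-list."""
    src, dst, port = flow
    key = (segment_of(src), segment_of(dst), port)
    return ("allow" if key in ALLOWED_FLOWS else "deny"), key

def summarize(flows):
    """Count denied flows per (src segment, dst segment, port) for review."""
    denied = Counter()
    for flow in flows:
        verdict, key = evaluate(flow)
        if verdict == "deny":
            denied[key] += 1
    return denied

if __name__ == "__main__":
    for key, count in summarize(OBSERVED).items():
        print("deny", key, count)
```

Running this against real flow logs before enforcement shows which denied flows are genuinely unwanted and which are essential flows still missing from the allow-list.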

Here monitoring comes in again, though this stage is about enforcing policy rather than defining it. You still need real-time visibility once you’ve implemented a zero trust architecture, only this visibility will be used to ensure continuous compliance.

Automation will be a crucial component of your policy engine to quickly make changes when necessary. The automated system can judge policy change requests that are within defined legitimate parameters and pass along those outside the parameters to actual human eyes, reducing the time you have to devote to maintaining your new zero trust model.
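
One way to express the triage described above, as an added example that is not from the original article: requests inside the defined parameters are approved automatically, and anything outside them goes to a human along with the reasons. The guardrail values, segment names and sample requests are hypothetical.

```python
from collections import namedtuple

# Hypothetical guardrails defining what automation may approve on its own.
KNOWN_SEGMENTS = {"user-lan", "hr-app", "hr-db"}
SENSITIVE_SEGMENTS = {"hr-db"}   # segments holding the most sensitive data
AUTO_PORTS = {443}               # ports automation may open unaided
MAX_HOURS = 72                   # longest rule lifetime without review

# A request to allow traffic from one segment to another for a limited time.
ChangeRequest = namedtuple(
    "ChangeRequest", "requester src_segment dst_segment port hours")

def triage(req):
    """Return (decision, reasons); any reason sends the request to a human."""
    reasons = []
    for seg in (req.src_segment, req.dst_segment):
        if seg not in KNOWN_SEGMENTS:
            reasons.append(f"unknown segment: {seg}")
    if req.dst_segment in SENSITIVE_SEGMENTS:
        reasons.append("destination holds sensitive data")
    if req.port not in AUTO_PORTS:
        reasons.append(f"port {req.port} not pre-approved")
    if not 0 < req.hours <= MAX_HOURS:
        reasons.append("lifetime missing or above limit")
    return ("human-review" if reasons else "auto-approve"), reasons

# Constructed requests for illustration.
REQUESTS = [
    ChangeRequest("alice", "user-lan", "hr-app", 443, 24),
    ChangeRequest("bob", "user-lan", "hr-db", 5432, 24),
    ChangeRequest("carol", "user-lan", "hr-app", 443, 0),
    ChangeRequest("dave", "guest-wifi", "hr-app", 443, 8),
]

def run(requests):
    """Triage every request and return {requester: decision}."""
    return {r.requester: triage(r)[0] for r in requests}

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.requester, *triage(r))
```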

Challenges of zero trust

If the previous section hasn’t already made it clear, adopting a zero trust policy, while extremely beneficial, can be quite complex.

If your intention is to utilise your current infrastructure - which may not have the tools or means for restricting access - your security team will need to build new network segments and limit access to these to users that need them. This takes time, as tweaks are made to fit around the current framework, so you might decide to utilise a security vendor and adopt a platform with a built-in zero trust approach to limit disruptions to workflows.

Once in place, it will also require more user management, from employees to customers to clients and vendors, all with varied levels of access that require different policies. The last thing your business needs is to lock staff out from the data and devices they need to do their jobs for any length of time, which is only going to negatively impact their productivity.

To spread the load, some security administrators may hand over decisions about policy to each department so they can maintain it themselves, but this can create issues, with some teams creating policies that are too broad and leave them vulnerable to attacks.

With rapid growth in the number of devices each user has, the number of applications across a business, and the different ways to store and access data, including the cloud, there are many factors to juggle when building a zero trust framework. But as long as you address the risks associated with the core concept behind zero trust - eliminate implicit trust and validate every interaction - your enterprise will realise significant security improvements, and even cost reductions.