Zero trust is a key building block to a cyber-conscious culture


When it comes to cyber security, building a wall around your business is no longer the best way to stay secure. With ever more devices accessing corporate data and a blurring of borders in what constitutes a network perimeter thanks to cloud computing, the potential access points for a malicious actor to enter and move around the corporate network have grown.

This is why the zero trust approach to security has become increasingly popular within the enterprise space. It’s a change of mindset as much as a technological one, where you assume that all application access is potentially dangerous to your business.  

In essence, you are asking more questions of those who access your data and where they are accessing it from. Why do they want to access particular applications and how are they connecting to them? Is this normal behavior for them, or someone in a similar role? They may be an employee, but that doesn’t mean they should have unfettered access to all the company’s data and applications just because they managed to log into the corporate network correctly. 

Hence the principles of zero trust focus on devices, networks, and, yes, users. The human element can be intentional – in the form of a classic insider threat, such as a disgruntled employee – or accidental, through human error.

Misconfigured servers, crackable passwords, and unencrypted files; the ways in which business data can be leaked and breached are often internal errors. Simple mistakes can lead to major security incidents and possibly even financial penalties.

Much of this can be greatly reduced by implementing the more pragmatic approach of constantly monitoring systems and the people and devices that use them.

Leave the castle and moat behind

In traditional network security, it was outsiders who were treated with suspicion, leaving insiders with virtually free access following an initial successful login. This is known as the ‘castle and moat’ model of network security; the castle is the network and the moat is the network’s perimeter, which outsiders were not able to get across.

The problem now is that most companies keep their data in multiple locations, like cloud services, third-party servers, or on-premises data centers. This means a business is potentially vulnerable to attacks and data breaches from different locations. As such, the once reliable castle and moat model can’t hold up to this new reality.

Another area that has stretched the boundaries of the network is hybrid working. Not only do many organizations now have a more dispersed workforce, but they also have new members of staff onboarding remotely, executives and knowledge workers connecting from other countries, and third-party services potentially storing and transferring business data between geographical regions. Our attack surfaces have never been larger, and this is a clear contributor to the increasing reports of cyber attacks and data breaches that plague all types of business.

Never trust, always verify

Zero trust is a cyber security philosophy that has grown up in the face of these issues. It is a strategic approach to the implementation and design of IT systems based on the concept of ‘never trust, always verify’. In practice, it means that users and devices should not be trusted by default, regardless of whether they are connected to the organization's network or have already been verified previously. The reason for this is to make sure the person is who they say they are but also to verify the device they are using – the latter is key to maintaining security as the device is checked for compliance or whether it has any unauthorized software that could compromise the network. 

This type of architecture works by establishing strong identity verification, validating the compliance of a device before granting access, and ensuring least-privilege access to only those resources that have been explicitly authorized. If, for example, you have an employee working from public Wi-Fi, or a place they don’t usually work from, they may be subject to more verification than usual, or cut off from more sensitive parts of the network.

It’s as much a cultural change as it is a technology adoption, and one that needs to be maintained long beyond implementation to keep up with changes in an organization’s IT estate or business strategy. New procedures will need to be developed to keep track of changing systems and workflows, stress test new hardware and software, and provide regular training for members of staff. Having plans and procedures in place to monitor and maintain zero trust across the organization can even offer a better understanding of its operation and highlight opportunities for improvement and growth.

Zero trust architectures work by using a few basic principles, such as least-privilege access. This is where the bare minimum of access is granted to users, taking away the assumption of trust, even in your own staff, which could be abused by a malicious actor, whether internal or external. It also includes multi-factor authentication (MFA), where users are required to provide more than one form of identification to access their work devices and corporate accounts, providing additional evidence that they are who they claim to be.
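
The checks described above (identity and device verification, explicit least-privilege authorization, MFA, and extra scrutiny for public Wi-Fi or unusual locations) can be expressed as a per-request policy decision. The Python below is an added illustration, not BT's or any vendor's implementation; the roles, application names, sensitivity labels and the `decide` function are hypothetical, and treating MFA as the "more verification" step is an assumption of this example.

```python
from dataclasses import dataclass

# Constructed policy data: which role may reach which application (least privilege).
AUTHORIZED = {
    "finance-analyst": {"ledger", "email"},
    "engineer": {"source-repo", "email"},
}
SENSITIVE_APPS = {"ledger", "source-repo"}  # hypothetical sensitivity labels


@dataclass
class AccessRequest:
    user_role: str
    app: str
    identity_verified: bool  # primary credential check passed
    mfa_passed: bool         # second factor presented in this session
    device_compliant: bool   # managed, patched, no unauthorized software
    network: str             # "corporate", "home" or "public-wifi"
    usual_location: bool     # matches where this user normally works


def decide(req: AccessRequest) -> str:
    """Return "allow", "step-up" (ask for more verification) or "deny"."""
    # Being on the corporate network grants nothing by itself: identity
    # and device state are checked on every request.
    if not req.identity_verified or not req.device_compliant:
        return "deny"
    # Least privilege: only explicitly authorized resources are reachable.
    if req.app not in AUTHORIZED.get(req.user_role, set()):
        return "deny"
    risky_context = req.network == "public-wifi" or not req.usual_location
    sensitive = req.app in SENSITIVE_APPS
    if risky_context and sensitive:
        return "deny"      # cut off from the more sensitive resources
    if (risky_context or sensitive) and not req.mfa_passed:
        return "step-up"   # more verification than usual
    return "allow"


if __name__ == "__main__":
    # Constructed request: an authorized user on public Wi-Fi without MFA.
    r = AccessRequest("finance-analyst", "email", True, False, True, "public-wifi", False)
    print(decide(r))
```
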

How this is implemented will differ for each company as their size, operation, and budget will dictate which services they can use. For example, each device will need to be traced and managed with remote access software so that the right person gets the right access privileges. This can be a challenge for a small company that has data residing in multiple places and personnel spread across different locations. 

All of these variables, the significant shift in how cyber security is thought of and implemented, and the need for constant monitoring and adaptation can make getting started with zero trust a daunting task. No matter how far an organization is on its zero trust journey, BT security advisory services can help plan and tailor their approach in line with their business needs. 

This includes advisory services for cloud infrastructure, advice on shoring up security across the network, and best practices for protecting both users and data. BT also offers 24-hour online support with experienced technicians and an extensive portfolio of IT services. What’s more, its Managed Cloud Security service offers a single, central portal to manage policies, find access reports, and monitor the entire network.

BT also maintains its relationship with customers as part of its ongoing security journey and gives them access to leading cloud-based security providers, such as Zscaler and Cisco. This opens up a wealth of industry experience and even more services to help businesses stay on top of their security needs. 

ITPro
