The notion of trust used to be foundational to any information security strategy and the respective controls embedded within an organisation’s security approach. Typically the concept of ‘trusting’ users meant granting access to those who were expected and allowed to access a specific application or service.
While the departure from mere network security perimeters and trust-based procedures is not necessarily new, it is rapidly advancing. Security professionals realized that granting network access based on deeming users trusted or untrusted is an unsafe and tedious practice. Increased cloud computing and Bring-Your-Own-Device behaviours have meant that anyone who needs access to corporate data, such as employees, customers, partners and vendors, is not necessarily operating from a company-issued device. This has made protecting data, as well as managing ‘trusted’ users, all the more challenging.
What is Zero Trust?
The escalated adoption of the Zero-Trust approach is a marked shift in the way perimeter defence is thought about and enacted. Rather than assuming the network is being accessed only by authorised individuals, the assumption is that cybercriminals can gain, and possibly already have gained, a foothold in your systems. Therefore, a user’s location – whether inside or outside your network – is not a deciding factor in the level of access they have.
A Zero Trust framework revokes trust and instead focuses on verifying the identity of users. This means that user identity is controlled and inspected in a more granular and compartmentalised way. Every account and device that tries to gain network access must first be subjected to multiple levels of verification prior to entry and, once authenticated, is then placed under a variety of insular controls.
What are the Elements of Zero Trust?
This description may sound familiar. That is because the Zero Trust approach does not necessarily require the adoption of wholly new technologies. Zero Trust can be implemented within your business by combining security controls you may already know and use, such as Identity and Access Management, Multi-Factor Authentication and the Principle of Least Privilege. Because Zero Trust is based on the combination of a variety of security solutions and restrictions, it allows for a dynamic approach to strengthening security measures. Listed below are some examples of Zero Trust architecture elements:
Identity and Access Management (IAM)
IAM (also known as identity management) is a framework that helps IT managers establish and manage user identities, as well as manage their roles and privileges. It often constitutes the basis of many Zero Trust approaches, as it involves the other elements mentioned below.
It is extremely useful when on-boarding employees or revoking access for departing employees, thereby enabling management across the entire access life cycle. It allows for more flexibility in conjunction with improved security by automating workflows and granting levels of employee access suited to what their role requires and, furthermore, to the context in which they are operating. This is particularly useful for a dispersed workforce with increased cloud-based operations and Software as a Service (SaaS) applications.
Principle of Least Privilege (PoLP)
PoLP is a component of identity management. It involves granting users the minimal level of access needed to carry out their job. This means that an individual’s digital identity, and the accounts associated with that identity, are all initially given the minimum permissions to perform activities within any of the company’s applications, devices and networks. A change in permissions is authorised on an as-needed basis.
Multi-Factor Authentication (MFA)
MFA is a prevalent method of identity verification. It is an extremely effective way to ensure identities are not being compromised by an unwanted user. MFA relies on the user to authenticate themselves by providing multiple verification factors, such as a password in conjunction with a hardware token, SMS code, voice call or biometric.
MFA is championed as one of the top methods for avoiding poor credential management. It is a crucial part of extending your security perimeters and ensuring that users are acting in the organisation’s best security interest.
Network and Micro-Segmentation
This approach involves splitting the network or data center into secured segments, which can then be carved down to the most granular level with the ability to isolate individual users, devices and applications. This creates attack resilience because each granular node is subject to its own assigned security policies and defence mechanisms 24/7.
Even if a user’s account is compromised, micro-segmentation ensures that the attack surface is reduced. The attacker cannot move laterally within the network or access any data that exists outside of the victim’s or device’s segment. Moreover, damages are minimised because the area that is under attack is more easily dealt with when cut off from the entire network.
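The elements above can be combined into a single default-deny access decision. The following is an added example, not code from the original article; the roles, resources, segment names and the device-compliance flag are constructed assumptions. It shows that network location is recorded but never used to grant access, while MFA, device verification, segment membership and least-privilege grants each have to pass.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed sample policy data (hypothetical names, not from the article).
ROLE_PERMISSIONS = {  # least privilege: each role starts with the minimum grant
    "payroll-clerk": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
}
SEGMENT_OF = {"payroll-db": "finance", "build-server": "engineering"}
ROLE_SEGMENTS = {"payroll-clerk": {"finance"}, "payroll-admin": {"finance"}}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool        # second factor verified for this session
    device_compliant: bool  # result of a device verification check (assumed)
    source_network: str     # "internal" or "external"; logged, never trusted
    resource: str
    action: str


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Default-deny: every check must pass, and location is not one of them."""
    if not req.mfa_passed:
        return False, "identity not verified with MFA"
    if not req.device_compliant:
        return False, "device failed verification"
    segment = SEGMENT_OF.get(req.resource)
    if segment is None or segment not in ROLE_SEGMENTS.get(req.role, set()):
        return False, "resource is outside the caller's segment"
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "action exceeds least-privilege grant"
    return True, "allowed"
```

A request from the internal network without MFA is denied, while the same user on an external network with MFA and a verified device is allowed to read only what the role grants.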
This is why you should consider implementing the Zero Trust model:
According to IBM’s Cost of a Data Breach Report 2020, the average cost of a data breach in Australia is just under $3 million, with 57% of breaches caused by malicious attack and 22% caused by human error. Of course, it is not enough to rely on a solely technology-based security perimeter. Effective information security is a well-balanced combination of strategy, mindset and technology.
The Zero Trust framework does just that.
The very architecture of the Zero Trust approach requires users to change their behaviours and adopt security best practices and policy as part of their workflow. It is flexible enough to uphold user productivity while enhancing security. Moreover, it can give your business a competitive advantage by giving clients, vendors and stakeholders assurance that they are protected when accessing your network.