In today’s era of evolving business models, it is important to look at all the different ways your organisation can be affected. Organisations that believe their current security is infallible because a firewall sits at the network edge may find out, to their detriment, that this is not the case.
The rise in cybercrime and the shift to more remote working than ever before are creating the perfect storm for companies facing increased security issues. This is where a zero trust strategy becomes essential, allowing organisations to design security controls that take into account their increasingly mobile and remote workforce.
The zero trust security model was created in 2010 by John Kindervag, then a vice president and principal analyst at Forrester Research. The model was developed in response to the growing threat of cyberattacks and espionage faced by organisations in the 21st century.
Traditional legacy security solutions work under the assumption that everything inside an organisation’s network is trustworthy. Zero trust takes the opposite approach: it assumes that any user or device on the internal network, or inside the security perimeter, may be malicious or already compromised.
We look at what zero trust is and what strategies it engages to keep your organisation safe.
What is zero trust?
Traditional approaches to security attempt to place all users and assets on a single trusted network. For all intents and purposes, this model assumes that a user who has been granted access to the network is not a threat.
Zero trust focuses on the importance of “never trust, always verify”. This means that, in order to protect against risk, all users and devices requesting to connect to the network are treated as untrustworthy or hostile until they’re verified and approved.
When a user logs in, the system collects a range of signals, including their location, the security posture of their device, and which service they are requesting, so that a decision can be made on whether to trust that request.
How does zero trust work?
Rather than looking at zero trust as a single technology solution, it is more helpful to understand it as a holistic strategy, one that incorporates a number of different technologies and principles.
Since the 1990s, companies have built network architectures to secure what sits inside the network, creating a security “perimeter”. This is based on the castle-and-moat security concept, where it is hard to get in from outside, but everyone inside is trusted by default.
However, once users are inside the network, they are free to move around within it and access any data that has not been explicitly restricted. Malicious insiders or attackers can often find workarounds to reach restricted data inside the perimeter, resulting in data breaches or ransomware attacks.
Today, many users, devices and services actually operate outside an organisation’s security perimeter. Consider the recent shift to remote working and the sheer number of employees accessing their business network via remote services over unsecured connections. Data is no longer stored in one place either; it may be spread across several cloud vendors, making it difficult to secure an entire estate with a single security control.
Zero trust combines controls and technologies to limit the reach of a potential breach, including end-to-end encryption, multi-factor authentication and network segmentation. It treats all traffic, inside and outside the perimeter, as hostile until it has been verified.
Users also access their most important work tools from anywhere: in coffee shops, in offices, and even out in the field. Under a zero trust model, each device must prove it is healthy before it connects, and a device that cannot be verified has its network access limited.
What are the key principles behind zero trust?
A number of key principles are required to ensure a zero trust architecture actually benefits your organisation.
Continuous monitoring and validation
The main idea behind a zero trust network is that users and machines cannot be trusted by default, because attackers can be both inside and outside your network.
Zero trust checks the identity and privileges of your employees and their devices, and checks them again periodically to make sure they are still genuine. Sessions expire and must be re-established, so an attacker who has hijacked a session or stolen a credential is kicked out (or the connection dropped) at the next check rather than keeping access indefinitely.
Least privilege access
Least privilege access is another key tenet of zero trust security. It means granting each user only the access they need to do their job, much as an army general gives soldiers information on a need-to-know basis. This limits what an account, or an attacker who compromises it, can reach, without getting in the way of legitimate work.
Implementing least privilege requires detailed management of user permissions. Virtual private networks (VPNs) are poorly suited to this approach: once a user has logged in to a VPN, they typically gain access to the whole network behind it rather than to the specific applications they need.
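The following is an added example (not Lindentech’s code or any product’s policy engine) that shows how the signals collected at login, continuous re-validation and least privilege fit together in one policy decision point. Each request carries identity, location, device posture and MFA state; access is granted per resource from a grant table rather than to “the network”; and an allowed session is re-evaluated once it ages past a threshold or as soon as any signal changes. The grant table, allowed countries and field names are hypothetical.

```python
"""Policy decision point for a zero trust access request.

Added example (not Lindentech's code). Each request carries the signals the
article lists (identity, location, device posture, MFA) and is checked
against per-resource grants, so no role is ever granted "the network".
Allowed sessions are re-validated after REVALIDATE_AFTER seconds or as soon
as any signal changes. GRANTS, ALLOWED_COUNTRIES and the field names are
hypothetical.
"""
from dataclasses import dataclass, field
import itertools
import time

# Hypothetical least-privilege grants: resource -> roles allowed to reach it.
GRANTS = {
    "payroll-db": {"finance"},
    "source-repo": {"engineering"},
    "wiki": {"finance", "engineering", "sales"},
}
ALLOWED_COUNTRIES = {"AU", "NZ"}  # constructed location policy
REVALIDATE_AFTER = 300            # seconds an ALLOW stays valid without re-checking


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    country: str
    mfa_passed: bool
    device_managed: bool
    device_patched: bool


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req):
    """ALLOW only when every signal checks out; otherwise list every failure."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("mfa-missing")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("location:" + req.country)
    if not req.device_managed:
        reasons.append("device-unmanaged")
    if not req.device_patched:
        reasons.append("device-unpatched")
    if req.role not in GRANTS.get(req.resource, set()):
        reasons.append("no-grant:%s->%s" % (req.role, req.resource))
    return Decision(allow=not reasons, reasons=reasons)


class SessionBroker:
    """Holds allowed sessions and re-runs evaluate() when they go stale."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested
        self._ids = itertools.count(1)
        self._sessions = {}             # session id -> (request as approved, decided_at)

    def open(self, req):
        decision = evaluate(req)
        if not decision.allow:
            return None, decision
        sid = "%s:%s:%d" % (req.user, req.resource, next(self._ids))
        self._sessions[sid] = (req, self._now())
        return sid, decision

    def check(self, sid, current):
        """Run on every request in a session. A changed signal or an aged
        decision forces re-evaluation; a failed re-evaluation ends the session."""
        if sid not in self._sessions:
            return Decision(False, ["no-session"])
        approved, decided_at = self._sessions[sid]
        fresh = self._now() - decided_at < REVALIDATE_AFTER
        if fresh and current == approved:
            return Decision(True, [])
        decision = evaluate(current)
        if decision.allow:
            self._sessions[sid] = (current, self._now())
        else:
            del self._sessions[sid]
        return decision
```

The broker never returns a bare “allowed”: every denial carries the failing signals, which is what an operator needs in the logs to tell a stolen credential (MFA missing, unexpected country) from a drifting device (unmanaged, unpatched) or a permissions gap.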
Device access control
One of the most important aspects of the zero trust model is that it requires strict controls on device access.
When you think about zero trust security, remember that today’s environment is drastically different from the static networks of the past. Security systems need to know how many devices are trying to access your network, whether each one is authorised, and whether it shows any signs of tampering or compromise.
Micro-segmentation
Reducing the size of the attack surface is another strategy zero trust employs, known as micro-segmentation. Breaking the network into smaller segments creates separate access controls for each part of it. Even files housed in a single data centre can be micro-segmented into multiple separate zones, so that if one zone is compromised the others remain isolated, preventing an unauthorised person from reaching sensitive data.
Preventing lateral movement
Once an attacker gains access to a network, they can move from system to system, which is known as lateral movement. Zero trust networks contain attackers so they cannot move laterally. Because access within the network must be periodically re-established, an attacker can be contained in one micro-segment and then cut off from the device or account they compromised before any more damage is done.
In a castle-and-moat model, if lateral movement is possible for the attacker, quarantining the original compromised device or user has little to no effect, since the attacker will already have reached other parts of your network.
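As an added example (constructed for this article, not a description of any real network or product), the script below models a flat castle-and-moat network and a micro-segmented one with an explicit allow-list of flows, then walks outward from a compromised laptop to show how far an attacker could pivot and how many separate compromises each hop would cost. The host inventory, segment names and ports are hypothetical.

```python
"""How far an attacker can pivot on a flat network versus a micro-segmented one.

Added example, not from the article. Hosts are assigned to segments and the
segmented policy is an allow-list of (source segment, destination segment,
port); any flow not listed is denied. reachable() walks the allowed flows
outward from a compromised host and reports each reachable host with the
number of hops (separate compromises) needed to get there. The inventory
and policy are constructed for illustration.
"""
from collections import deque

# Constructed inventory: host -> segment
HOSTS = {
    "laptop-1": "users",
    "laptop-2": "users",
    "web-1": "web",
    "app-1": "app",
    "db-1": "db",
    "backup-1": "backup",
}

# Flat (castle-and-moat) network: any host may talk to any other once inside.
FLAT_POLICY = None

# Micro-segmented: only these flows are allowed; everything else is dropped.
SEGMENTED_POLICY = {
    ("users", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("backup", "db", 5432),
}


def flow_allowed(policy, src, dst):
    """True if the policy lets traffic from host src reach host dst on some port."""
    if src == dst:
        return False
    if policy is None:                 # flat network: everything inside is trusted
        return True
    return any(s == HOSTS[src] and d == HOSTS[dst] for s, d, _port in policy)


def reachable(policy, compromised):
    """Breadth-first walk from the compromised host along allowed flows.
    Returns {host: hops}; hosts missing from the result cannot be reached."""
    hops = {}
    queue = deque([(compromised, 0)])
    seen = {compromised}
    while queue:
        cur, dist = queue.popleft()
        for dst in HOSTS:
            if dst not in seen and flow_allowed(policy, cur, dst):
                seen.add(dst)
                hops[dst] = dist + 1
                queue.append((dst, dist + 1))
    return hops


def blast_radius(policy, compromised, contained_after_hops):
    """Hosts still at risk if the compromise is detected and the attacker cut
    off after managing `contained_after_hops` pivots."""
    return {h for h, n in reachable(policy, compromised).items()
            if n <= contained_after_hops}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, reachable(policy, "laptop-1"))
```

On the flat network every host is one hop from the compromised laptop, so quarantining that laptop after the fact changes nothing. Under the segmented policy the attacker can only reach the database by compromising the web tier and then the app tier in turn, the other laptop and the backup host are unreachable, and cutting the session off after the first pivot leaves only the web server exposed.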
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is another important principle of zero trust security. MFA requires more than one piece of evidence to authenticate a user, rather than a single password. Many applications now use MFA, requiring users to present two different types of evidence to log in: typically a password plus a code sent to another device, which must be entered in addition to the password.
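The following added example (not the article’s or any vendor’s code) implements the two-step login just described: a salted PBKDF2 password check as the first factor, then a random six-digit code as the second factor that expires, can be used only once, allows a limited number of guesses and is compared in constant time. Delivering the code to the user’s other device is assumed to be handled elsewhere; first_factor() returns it so a caller can send it, and the user store and time limits are hypothetical.

```python
"""Two-factor login: password plus a single-use code "sent" to another device.

Added example, not the article's or any vendor's code. Passwords are stored
as salted PBKDF2 hashes; the second factor is a random 6-digit code that
expires, can be used once, allows MAX_ATTEMPTS guesses and is compared in
constant time. Delivery of the code (SMS, push) is out of scope: first_factor()
returns it so a caller can send it. CODE_TTL and MAX_ATTEMPTS are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL = 120        # seconds a second-factor code stays valid (assumed)
MAX_ATTEMPTS = 3      # wrong guesses allowed before the code is invalidated
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, pbkdf2_hmac_sha256 hash); a fresh salt is drawn if none given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class MfaLogin:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._users = {}         # username -> (salt, password hash)
        self._pending = {}       # username -> (sha256(code), expires_at, wrong attempts)

    def register(self, user, password):
        self._users[user] = hash_password(password)

    def first_factor(self, user, password):
        """Check the password. On success issue a one-time code and return it so
        the caller can deliver it to the user's second device; otherwise None."""
        record = self._users.get(user)
        if record is None:
            hash_password(password)          # spend the same time for unknown users
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)[1]):
            return None
        code = "%06d" % secrets.randbelow(10 ** 6)
        # Only a hash of the code is kept server-side, like the password itself.
        self._pending[user] = (hashlib.sha256(code.encode()).digest(),
                               self._now() + CODE_TTL, 0)
        return code

    def second_factor(self, user, code):
        """Verify the delivered code. True exactly once per issued code."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]        # expired or brute-forced: start over
            return False
        if hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest()):
            del self._pending[user]        # single use
            return True
        self._pending[user] = (digest, expires_at, attempts + 1)
        return False
```

Note that a correct password alone never yields a session: the caller must see second_factor() return True before granting anything, which is the property that makes a leaked or phished password insufficient on its own.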
Benefits of zero trust security model
The biggest incentive for organisations to implement zero trust strategies is to avoid becoming part of statistics like the following:
- Cybercrime currently costs the Australian economy $3.5 billion each year
- The average cost to businesses is $29 million annually and $276,000 per business
Worldwide spending on security products and services keeps increasing. A zero trust architecture is better placed to deal with common cybersecurity risks than perimeter-only approaches. Combined with analytics such as anomaly detection, machine learning, AI and real-time data inventory and cataloguing, it gives companies broader, real-time visibility into their threat landscape.
Zero trust may sound complex but adopting this security model can be simple with the right technology partner. Contact Lindentech’s security experts to find out how they can help.