If you’ve been watching the headlines at all, you’d know zero-trust security is the new hot framework. But it’s not new. In fact, it has been talked about for over a decade. But with the buzz around this framework, you’re probably wondering if it’s a direction your team should be moving in. In this guide to Zero Trust security, we’ll explore what it is in practice and how it works. We’ll help you to understand what it’s based on and how you can use it to benefit your organisation. Lastly, we’ll help you plan your rollout by prioritising your more valuable resources first to get the most from a zero-trust plan on day one.
At its core, Zero Trust assumes that NO ONE is an authorised user. It takes the stance that every single device must be continually validated to maintain its data access. And it assumes that no network edge exists, and every single connection could become compromised at any moment. Because of this, it is becoming the standard for hybrid working environments. A zero-trust environment pushes each connection for regular authentication and authorisation in line with the established security protocols. It was created by a Forrester Research alum in 2010 – John Kindervag – and now it’s the big thing in cybersecurity frameworks.
Zero trust largely came about in response to digital working. According to Crowdstrike, it uniquely addresses the modern challenges of today’s business, including securing remote workers, hybrid cloud environments, and ransomware threats. While many vendors have tried to create their own definitions of Zero Trust, there are several standards from recognised organisations that can help you align Zero Trust with your company. NIST is one of them.
Zero tolerance is so attractive because it inherently helps you meet the robust cybersecurity standards that we need now. While this framework isn’t legally required, it represents the best-in-class standard to managing cyber security risk. It builds on other guidance and the NIST Framework that includes its components of core, implementation, and profiles to help most organisations approach online security in a measured way. Part of managing that risk will be to ensure every data-accessing device & application is approved and regularly validated for those purposes. That’s where Zero Trust can support. And you can read the official NIST guidance here.
As we said before, Zero Trust assumes that every device or connection is a potential threat. So, a zero-trust solution will contain the ability to create, enforce and review policy-based controls. That’s a core requirement. And those controls need to allow for smart tech to automatically contain threats when that trust level drops. To enable that, you’ll need to be able to configure and receive alerts, reports and logs related to potential threats. That will overall enhance your access security and eliminate the attack points that bad actors will have over your environment. Lastly, your zero-trust system will need to continually monitor devices, components, users and connections within your infrastructure. It will essentially be pinging them regularly to make sure the authorisation is intact.
The crime stats speak volumes. Cybercrime Magazine has the stark warning that if it were measured as a country, then cybercrime — which is predicted to inflict damages totalling $6 trillion USD globally in 2021 — would be the world’s third-largest economy after the U.S. and China. Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015. So, it makes sense that with all the remote workforces, hybrid structures and new self-employed home-based workers that this activity is set to ramp up. But you can prevent yourself from becoming a statistic by adopting an aggressive Zero Trust security policy.
The core pillars of Zero Trust architecture can be summarised as:
- Everything that accesses your data and that data itself are resources owned by you, even if it’s a BYOD environment.
- All comms should meet the same standard of security regarding their origin point. The same authentication and encryption are used within the network and outside of it and no one is presumed safe.
- Access to resources is on a per-connection and per-request basis. Access once to one thing doesn’t mean access always to all things. It doesn’t even mean access twice.
- The system itself and its user identity together determine if access is granted at that time and to that request only.
- All systems are monitored, patched and fixed in real-time with vulnerable systems denied access immediately.
- A cycle of access is used to require regular authorisation and continuous monitoring of threats with regular re-authentication at intervals.
In short, these tenets all serve the core goal of making access control enforcement granular enough to eliminate unauthorised access. Your implementation partner can support you to ensure whatever framework you put in place adheres to these pillars.
When you move to Zero Trust, you can detect core threats faster. These include:
- Phishing attacks on employees
- Keylogger installations
- Suspicious movement within the network
- Corporate machine compromise via shell to a service
- Changes to application privileges
- Individual workstation access
- Lost or stolen passwords
- Data export via applications or their hosts
- Lost or stolen credentials for databases
- Duplicate or network-wide user passwords
- System-hogging applications
There’s also a cost-benefit too. Fully deployed zero trust saved companies 43% on data breach costs. Organisations that didn’t have zero trust as part of their cybersecurity strategies suffered a cost of $5.04 million per breach. For [organisations] with fully deployed zero trust, the average cost of breach dropped to $3.28 million. And you should always assume you will or already have been breached. It’s likely to change your approach to cybersecurity and apply the urgency that it truly deserves as a bonafide risk to your operation.
It’s not enough to secure your connection within a single workplace and call it done. Zero Trust is an ethos that covers the use cases of workplace, workloads, and workforce. We’ll explain in more detail below:
- Workforce– This is where you’re requiring strong and frequent authentication of user identity. Here you’re giving devices and users the smallest amount of access they need to do their jobs. And you’re also conducting a thorough and regular verification of the devices each user is connecting with. Should anything flag up as concerning, all access is immediately shut down.
- Workloads– In this situation, we’re removing the presumed trust across work applications. This applies when they talk to each other, to our users and to the infrastructure. In a zero-trust environment, apps are monitored in real-time to ensure they’re acting in a normal fashion. And if a threat appears, their access is revoked immediately.
- Workplace– For this application, take everything related to your infrastructure from routers to your supply chain and paint it with a zero-trust brush. Don’t allow any suppliers, BYOD, guest access, routine updates, patches or any other network changes to go through without robust and regular authentication and permission provisioning.
In Zero Trust, one of the first steps is the identification of the network’s most critical and valuable data, assets, applications, and services. This helps prioritise where to start and enables the creation of Zero Trust security policies. By identifying the most critical assets, organisations can focus efforts on [prioritising] and protecting those assets as part of their Zero Trust journey.” So, think about what data your business couldn’t afford to lose. This might be intellectual property or client records. Chances are this data exists in more than one place and is accessed by many different people and for many different reasons. You’ll want to map this web of interconnectivity as accurately as possible. That’s your starting point. The higher value you assign, the more critical that node is.
Remember, when you’re applying Zero Trust to protect your crown jewels, you’re going to do that holistically. It’s not about limiting device access or monitoring your applications alone. It’s about a complete lockdown on access and access levels. To do this efficiently, you’re going to need support. An expert implementation partner will help you to first map out your risks and the high-value data you need to protect. Together, you’ll agree on where to start. (That will usually be with your most important data or resource.) Then, they’ll help you to roll out a complete security solution that provisions for zero-trust across your infrastructure, users, and applications. This package should include real-time authentication, encryption, monitoring, and rule-based access limitations that you can implement from day one to get the fastest return on your new Zero Trust policies.
If you’d like to discuss your unique environment, reach out to one of our helpful team members today for a bespoke assessment of your needs.