Never Trust Anything Again - The Zero Trust World

It seems everyone is talking about Zero Trust in our data networks, but it is often a goal which cannot be reached, as it depends so much on business needs and user interactions. However, where possible, a Zero Trust strategy can help a business be more secure and avoid costly hacks.

It is a concept that is more relevant and important today than ever, particularly as companies around the world grapple with how to operate, and respond to, the remote working drive and cloud-based services which are taking over. 

Securing the traditional network perimeter (i.e. the moat and castle approach) is no longer sufficient. With the rise of applications being deployed in multi-clouds, and the growing mobile workforce, the network perimeter has all but disappeared.

Even One-Time-Password (OTP) technologies can no longer support diverse networks and connections. True Multi-Factor-Authentication (MFA) has come of age, as required flexibility of authentication is linked to the level of security needed. Hence, the greater the risk to data, the better form of authentication and trust application is needed. Likewise, for an environment which has many tens of thousands of customers, even the most basic of MFA solutions, such as SMS authentication, could be impractical and a barrier to business.

Zero Trust eliminates the idea of a trusted network inside a defined perimeter. Today, you must apply least-privilege user access and scrutinise it as much as possible.  Assume attackers are already hiding in the network and get more context and visibility from the control points.

To enable Zero Trust, organisations must abandon the ‘trust everything, but verify’ approach and adhere to these three principles:

1. Never trust
2. Always verify
3. Continuously monitor

No single vendor can provide a Zero Trust solution, it will require a blended approach to meet the company’s specific business needs. This is where the challenges lie. But what are they?

Zero trust is not a standard, or a specification that vendors can design products and services against. It is an approach to designing an architecture, which means it can be difficult to know what the right thing to do is.

Cost:   As with any infrastructure change, there are usually costs associated with a migration. Both direct and indirect. Direct costs are new products, devices, and services. Indirect costs are the training of support teams in order to learn new processes. 

Disruption:   Moving to a Zero Trust architecture can be a very disruptive exercise. It can take several years to migrate to a fully Zero Trust model, due to the extent of change needed across the enterprise. Defining an end state for a migration is difficult when the model you are aiming for may evolve during the rollout.

Not all products and services are suitable for Zero Trust: Many legacy or fixed process products and services do not fit well with its principles, due to the working practices that surround them. An example is Bring-Your-Own-Device (BYOD) architecture. In this case, it can be difficult to gain a high level of confidence in the status of the devices accessing your services and data, without intruding on the privacy of your user. Another example could be the size of a customer base. If it is too large or diverse it may prevent the identity of working practices needed to ensure a positive trust result.

The temptation for many business leaders is to delay a Zero Trust project because there is no immediate implication for not doing it today, or next quarter. But eventually, it will become a priority because of an attack, or key clients seeing the organisation as a weak link in their supply chain.

If a Zero Trust strategy has not been implemented, it may look like a massive project. Faced with the inevitable limited resources issue, many may struggle to develop a system that works for the individual business needs. Hence, the imperative to start planning now. Businesses should look at their current products for endpoint protection, user authentication and network monitoring and see how they can be manipulated to start the foundation of a Zero Trust policy. From here, any new security solution purchase can be reviewed in light of the Zero Trust plan, ensuring it fits.

Zero Trust provides higher security, from the endpoint through to the application, than traditional approaches. By constantly authenticating and authorising, it's possible to securely enable the mobile workforce, reduce data losses and improving productivity with streamlined access

Colin Tankard is Managing Director at Digital Pathways

You Might Also Read: 

The Frailty Of Email:

 

« A Short History Of Cyber Crime - Part 1- Its Motivations
Conti Attack US Precision Engineering Business »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Bob's Business

Bob's Business

Bob's Business adopts a fresh approach to information security awareness and compliance training, delivering key information through the use of short animated movies.

Shavlik Protect

Shavlik Protect

Shavlik Protect is an easy-to-use security software solution that discovers missing patches and deploys them to the entire organization.

CLUSIF

CLUSIF

Clusif is the reference association for digital security in France. Its mission is to promote the exchange of ideas and feedback through working groups, conferences and publications.

Sparta Consulting

Sparta Consulting

Sparta Consulting is an information management and business development full service provider.

CounterCraft

CounterCraft

The CounterCraft Cyber Deception Platform fits seamlessly into existing security strategies and delivers high-end deception for threat hunting and threat detection.

Entel CyberSecure

Entel CyberSecure

Entel CyberSecure is a portfolio of Cybersecurity solutions and services for the protection, defense, risk management and regulatory compliance of ICT Systems for corporations and Government.

Simility

Simility

Simility's multi-layered fraud detection solution uses superior machine learning & device intelligence technology to safeguard your online businesses.

Crayonic

Crayonic

Crayonic digital identity technologies protect and guarantee the identity of people and things.

Arceo

Arceo

Arceo enables insurers and brokers to better assess, underwrite, and manage cyber risks using curated security data for accuracy and AI for advanced risk assessment.

Fiserv

Fiserv

Fiserv offers a wide array of Risk & Compliance solutions to help you prevent losses from fraud and ensure adherence to regulatory and compliance mandates.

Cyber Risk Institute (CRI)

Cyber Risk Institute (CRI)

CRI is a not-for-profit coalition of financial institutions and trade associations working to protect the global economy by enhancing cybersecurity and resiliency through standardization.

Kennedys

Kennedys

Kennedys is a global law firm with expertise in litigation/dispute resolution and advisory services, particularly in the insurance/reinsurance and liability sectors, including cyber risk.

LimaCharlie

LimaCharlie

LimaCharlie gives security teams full control over how they manage their security infrastructure. Get full visibility, build what you want, control your data, get the security capabilities you need.

Microminder Cyber Security

Microminder Cyber Security

Microminder Cyber Security are innovators, advisors, strategists committed to solving your cyber security challenges.

NormCyber

NormCyber

NormCyber provide award-winning cyber security and data protection as a service for midsize organisations.

GeoComply

GeoComply

GeoComply provides fraud prevention and cybersecurity solutions that detect location fraud and help verify a user's true digital identity.