Never Trust Anything Again - The Zero Trust World

Uploaded on 2022-05-19 in TECHNOLOGY--Resilience, FREE TO VIEW

It seems everyone is talking about Zero Trust in our data networks, but it is often a goal which cannot be reached, as it depends so much on business needs and user interactions. However, where possible, a Zero Trust strategy can help a business be more secure and avoid costly hacks.

It is a concept that is more relevant and important today than ever, particularly as companies around the world grapple with how to operate, and respond to, the remote working drive and cloud-based services which are taking over. 

Securing the traditional network perimeter (i.e. the moat and castle approach) is no longer sufficient. With the rise of applications being deployed in multi-clouds, and the growing mobile workforce, the network perimeter has all but disappeared.

Even One-Time-Password (OTP) technologies can no longer support diverse networks and connections. True Multi-Factor-Authentication (MFA) has come of age, as required flexibility of authentication is linked to the level of security needed. Hence, the greater the risk to data, the better form of authentication and trust application is needed. Likewise, for an environment which has many tens of thousands of customers, even the most basic of MFA solutions, such as SMS authentication, could be impractical and a barrier to business.

Zero Trust eliminates the idea of a trusted network inside a defined perimeter. Today, you must apply least-privilege user access and scrutinise it as much as possible.  Assume attackers are already hiding in the network and get more context and visibility from the control points.

To enable Zero Trust, organisations must abandon the ‘trust everything, but verify’ approach and adhere to these three principles:

1. Never trust
2. Always verify
3. Continuously monitor

No single vendor can provide a Zero Trust solution, it will require a blended approach to meet the company’s specific business needs. This is where the challenges lie. But what are they?

Zero trust is not a standard, or a specification that vendors can design products and services against. It is an approach to designing an architecture, which means it can be difficult to know what the right thing to do is.

Cost:   As with any infrastructure change, there are usually costs associated with a migration. Both direct and indirect. Direct costs are new products, devices, and services. Indirect costs are the training of support teams in order to learn new processes. 

Disruption:   Moving to a Zero Trust architecture can be a very disruptive exercise. It can take several years to migrate to a fully Zero Trust model, due to the extent of change needed across the enterprise. Defining an end state for a migration is difficult when the model you are aiming for may evolve during the rollout.

Not all products and services are suitable for Zero Trust: Many legacy or fixed process products and services do not fit well with its principles, due to the working practices that surround them. An example is Bring-Your-Own-Device (BYOD) architecture. In this case, it can be difficult to gain a high level of confidence in the status of the devices accessing your services and data, without intruding on the privacy of your user. Another example could be the size of a customer base. If it is too large or diverse it may prevent the identity of working practices needed to ensure a positive trust result.

The temptation for many business leaders is to delay a Zero Trust project because there is no immediate implication for not doing it today, or next quarter. But eventually, it will become a priority because of an attack, or key clients seeing the organisation as a weak link in their supply chain.

If a Zero Trust strategy has not been implemented, it may look like a massive project. Faced with the inevitable limited resources issue, many may struggle to develop a system that works for the individual business needs. Hence, the imperative to start planning now. Businesses should look at their current products for endpoint protection, user authentication and network monitoring and see how they can be manipulated to start the foundation of a Zero Trust policy. From here, any new security solution purchase can be reviewed in light of the Zero Trust plan, ensuring it fits.

Zero Trust provides higher security, from the endpoint through to the application, than traditional approaches. By constantly authenticating and authorising, it's possible to securely enable the mobile workforce, reduce data losses and improving productivity with streamlined access

Colin Tankard is Managing Director at Digital Pathways

You Might Also Read: 

The Frailty Of Email:

 

« A Short History Of Cyber Crime - Part 1- Its Motivations
Conti Attack US Precision Engineering Business »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

RU-CERT

RU-CERT

RU-CERT is the CSIRT / CERT team of the Russian Federation.

Patchstack

Patchstack

Patchstack (formerly WebARX) is a web application security platform, which allows digital agencies and developers to monitor, protect and maintain their websites.

National Agency for Information & Communication Technologies (ANTIC) - Cameroon

National Agency for Information & Communication Technologies (ANTIC) - Cameroon

ANTIC is responsible for regulating the activities of electronic security and regulation of the Internet in Cameroon.

NetDiligence

NetDiligence

NetDiligence is a privately-held cyber risk assessment and data breach services company.

Syhunt Security

Syhunt Security

Syhunt is a leading player in the web application security field, delivering its assessment tools to a range of organizations across the globe.

QOMPLX

QOMPLX

QOMPLX integrate, contextualize, and analyze data from virtually any source to help you identify operational risk and inefficiencies throughout the enterprise.

Grupo CFI

Grupo CFI

Grupo CFI is the largest Spanish network of data protection and cybersecurity professionals.

Ecubel

Ecubel

Ecubel is the market leader in Belgium in buying and selling used IT harware guaranteed by a certified data erasure.

CYBAVO

CYBAVO

CYBAVO is a cryptocurrency security company founded by experts from the cryptocurrency and security industries.

MPC Alliance

MPC Alliance

The mission of the MPC Alliance is to accelerate adoption of MPC (Multi-Party Computation) technology.

Responsible Cyber

Responsible Cyber

Protect yourself with Responsible Cyber’s 360° platform, IMMUNE, arming you with comprehensive support for your business.

NSR

NSR

NSR provide trusted solutions that deliver positive business outcomes for our clients in cybersecurity and data protection challenges.

HALOCK Security Labs

HALOCK Security Labs

HALOCK is an information security consultancy providing both strategic and technical security offerings.

Unciphered

Unciphered

Unciphered was created as the first company providing services for opening locked hardware cryptocurrency wallets.

Systal Technology Solutions

Systal Technology Solutions

Systal is a global managed network and security service and transformation specialist. We help enterprise-level businesses maximise the security and business value of their complex IT infrastructure.

SquareX

SquareX

Squarex secures your online activities without compromising productivity.

TetherView

TetherView

TetherView provides leading virtual desktop and email security technology to help businesses stand up and manage digital workspaces.