Five key insights into Zero Trust and why it’s important
Originally published on CSOOnline
When it comes to building effective IT security, traditional approaches have tended to resemble the construction of a walled garden. Core systems and data stores are held centrally and protected by a perimeter of firewalls and other security tools. Access is then granted via carefully controlled channels.
Now, with the growth of cloud-based resources and an increasing need for mobile and remote connections, this approach is no longer effective. As a result, more attention is turning to the concept of Zero Trust.
A Zero Trust approach shifts the security focus from the perimeter to individual devices, users, workloads, transactions and data. It allows resources to be deployed as if they were actually exposed to the public internet.
As deployment of Zero Trust initiatives gathers steam, there are five key insights that should be considered. They are:
Existing security methods are not enough
It’s no secret that online theft of personal information is getting worse. Despite companies requiring stronger passwords, breaches that use hacked passwords continue to climb in number. Depressingly, cybercriminals often don’t even need to hack passwords as many organisations effectively leave the door unlocked by not having any authentication method in place.
Clearly, we can’t count on usernames and passwords exclusively for authentication or access control, nor can we go back to the old days of perimeter-based security. We need to find a better model that allows users to access applications and data anywhere, and from any device.
Zero Trust doesn’t mean no one is trusted
Ask five people to define Zero Trust and you could easily end up with five different answers. Yet, most will agree it’s an approach with the objective of securing an organisation by having less dependence on a perimeter and more reliance on secure access for users to resources, regardless of where they are located. To achieve this, the ‘Zero Trust’ label implies you need to trust no one. However, following a Zero Trust strategy doesn’t mean that you don’t trust anyone, ever. At some point in a cloud-based, mobile device dependent world, trust will be required during the identity verification process. Zero Trust actually means a continuous evaluation of all users to ensure they are who they are claiming to be.
Confusion over what comprises Zero Trust
Along with confusion about its definition, there is also confusion around what Zero Trust comprises. Some of the key terms that help to describe this are:
Micro-segmentation - The process of placing security perimeters around small, isolated areas to maintain separate access for different parts of the network. With micro-segmentation, files in a network can be placed in separate, secure zones and a user or program with access to one of those zones won’t be able to access any of the other zones without separate authorisation.
Application behaviour and visibility - One of the benefits of micro-segmentation is the way it enables application security that includes built-in policies that define allowed behaviour. For example, ideation through development occurs in an environment that is isolated from the rest of the network so that any breach of an application will be contained.
Multi-factor Authentication (MFA) - The use of MFA is now widely accepted by consumers. Other forms of authentication, such as biometrics, are also emerging to further enhance identity verification.
Least Privilege - This is a principle of IT security that grants only as much access as an end user requires for a particular purpose. It’s a key part of Zero Trust as it is a way of containing or shrinking the perimeter of each individual user and device.
Your board should care about Zero Trust
Cybersecurity is becoming an increasingly important strategic concern for many boards. Large companies are falling victim to thieves who steal credentials and other valuable data. The risk cannot be ignored and security must be prioritised. For this reason, Zero Trust adoption is a viable strategy model that can help overcome risk, but does require investment and attention from senior management.
It’s a complex issue for the public sector
Zero Trust can be a complicated strategy for any organisation, but for government agencies it’s especially difficult. This is because they often deal with entities or individuals that are administering and managing services on behalf of others.
The delegation model that a Zero Trust infrastructure requires results in complexities that demand extra considerations around processes and technology. Additional checks and balances in the identity verification model must be present to take these variations into account.
Zero Trust has a lot to offer organisations seeking a way to secure their infrastructures while making them available to those requiring access. By understanding what is required and how the components work together, organisations will be able to undertake successful deployments and maintain effective security in a constantly changing world.