Zero trust: an answer to cybersecurity


Cybersecurity is busy. The scale, speed and aggressiveness of cyber attackers continue to grow. For an organization, a cyber attack is not a question of ‘if’ but a question of ‘when’. In the new ‘digital normal’, traditional perimeter defenses are no match for the influx of cyber threats coming from all directions. Organizations need to look at cyber security holistically rather than acting sporadically after an attack.

Zero trust is an evolving set of cybersecurity paradigms that moves toward a more comprehensive information technology security model. It enables organizations to restrict access to networks, applications and environments without sacrificing performance and user experience. Zero trust is more of a ‘concept’ or ‘idea’ than a specific technology platform. It shifts security from static, network-based perimeters to a distinct focus on users, assets and resources.

Zero-trust principles guide the planning of industrial and business infrastructure and workflows. The concept rests on the belief that organizations should not automatically trust anything inside or outside the perimeter. Anything and everything that attempts to connect to any system must be verified before access is granted. In short, a zero-trust approach trusts no one by default.

Zero trust is a concept

Zero trust assumes that no implicit trust is granted to any system or user based solely on location or ownership of assets. Authentication and authorization are discrete functions that are performed before a session is established to an enterprise resource. Zero trust protects resources such as accounts, assets, networks, services, workflows, etc. The basic idea of zero trust is simple — ‘assume everything is hostile by default.’

A zero-trust approach relies on different technologies and processes to secure an enterprise’s IT environment. As a result, zero trust requires constant effort. However, building zero-trust security does not mean implementing any single technology. Instead, it is about using technologies and processes to enforce the idea that no one and nothing has access until proven trustworthy.

When designing a zero-trust architecture, it is therefore crucial to consider continuous monitoring and validation, identity and access control, least privilege, device access control, zero-trust network access, micro-segmentation, endpoint protection and lateral movement prevention, multi-factor authentication, etc.

Basic assumptions and principles of zero trust

Zero trust is built on the following basic assumptions: the environment is constantly at risk; external and internal threats are present at all times; network location alone is not sufficient to establish trust; all users, devices and network traffic must be authenticated and authorized; and security policies must be dynamic and calculated from as many data sources as possible.

Based on these assumptions, the zero-trust model adheres to the following basic principles:

Authenticate users: Assess user risk based on location, device and behavior to determine whether the user is who they claim to be. Then take appropriate measures (such as multi-factor authentication) to confirm user authenticity.

Authenticate devices: Whether corporate devices, BYOD (bring your own device), public hosts, laptops or mobile devices, implement access control policies based on device identity and security posture. Only trusted endpoints are allowed to access company resources.

Restrict access and permissions: Once users and devices are authenticated, apply a role-based resource access control model, granting them only the minimal permissions needed to complete the work at hand.

Adapt continuously: Disparate sources such as users, their devices and all related activities produce information consistently and continuously. Leverage machine learning to set context-sensitive access policies and automatically adjust those policies as conditions change.
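The four principles above describe a per-request policy decision: authenticate the user, authenticate the device, apply least privilege, and adapt to context. The following Python policy engine is an added example written for this article, not code from the author or any vendor; the roles, resources, sensitivity labels and sample requests are all constructed for illustration. It shows the one thing the principles imply but prose cannot demonstrate: a request from inside the corporate network that lacks MFA is still denied, because location is only a risk signal, never a grant of trust.

```python
"""Minimal zero-trust policy decision point (constructed example).

Every request is evaluated on user authentication, device trust, a
least-privilege role table and a context-derived risk score. Network
location contributes to the risk score but never waives a check.
"""
from dataclasses import dataclass

# Constructed role -> resource -> allowed actions table (least privilege).
ROLE_PERMISSIONS = {
    "analyst": {"tickets": {"read", "write"}},
    "hr": {"hr-records": {"read", "write"}, "tickets": {"read"}},
}

# Constructed sensitivity labels; "high" resources demand a clean risk picture.
RESOURCE_SENSITIVITY = {"tickets": "low", "hr-records": "high"}


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool            # user principle: strong authentication completed
    device_managed: bool        # device principle: enrolled corporate or registered BYOD endpoint
    device_compliant: bool      # device principle: posture check (patched, EDR running) passed
    on_corporate_network: bool  # location: recorded as a signal, never as a trust grant
    new_location: bool          # behaviour signal: first sign-in from this geography
    recent_reauth: bool         # step-up authentication already satisfied in this session window
    resource: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    risk: int


def risk_score(req: AccessRequest) -> int:
    """Adaptive principle: fold context signals into a single score."""
    score = 0
    if req.new_location:
        score += 2
    if not req.on_corporate_network:
        score += 1
    return score


def decide(req: AccessRequest) -> Decision:
    """Return an allow/deny decision for one request, checked before any session exists."""
    risk = risk_score(req)
    # 1. Authenticate the user. Being on the corporate network does not waive MFA.
    if not req.mfa_passed:
        return Decision(False, "user: multi-factor authentication not satisfied", risk)
    # 2. Authenticate the device. Only trusted endpoints may reach company resources.
    if not req.device_managed:
        return Decision(False, "device: unmanaged endpoint", risk)
    if not req.device_compliant:
        return Decision(False, "device: posture check failed", risk)
    # 3. Least privilege: the role table decides what this identity may do to this resource.
    allowed_actions = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return Decision(False, f"authz: role '{req.role}' may not {req.action} {req.resource}", risk)
    # 4. Adapt: elevated risk against a sensitive resource requires fresh step-up authentication.
    if RESOURCE_SENSITIVITY.get(req.resource) == "high" and risk >= 2 and not req.recent_reauth:
        return Decision(False, "adaptive: step-up re-authentication required", risk)
    return Decision(True, "allow", risk)


# Constructed sample requests covering each principle.
SAMPLE_REQUESTS = {
    "on-net-no-mfa": AccessRequest("alice", "analyst", False, True, True, True, False, False, "tickets", "read"),
    "byod-unmanaged": AccessRequest("bob", "hr", True, False, True, False, False, False, "hr-records", "read"),
    "analyst-hr-records": AccessRequest("alice", "analyst", True, True, True, True, False, False, "hr-records", "read"),
    "hr-new-location": AccessRequest("bob", "hr", True, True, True, False, True, False, "hr-records", "read"),
    "hr-new-location-reauth": AccessRequest("bob", "hr", True, True, True, False, True, True, "hr-records", "read"),
    "analyst-tickets-remote": AccessRequest("alice", "analyst", True, True, True, False, False, False, "tickets", "write"),
}


def evaluate_samples() -> dict:
    """Run every constructed request through the policy and return the decisions by name."""
    return {name: decide(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        verdict = "ALLOW" if decision.allowed else "DENY "
        print(f"{verdict} risk={decision.risk} {name:24s} {decision.reason}")
```

The order of checks is deliberate: the cheapest and most decisive signals (no MFA, unknown device) reject first, the role table is consulted only for authenticated principals, and the adaptive step-up rule runs last so that a sensitive resource reached from a new location still demands a fresh proof even when every static check passed.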

Getting started with zero trust

The basic concept of zero trust is now established, but how to make different technologies meet that standard remains a difficult question. Zero trust is sometimes misused as a marketing term by vendors, which creates considerable confusion. There is no specific technique or technology that implements zero-trust security on its own; security solutions can, however, help put the zero-trust principle into practice. When designing a zero-trust model, an organization’s security and IT teams should first focus on answering a few questions:

What are you trying to protect? Who are you trying to protect it from? What are your current user, device, network, application and data security threats and vulnerabilities? Are you able to stop a ransomware attack or data leak? Are insiders capable of stealing your corporate data and how many people have access to sensitive information? Do you already have a zero-trust strategy and a phased implementation plan? Do you enforce a zero-trust policy across the enterprise?

Zero trust is not a project

While there is no single, unified option that can provide cyber defense against all possible cyber threats, any framework will inform how to design a model. Accordingly, the most effective approach is to layer technologies and processes on top of the plan, not the other way around. Organizations can also take a phased approach, starting with either the most critical assets or a test case of non-critical assets, before deploying zero trust broadly. A preliminary maturity assessment can also help identify where an organization stands on its journey towards implementing zero trust in the enterprise.

Organizations can follow these steps during implementation: form a dedicated zero-trust team; assess the environment; review available technology; strategically plan the activities integral to zero trust; define operational changes; and implement, rinse and repeat.

Zero trust is a journey

Zero-trust initiatives fail for many reasons, e.g. not considering identities across the whole company, failing to shift the mental frame toward continuous verification, and pursuing the strategy in a fragmented manner. Another point of failure is thinking small and short-term. Zero-trust initiatives must have full sponsorship. Support from management and stakeholders is key. A comprehensive zero-trust program requires the participation of multiple departments within the organization.

While no security strategy is 100 percent perfect and cyber attacks or breaches will likely never be eliminated, zero trust is still among the most effective strategies today. Zero trust enables organizations to implement better access control, contain breaches, protect assets and mitigate potential harm. However, it could waste time, effort and resources without a carefully planned architecture and adaptive strategy. Implementing a flexible and dynamic cyber security strategy is vital to becoming cyber resilient.

BM Zahid ul Haque is an information security and cyber digital transformation expert and technology expert.
