What is zero trust security?
Zero trust is a strategic approach to cybersecurity. It helps to keep companies, and their digital assets, safer by removing the assumption that anyone who has successfully accessed a network or system is trustworthy. Zero trust takes a “never trust, always verify” approach to security. The approach may sound a bit extreme, but operating this way can save companies thousands or even millions of dollars.
Zero trust security requires strict identity verification for every person and device trying to access a network or its resources, regardless of whether they are already inside the network perimeter. Now that more employees are working from home, companies are looking into how they can shift attitudes and practices regarding online security.
How is the zero trust model different?
It used to be that once someone had entered a platform or network, they were given the freedom to move about without having to offer any additional verification. It can help to think about traditional IT network security as a kind of castle-and-moat setup. If you’ve gotten past the moat, there’s no reason to question you when you’re in the castle. The problem with this approach is that if a criminal does somehow manage to access the castle, they have free rein to do or take whatever they want.
This vulnerability is exacerbated for companies that have their data in multiple places. Today, digital assets are often spread across cloud vendors, which makes it more difficult to keep watch over everything. Similarly, organizations that have adopted a hybrid workplace can no longer see who’s currently using the network. As such, zero trust makes sense for current work realities.
Zero trust is different because even when people have passed the moat and are inside the castle, they’ll be asked to verify that they have permission to be there. Verification is required when someone is trying to go upstairs, again when they want to get into the kitchen, and an additional time when they try to enter the meeting room. All systems, code and users must request access to the data and resources that they need. Then, decisions are made on a case-by-case basis. Access may be granted or denied.
Another principle of zero trust security is least privilege access. This means that users only have access to what they need, and nothing more. Additional access can always be granted if something changes and an individual needs to reach more sensitive materials. Implementing least privilege involves careful management of user permissions. VPNs, which many companies taking the hybrid approach are using now, are generally not well-suited for least-privilege access because logging in to a VPN gives users access to the entire connected network.
How does zero trust architecture work?
A comprehensive zero trust approach considers users, applications and infrastructure.
Users – The first component of any zero trust approach requires strong, frequent authentication of user identity, the application of least privilege access policies, and verification of user device integrity. Not everyone will be happy about the switch to a zero trust strategy since it can be inconvenient. However, getting your team used to new security habits now will help the company uphold this new approach in the long run.
Applications – Applying zero trust to applications removes the implicit trust placed in certain application components when they communicate with each other. A fundamental concept of zero trust is that applications shouldn’t be trusted and continuous monitoring is necessary to validate behavior.
Infrastructure – Everything from routers to cloud storage to the supply chain must be monitored using the zero trust approach. When your team already understands this, they are far less likely to take actions that would allow cybercriminals to penetrate the infrastructure.
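The per-request decision described above (authenticated user, device integrity, least privilege access, and no trust granted for being inside the network) can be sketched as follows. This is an added example, not code from the original article; the roles, resources, field names and the 15-minute re-authentication interval are all assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_AUTH_AGE_S = 15 * 60  # assumed interval before re-authentication is required

# Constructed least-privilege grants: role -> allowed (resource, action) pairs.
GRANTS = {
    "engineer": {("source-repo", "read"), ("source-repo", "write")},
    "support": {("ticket-db", "read")},
}

@dataclass(frozen=True)
class Request:
    role: str
    mfa_passed: bool
    auth_age_s: int         # seconds since the last successful authentication
    device_compliant: bool  # integrity result reported for the user's device
    on_corp_network: bool   # recorded for logging, never used to grant access
    resource: str
    action: str

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request on its own; anything not explicitly granted is denied."""
    if not req.mfa_passed:
        return False, "mfa_required"
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "reauthenticate"
    if not req.device_compliant:
        return False, "device_not_compliant"
    if (req.resource, req.action) not in GRANTS.get(req.role, set()):
        return False, "not_granted"
    return True, "allowed"

# Constructed sample requests, including two that originate inside the network.
SAMPLES = [
    Request("engineer", True, 60, True, False, "source-repo", "write"),
    Request("support", True, 60, True, True, "ticket-db", "write"),
    Request("engineer", True, 3600, True, True, "source-repo", "read"),
    Request("engineer", True, 60, False, False, "source-repo", "read"),
    Request("contractor", True, 60, True, True, "ticket-db", "read"),
]

def evaluate_samples() -> list[str]:
    """Return the decision reason for each constructed sample request."""
    return [decide(r)[1] for r in SAMPLES]

if __name__ == "__main__":
    for req, reason in zip(SAMPLES, evaluate_samples()):
        print(req.role, req.resource, req.action, "->", reason)
```

Being on the corporate network changes none of the outcomes: the second, third and fifth requests come from inside and are still denied.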
A concrete example of zero-trust security looks something like this: An employee arrives at their downtown office. When they enter the mid-rise tower, they are required to show an ID and employee badge to the person at the front desk in order to proceed to the elevators. They get to their desk, turn on their monitor, and complete a multi-factor authentication process before they can look over their email and access programs. They need to get some hardware that’s stored in a badge-protected space. They use the badge to access the item that they need.
As you can see, it asks employees to do a bit of extra work, but the protection that it offers companies is well worth the extra time spent. To make this approach truly effective, staff must see the value in zero-trust, and proactively report suspicious activity or people.
How does a company begin to build this type of system?
To build zero-trust architecture, leaders must have or develop visibility into their environment and infrastructure. They need to know where their data is, how it’s being used, and who is interacting with it.
The most common obstacles that companies encounter when trying to implement a zero trust framework are:
- Lack of data classification and segmentation
- Availability of resources
Some of these roadblocks are harder to overcome than others. Finances, for example, may limit what companies can do right away. However, with zero-trust gaining popularity, there are more resources and options available to help businesses implement stronger security measures.
One step that virtually anyone can take for free is to implement multi-factor authentication (MFA). Sometimes referred to as two-factor authentication, or 2FA, this process requires more than one piece of proof to authenticate a user. Let’s say you are logging into your email. You enter your email address and password. Provided the password is correct, you will then receive a code via text, or be asked to access a code using an authenticator app. You will be prompted to enter the code on the email platform. Once the two steps have been completed (correctly) you will be granted access to your email. This process adds an additional layer of security even if someone manages to get a hold of your password.
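The authenticator-app step above is commonly implemented with time-based one-time passwords (RFC 6238). The following added example, which is not from the original article, shows how a server can check the submitted code; the function names, the one-step clock drift allowance and the replay set are assumptions, and the secret is the published RFC test value rather than a real key.

```python
import hashlib
import hmac
import struct

STEP_S = 30   # RFC 6238 default time step in seconds
DIGITS = 6    # code length shown by most authenticator apps

def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Compute the RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // STEP_S
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_second_factor(secret: bytes, submitted: str, unix_time: int,
                         used_counters: set, drift_steps: int = 1) -> bool:
    """Accept a code for the current step or one step either side, exactly once."""
    current = unix_time // STEP_S
    first = max(0, current - drift_steps)
    for counter in range(first, current + drift_steps + 1):
        expected = totp(secret, counter * STEP_S)
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            if counter in used_counters:
                return False  # same code replayed within its validity window
            used_counters.add(counter)
            return True
    return False

# Test secret published in RFC 4226 / RFC 6238 (not a real credential).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    used = set()
    code = totp(RFC_SECRET, 59)
    print("code at t=59:", code)
    print("first use:", verify_second_factor(RFC_SECRET, code, 59, used))
    print("replay:", verify_second_factor(RFC_SECRET, code, 59, used))
    print("two minutes later:", verify_second_factor(RFC_SECRET, code, 179, set()))
```

A stolen password alone fails this check, and a code observed in transit is rejected on reuse or once its time window has passed.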
2FA is available through email platforms, communication and collaboration platforms, and even security apps like Patrol Points. The fact that so many systems offer this option is indicative of the relevance of zero trust security. It’s not just for large corporations or tech companies, it’s for any employer or employee that handles and stores sensitive data. When you think about it, that’s pretty much everybody.
Benefits of zero trust
Zero trust requires every person and device to prove that they have the correct credentials to access a certain network or platform. Even if they are already “in the castle,” they need to demonstrate that they have the right to be there. There are several benefits to implementing a zero trust security approach, but avoiding a security breach and avoiding the loss of thousands of dollars are two of the biggest motivators.
In addition to that, zero trust increases your ability to quickly isolate threats or compromised assets, improves activity visibility, and reduces an intruder’s ability to move freely within your organization’s network. This strategy can be customized, and may make a lot of sense for businesses that want to implement a proactive approach to digital security.