What is Zero Trust?

The risk landscape has changed - organisations have more data and resources in more places and more people accessing them.

In 2020, according to the UK Office for National Statistics (ONS), just under 50% of the UK workforce were working remotely. The McKinsey Global Institute expects this percentage to remain high into the future.

Not only has this required organisations to secure more areas of infrastructure but has also led to the proliferation of 'shadow IT' – devices that are outside the control of the traditional IT department.

Since 40% of data breaches have been shown to be caused by internal users, it is now widely acknowledged that there is no difference between internal and external threats.

Combine this with the constant changes made to connections between organisations and customers and the services consumed, the potential for something to go wrong has increased significantly for organisations still managing a traditional firewall perimeter approach to security.

The concept of Zero Trust has been around for some time but recent global changes to the way we work, play and shop have thrown the requirement for a Zero Trust approach to securing business into sharp relief.

WHAT IS ZERO TRUST?

Zero Trust is a state of mind and that mind is a paranoid one! The working assumption at the forefront of a Zero Trust approach is that every network is breached, every machine is compromised, and every user is at risk.

Zero Trust requires a total rethink of how organisations secure everything.

Implementation of a Zero Trust architecture and mindset is a change management challenge incorporating business process and technology and is one that needs to involve all stakeholders.

For Zero Trust to be implemented, organisations need to have clarity around:

• What they are trying to protect
• Why those things (users, data, applications etc) need protection
• Where those things are
• Who is accessing them and how are they doing so
• What needs to be done to protect them

Zero Trust requires security everywhere! The mantra is never trust, always verify.  

WHAT STEPS CAN BE TAKEN TO MOVE TO ZERO TRUST?

When there’s flashy, exciting new tech around it is all too easy for people to ignore what is often seen as the boring or difficult bit – people and process. Everyone needs to come along for the journey and without significant business buy-in, any change is likely to fail.

In security terms, however, the quick wins can come from ensuring basic security protocols are in place:

• Access to applications only – who needs access to the entire network?
• Is the network isolated from the internet? Shut down any of those vulnerabilities.
• Establish protection at the lowest possible layer.
• Secure privileged user accounts
• Monitor outbound traffic – where is that packet heading?
• Review and enhance identity management, and how authentication and authorization works.
• Educate and train users – ensure everyone understands why security is important to the business, and their part in that security!

It is important to stress that Zero Trust is not simply the implementation of multi-factor authentication (MFA), and Zero Trust is not a product. It is a strategy and there is no single strategy that fits all organisations. Moreover, the selected strategy cannot be implemented overnight. An iterative approach is required:

• Start with a specific use case, a target application, or a user population;
• Demonstrate value; and
• Learn from the experience

But remember, even the best Zero Trust setup cannot protect you against the user who leaves their password on a post-it note! People and processes are always key to a successful security strategy!