Today we access work applications from multiple devices. Many businesses operate a “verify, then trust model,” permitting use to any app or device and to any user with the correct credentials. Because of this, businesses are often left open to threats such as data breaches and malware. This is where the network security concept of zero trust comes in. Here’s how it all works.
What zero trust is
It’s focused on the idea that systems shouldn’t automatically trust anything, be they inside or outside the security perimeters. It’s about being certain who the user is. Never trust, always verify. It offers better security than technology relying on outdated trust principles such as VPNs. To achieve this, it aggregates a few different principles and technologies.
This is the idea of limiting access to only what is 100% necessary. Only the bare minimum level of rights and security clearances are given to allow a process, application, system or device to function.
Traditional “castle and moat” security is flawed. Once security is breached by say, hacking a password, a hacker has free reign within your entire system. With microsegmentation, security perimeters are split into smaller sections. This means different areas of the network require different authentication. One hacker breaking into one segment can only do damage within the segment they’ve hacked.
Think of it as a digital double/triple lock. It’s the act of authenticating a user’s identity by asking for multiple credentials. Instead of just asking for a username and password. MFA may ask for anything from an extra security question to a fingerprint. Using biometric data like facial recognition, fingerprint or retina scans is particularly effective as they're impervious to a brute force attack.
Implementing zero trust
Here are the five steps you should take to make zero trust a reality in your business.
1) Define what to protect. This means outlining the applications, assets, etc. that are most crucial to your business; the last things you’d want falling into the wrong hands.
2) Map the transaction flows by viewing and noting how traffic moves across a network. This will give you insight into how to achieve optimal security and cause minimal disruption within your business.
3) Design the zero trust network. This will begin by adding a next-generation firewall to act as a segmentation gateway. From here you can add additional layers of inspection and access control.
4) Create your zero trust policies. This involves getting super detailed on who your users are, what applications they need, why they need them, and what controls are needed to secure their access.
5) Monitor your networks. Here you inspect and log all traffic so you can optimise the network over time.
Zero trust has certain technologies supporting it. However, achieving it has more to do with a general attitude rather than adhering to a checklist. It’s a constant process of staying up to date on what allows you to never need trust a user, and how you can always verify them.