Zero trust is a strategic and intelligent approach to the growing cybersecurity threat. According to Statista, organisations are rapidly moving towards zero trust frameworks as they offer measurable benefits in terms of increased compliance, faster threat detection and improved protection of customer data, among others. The approach allows organisations to take a holistic approach to security by removing the idea of trust and interrogating every touchpoint and interaction to ensure that systems and individuals are secure.
There are many different approaches and ideas around how to implement and fully realise a zero-trust model, but they all boil down to the same principle: every user and employee isn’t only authenticated when they access data or systems; they are authenticated constantly. Their authentication process is then itself authenticated and verified using multiple authentication and verification methodologies. The result is a chain of security that loops back and within the business to ensure that every identity and point of access is genuine and verified.
Another reason why zero trust has become so invaluable to the organisation is digital transformation. This has accelerated exponentially over the past two years, for obvious reasons, and organisations have had to rapidly evolve their systems and security to keep up. Most companies adopted cloud technologies to ensure they could continue working with customers and employees who were now all working from home. The entire business model shifted on its axis as hundreds of people in the office using one network suddenly became hundreds of networks accessing the office. And this dynamic hasn’t changed even now, as many companies are moving towards hybrid models of working.
For security teams, this has been an ongoing concern. Most lay awake at night. Many still do. The rapid move to online and hybrid working models has opened vulnerabilities within systems that were not prepared. Many are still trying to find reliable and robust ways of ensuring that systems and data remain secure. The biggest challenge for most companies has been to have security and authentication – ensuring that every user on any device from any location is verified and authenticated – embedded at every touchpoint with the same standards.
However, data encryption is not easily accessible for many companies, and many don’t ask that users connect to specific tools in order to get authenticated because they haven’t the budget or manpower to implement tools that monitor and manage user access. Often, companies have allowed their employees to work without authentication, which introduces a significant risk when it comes to data transfer and data movement auditing. This is further complicated by the growing number of regulatory bills, worldwide, that hold companies responsible for a breach.
The Protection of Personal Information Act (PoPIA) has come into full force and joins other international acts such as the General Data Protection Regulation in Europe (the benchmark of robust regulation, globally), the California Consumer Privacy Act (CCPA) and Brazil’s Lei Geral de Proteção de Dados (LGPD). Companies can no longer leave their security lying about on the ground for anyone to pick up and break. Now, they have to show a full track of data movement and data auditing, and they have to report on all the data movements of the company. It’s critical to have policies and procedures in place, particularly for companies that are operating within hybrid frameworks.
The zero-trust model
This is where zero trust comes in. The zero-trust model, based on NIST 800-207, includes three key principles. The first is continuous verification, where the system is always verifying access, all the time, across all resources. The second is to limit the blast radius by minimising the impact if a breach occurs. The third is to automate context collection and response and to incorporate behavioural data for accurate insights and authentication processes.
Zero trust policies rely on real-time visibility into hundreds of user and application identity attributes. These include anything from user identities and types of credentials to credential privileges per device and endpoint hardware types and functions. Zero trust systems also assess behaviour patterns, geolocation, security or incident detections, application installations on the endpoints, protocol and risk authentication, and operating system version and patch level.
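The per-request evaluation described above, sketched as an added example (it is not from the original article or from NIST 800-207): a policy decision function that re-checks a handful of the listed attributes on every request, so the same session can move from allow to step-up to deny as its context changes. The thresholds, country list, attribute names and sample session are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed policy values for illustration; a real deployment sets its own.
MIN_PATCH_LEVEL = {"windows": 22631, "macos": 1407}  # hypothetical build floors
ALLOWED_COUNTRIES = {"ZA", "GB"}
STRONG_CREDENTIALS = {"fido2", "certificate"}
GRANT_TTL_SECONDS = 300  # short-lived grants limit the blast radius

@dataclass(frozen=True)
class Context:
    user: str
    credential: str         # "password", "fido2", "certificate"
    device_managed: bool
    os: str
    patch_level: int
    country: str
    active_detections: int  # open incident detections on the endpoint
    resource: str
    sensitivity: str        # "low" or "high"

def decide(ctx: Context) -> dict:
    """Evaluate one request; called on every request, not only at login."""
    reasons = []
    # Hard failures deny outright. Unknown OS fails closed (floor = infinity).
    if ctx.active_detections > 0:
        reasons.append("open incident detection on endpoint")
    if ctx.patch_level < MIN_PATCH_LEVEL.get(ctx.os, float("inf")):
        reasons.append("operating system below required patch level")
    if reasons:
        return {"decision": "deny", "reasons": reasons}
    # Soft signals ask for stronger proof instead of trusting the session.
    if ctx.country not in ALLOWED_COUNTRIES:
        reasons.append("unexpected geolocation")
    if ctx.sensitivity == "high" and ctx.credential not in STRONG_CREDENTIALS:
        reasons.append("weak credential for high-sensitivity resource")
    if ctx.sensitivity == "high" and not ctx.device_managed:
        reasons.append("unmanaged device for high-sensitivity resource")
    if reasons:
        return {"decision": "step_up", "reasons": reasons}
    # The grant covers this one resource only and expires quickly.
    return {"decision": "allow", "reasons": [],
            "scope": [ctx.resource], "ttl": GRANT_TTL_SECONDS}

# Constructed sample: one session whose context changes between requests.
BASE = Context("user-a", "fido2", True, "windows", 22631, "ZA", 0, "payroll-db", "high")

def replay_session() -> list:
    steps = [BASE, replace(BASE, country="BR"), replace(BASE, active_detections=1)]
    return [decide(c)["decision"] for c in steps]
```

Calling `replay_session()` evaluates three requests from one session: the unchanged context, a geolocation change, and an endpoint that has raised an incident detection.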
The challenge for organisations is to find a way of embedding a zero-trust model within the chaos of applications and devices that has evolved over the past two years. In the past, companies could lock down devices on the hardware application level, but with software changing and different devices emerging, this is now only one part of the authentication and verification equation. Now, zero trust has to implicate and interrogate every point of authentication and verification throughout the user journey.
Considering that organisations are required to protect their infrastructure and deployment and embed multi-cloud, hybrid and multi-identity functions that include unmanaged devices and legacy systems as well as Software-as-a-Service applications, it’s clear why zero trust continues to gain traction. Security must address key threat use cases such as ransomware, supply chain attacks and insider threats. These continue to lead the way in successful hacks of privileged information and cause immense damage to organisations, reputationally and financially.
Organisations can implement a zero-trust approach incrementally, ensuring that risk is managed effectively within the resource capabilities of the security team and through the strategic implementation of security tools and systems. It may seem a daunting step in a complex direction, but by leveraging tools already in place and by integrating security systems and methodologies that align with the zero-trust model, organisations can embed comprehensive and holistic security into the business.