Zero Trust — A Security State of Mind

Ben Whittaker
Version 1
5 min read · Dec 14, 2021

The modern age we live in is littered with buzzwords. Some come and go quickly but others stick around a little longer. I have to admit to being a bit of a buzzword and acronym junkie; I can’t let a good one pass by me. Perhaps it’s the inner geek in me, but I always feel the need to understand what it’s all about.

One such trend that has been getting more and more ‘airtime’ is that of Zero Trust. It’s not particularly new: the concept was first coined around ten years ago, but it hit the big-time two years ago when Gartner included Zero Trust as a core component of security solutions. It’s been gathering momentum and is fast becoming the standard way we architect and access our IT systems. You might not be familiar with the whole concept, so what follows is a guide to the key principles of Zero Trust.

Out with the old — in with the new

The traditional way organisations have kept their data and systems secure is by using firewalls and network appliances to create a secure internal network. If you think of the organisation as a castle, everything within the castle walls is considered trusted, and everything outside the network is untrusted. For a while, this model worked fine, but the way we work has changed dramatically over the past few years. With the rise of mobile devices, ubiquitous fast Internet access, and cloud adoption, people can access resources from more locations and devices than ever before. The way we do business is changing too, with employees, customers, partners and contractors all needing to access and share data. If you’re still operating like a castle, opening up any part of your defences can lead to all sorts of problems and vulnerabilities. So, what’s the answer?

Introducing Zero Trust security

Working from home used to be considered a perk, but with the pandemic it became a necessity, leading us to where we are right now, where working remotely has become the default for many — and it’s here to stay. This is coupled with the fact that organisations rely on ever-increasing amounts of data, where much of that is shared across systems — often with different providers. Just how do you tie up all the users, locations, data and systems — and still keep a handle on security?

We’re moving away from the network perimeter-centric view of security. The common control point is shifting to the identity of the user. Instead of seeing users as either trusted individuals who can access everything inside the organisation, or untrusted individuals to be kept on the outside, Zero Trust lets us take a different approach. We no longer assume that a user is trusted based on their network location; all users must now be verified before gaining access to systems and data.

Identity is the new perimeter

The modern workplace, where users, data and systems are all distributed, is now becoming based on the principle of “never trust, always verify”. What this means is that an organisation needs to continuously assess access privileges, but without adding friction for the user. It means allowing access from all the various users, locations, devices and networks, but having control of who has access to what.

Modern identity and access management (IAM) solutions are at the heart of a Zero Trust strategy. They are an essential part of embracing the rise of cloud computing and providing the flexibility demanded by businesses, users and consumers. Zero Trust is all about evaluating the context of the user and devices before granting access.
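As an added illustration (not code from this article or from Version 1), the sketch below shows a deny-by-default access decision that evaluates identity and device context on every request and never grants access on network location alone. The `AccessRequest` fields, the `evaluate` function and the sample entitlements are hypothetical names constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample entitlements: (user, resource) -> expiry of the grant.
ENTITLEMENTS = {
    ("alice", "payroll-db"): datetime(2030, 1, 1, tzinfo=timezone.utc),
    ("bob", "payroll-db"): datetime(2020, 1, 1, tzinfo=timezone.utc),  # expired
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    mfa_passed: bool
    device_compliant: bool
    on_corporate_network: bool  # recorded for audit only; never grants access


def evaluate(req, now, audit_log):
    """Deny by default. Return (allowed, reasons) and append an audit record."""
    reasons = []
    expiry = ENTITLEMENTS.get((req.user, req.resource))
    if expiry is None:
        reasons.append("no entitlement for this resource")
    elif now >= expiry:
        reasons.append("entitlement expired")
    if not req.mfa_passed:
        reasons.append("MFA not satisfied")
    if not req.device_compliant:
        reasons.append("device not compliant")

    # Access is allowed only when every check passed; being on the
    # corporate network is deliberately absent from the decision.
    allowed = not reasons
    audit_log.append({
        "time": now.isoformat(),
        "user": req.user,
        "resource": req.resource,
        "allowed": allowed,
        "on_corporate_network": req.on_corporate_network,
        "reasons": reasons,
    })
    return allowed, reasons
```

A remote user with a valid entitlement, MFA and a compliant device is allowed, while a user inside the corporate network who fails any check is refused, and both outcomes land in the audit log.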

Zero Trust is here to stay

Achieving the promise of Zero Trust is not a single event and won’t happen overnight. It is more of a journey that begins with nurturing an identity-driven mindset: working to secure the user, regardless of their location, device, or network. Most organisations are ramping up their journey towards identity and access management maturity. This includes the provision of new cloud-based resources, new ways of connecting user devices to applications and data, as well as retro-engineering existing systems. There are supporting technologies that are rapidly becoming standard practice, such as multi-factor authentication (MFA), context-based access policies, single sign-on (SSO), and automated account provisioning and de-provisioning.

Benefits to adopting a Zero Trust approach

1. You gain visibility and control over which users have access to what resources, and minimise risks such as compromised credentials and unauthorised access.

2. It helps to simplify IT management. Zero Trust rests on the foundation of continual monitoring and analytics, meaning access can be automated using the principle of Privileged Access Management (PAM). Access can be automatically granted based on key identifiers, with IT teams only getting involved where the system flags anything suspicious.

3. Zero Trust is good news for existing security teams, enabling them to work smarter. As it uses centralised monitoring, it enables analytics and deep insights, allowing them to create a more secure environment with fewer staff.

4. There is improved data protection, such as preventing rogue employees or malware from gaining access to large portions of the network. Limiting what a user can access and for how long goes a long way to reducing risks.

5. Firewalls are no longer enough when data is spread across many locations and the cloud. Zero Trust offers robust protection for workers and data in any location.

6. Users have better access to resources, without the need for cumbersome VPNs — users can directly access the resources they need.

7. Zero Trust helps to ensure continuous compliance, with every access request being evaluated and logged. With an evidence trail, governance is faster and more efficient.

Key takeaways

When it comes to adopting Zero Trust, there is no magic wand. No organisation is going to achieve full maturity overnight. However, security threats will continue to intensify and organisations cannot afford to stand still. There are tools and people out there to help you step up your security game. Version 1 have a rich history of providing consultancy, best practice and vendor-agnostic solutions, and we would love to help you achieve your Zero Trust goals.

About The Author
Ben Whittaker is a Cloud Infrastructure Architect here at Version 1.

Ben Whittaker is a Cloud Solutions Architect working for Version 1.