While the concept has been in existence since the early 2000s, many organisations are yet to take the plunge. Instead, they opt to continue with legacy security measures and add additional tools as required.
Taking this approach, however, can be a costly mistake. This is because an increasing proportion of data breaches are caused by phishing attacks and credential theft. Traditional IT security measures are unlikely to prevent intrusion by a cybercriminal who has valid access credentials.
The case for zero trust has also been strengthened by the sweeping changes that have occurred within many workplaces. In the wake of the pandemic, hybrid working is now very much the norm which means staff are no longer always connecting to a corporate network protected by a centralised firewall.
Defining zero trust
Ask five IT professionals to define zero trust and you are highly likely to get five different answers. The concept is used by security vendors to market a range of products and services and therefore means different things to different people.
Strip away the marketing hype, however, and a clearer picture of what a zero-trust strategy involves emerges. In short, zero trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilising policy informed by continuous, contextual, risk-based verification across users and their devices.
When following this strategy, an IT security team will assume that a breach is inevitable or has already occurred. The team will also ensure that the identity of a person or device is checked each time they request access to a new resource, and that every action is logged and analysed.
In reality, the concept of zero trust is not new. The elements that comprise the strategy, such as least privilege and network segmentation, have been in use for some time. It is the way these elements are put together that gives zero trust its unique capabilities.
The zero-trust journey
It’s also important to remember that zero trust is a journey rather than a final destination. It’s not possible to buy the concept ‘off-the-shelf and deploy it. In reality it is a set of principles that guide security design.
When starting the journey, a security team needs to ask two key questions: what resources are they trying to protect, and who should have access to them. This will determine where the work should begin and ensure it has the biggest positive impact possible.
The journey to zero trust will then comprise seven important steps. They are:
- Monitoring: Implement tools that deliver the ability to constantly monitor the entire IT environment. This may include deployment of a SIEM platform.
- Identification: A single source of truth when it comes to digital identities needs to be created. This can be achieved with the use of Identity access management (IAM) tools.
- Classification: The next step is to identify and classify all data across the organisation. Decisions need to be made on which data is critical and therefore must be afforded the most protection.
- Data flows: The flow of data both within the organisation and externally then needs to be examined and understood. System architecture management should also be undertaken.
- Device management: The team then needs to deploy a mobile device management platform that can help to track devices and their data usage.
- Network changes: When it comes to data networks, the next step will be to remove existing virtual private network (VPN) tools and introduce Secure Access Service Edge (SASE) technology.
- Ongoing improvement: Zero trust is not a set-and-forget concept. There will therefore be a need for ongoing review and improvement of the measures that have been put in place. This process can also include the adoption of automation tools to reduce the workload on IT staff.
The important thing to remember is that most organisations will not be starting their zero-trust strategy with a blank piece of paper as a proportion of the components are likely to already be in place.
By taking a measured and methodical approach, organisations following this security strategy will be in a much stronger position to avoid falling victim to a future cyberattack.
