With the rise of mobile connectivity, and especially with the increasing prevalence of bring your own device (BYOD) computing, there’s a growing need for IT security models that emphasize safeguarding users, devices, data, and software operating outside the perimeters of the traditional enterprise network. Among such models, Zero Trust is by far the best known and most popular.
Even before the coronavirus pandemic grabbed the lion’s share of headlines around the world, the topic of Zero Trust was trending in conversations among cybersecurity professionals. And today, as businesses are forced to grapple with new challenges arising from the rapid and largely unplanned shift to a predominantly remote workforce, the concept is gaining still more attention.
So, what, exactly, is all the buzz about? Why should Zero Trust be important to today’s businesses, and how can it be applied in ways that will mitigate real security risks?
“Zero Trust is a great idea, and an important model for IT security philosophy,” says Matthew Wilson, Chief Information Security Advisor at BTB Security. “But it’s nothing new. The model has been around for over a decade. What has changed is the shape and composition of IT networks. That makes it more relevant than ever before.”
What is Zero Trust?
The concept of Zero Trust was pioneered by John Kindervag, then an analyst at Forrester Research, back in 2010. Its core principle, “never trust, always verify,” was put forward in opposition to the most common creed among security architects at the time, which was “trust but verify.” The predominant security model of the day held that user identities were to be verified, and permissions checked, at the borders of the corporate network, and that anything within that protected perimeter could be trusted.
With Zero Trust, instead of concentrating defenses at the network’s borders, security architects design “microperimeters” around all information and technology assets within the environment and implement role-based access controls for each one. “The basic idea behind the architecture is the same as the law of least privilege,” says Wilson. “You have to implement technologies and enforce policies to ensure that all resources are accessed in a secure manner.”
“I’ve taken my Zero Trust motto from the movie Spaceballs,” jokes Wilson. “It’s like the heroic Captain Lone Starr says to Princess Vespa when they need to escape on the remote desert planet… Take only what you need to survive.”
Let business need be your guide
Any number of technologies can be deployed to support an organization’s adoption of the Zero Trust framework, ranging from single sign-on (SSO) authentication tools that leverage the Lightweight Directory Access Protocol (LDAP) to let users log into multiple software applications with a single ID and password, to various other identity and access management (IAM) platforms. Wilson cautions, however, that buying new IT solutions, in and of itself, isn’t enough to achieve a true Zero Trust-based security posture.
“You can’t set up appropriate access controls without thinking carefully about business needs,” says Wilson. “Exactly which privileges does each user need in order to do their job? Everyone should have only this bare minimum and nothing more.”
Determining this bare minimum level of rights and permissions for every software application and IT resource in use within your organization demands a significant investment of time and effort. Although tools exist that can aid in the discovery process, making it easier to understand (for instance) resource access that is managed through Active Directory (AD), achieving Zero Trust means mapping all the applications, users and roles in your environment. This is no small task.
“It’s not just an IT problem,” says Wilson. Leaders and stakeholders across the entire organization should participate in the conversation about who needs access and how they are using resources. “By collaborating with IT, the business can guard against errors and mitigate risk.”
Adopt a multi-layered and holistic approach to IT security
There’s no question that improving your organization’s ability to manage user privileges will better your overall security posture. And applying many of the core tenets of the Zero Trust philosophy—such as monitoring network traffic rather than assuming certain data packets to be “trustworthy”—can enable you to detect malicious activities earlier in the kill chain, reducing your risk of a data breach.
Still, Zero Trust is best understood as one aspect of a comprehensive and multi-faceted cybersecurity strategy rather than a panacea that will solve all problems or remove all risks. “We advocate that companies apply all software patches, harden their systems, develop robust incident response processes, and implement active security monitoring programs,” says Wilson. “We also stress employee education and security awareness training. Zero Trust is valuable, but it should be seen as part of a bigger picture.”
Adopting the Zero Trust approach can enable business and IT leaders to better understand how employees use technology to get their jobs done, so that their productivity can be supported at the same time that risks are reduced.
Contact us to learn more about how our clients rely on BTB Security’s Compliance, Governance and Risk Management advisory services to help them achieve this aim.