
Why zero trust should replace ‘trust but verify’ to make your business more secure

Businesses need to understand that trust is dangerous and apply a zero trust approach to every aspect of their IT

Sascha Giese, Head Geek, SolarWinds

They say trust takes years to build but seconds to break. But if you want to secure your business, maybe you shouldn’t be building it at all.

The concept of zero trust security isn’t a new phenomenon. Since John Kindervag of Forrester Research created the model a decade ago, it’s gained popularity in IT security circles and has become something of an industry buzzword. It’s even been adopted by organisations such as Google and Gartner, forming the basis of their BeyondCorp and LeanTrust models, respectively.

But zero trust isn’t just for global corporations, and in this age of increasing cyber-attacks, businesses can’t afford to just be paying lip service. If organisations of every size want to properly secure themselves and protect their data, they need to change their security mindsets and shift to a zero trust approach.

Moving on from ‘trust but verify’

Before zero trust, we had ‘trust but verify.’

This traditional model of IT security makes a distinction between trusted, ‘safe’ internal traffic and ‘dangerous’ external traffic. Its focus is on the strength of its perimeter firewalls and keeping a network free of unauthorised, untrusted external traffic. Its attention is trained on client-server traffic (also known as north-south traffic), and it operates on the assumption the activity within a network is safe because the firewall will have blocked any malicious actors coming from outside.

The problem with this thinking is it’s no longer true (if it ever was). Application-application traffic (otherwise known as east-west traffic) also poses a significant threat—but under the ‘trust but verify’ model, malicious activity in this direction is likely to go undetected for a while. This is because application-application traffic doesn’t leave the data centre, so it’s unlikely to encounter a perimeter firewall that will halt its progress or sound the alarm.

This gap in protection was always a weakness of the traditional security model, but it’s become an increasing issue. The rise of remote working has introduced a host of new devices onto organisations’ networks—which have been vastly expanded—and subsequently introduced new points of vulnerability.

This has been compounded by the rise of cloud technology and the increasing popularity of public and hybrid clouds. Perimeter firewalls can’t work in this context, which means businesses using these environments now have a break in their defences. And because public and hybrid clouds introduce new traffic patterns and shared infrastructure, they blur the line between ‘safe’ internal traffic and ‘unsafe’ external traffic, creating security chaos. It’s clear a new approach is needed.

The zero trust philosophy

This new approach is zero trust. In contrast to ‘trust but verify,’ it assumes, by default, all network activity is suspicious. Internal requests don’t get preference over external requests, and nothing is trusted or privileged. Security features supporting this layered approach include multi-factor authentication, least-privilege authentication, and strict access right controls.

Though it’s true many organisations already use a few of these security tactics, the mindset is critical. To properly secure themselves, businesses need to understand that trust is dangerous and apply a zero trust approach to every aspect of their IT.

Adopting the zero trust model

There are many ways to adopt a zero trust approach, but here are a few businesses should consider.

First, least privilege permissions should be applied, meaning users only get access to the minimum number of accounts and tools they need to get their job done. This reduces network traffic to accounts and helps contain damage if an attack occurs. Of course, multi-factor authentication is still critical: this year’s Colonial Pipeline attack was carried out through the breach of a legacy VPN protection that only required single-factor authentication. Part and parcel with this is the ability to quickly and accurately audit accounts and their permissions and flag both changes and variances from established standards. As with all other problems in IT, you can’t fix what you can’t see.
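The permission audit described above, as an added illustration rather than SolarWinds code: it compares an account snapshot against a role baseline and the previous snapshot, flagging excess permissions, accounts without multi-factor authentication, and changes since the last audit. The baseline, account names and snapshots are constructed sample data.

```python
"""Least-privilege audit: flag accounts whose permissions exceed their role's
baseline, accounts without MFA, and changes since the previous snapshot.
Added example with constructed data; not code from the article or SolarWinds."""

# Constructed baseline: the permissions each role is allowed to hold.
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "finance": {"ledger:read", "ledger:write"},
    "helpdesk": {"user:reset-password", "ticket:write"},
}

# Constructed snapshots, shaped like an IAM export: role, MFA state, permissions.
PREVIOUS = {
    "alice": {"role": "developer", "mfa": True, "perms": {"repo:read", "repo:write", "ci:run"}},
    "bob": {"role": "finance", "mfa": True, "perms": {"ledger:read"}},
    "svc-legacy-vpn": {"role": "helpdesk", "mfa": False, "perms": {"user:reset-password"}},
}
CURRENT = {
    "alice": {"role": "developer", "mfa": True, "perms": {"repo:read", "repo:write", "ci:run", "ledger:write"}},
    "bob": {"role": "finance", "mfa": True, "perms": {"ledger:read"}},
    "svc-legacy-vpn": {"role": "helpdesk", "mfa": False, "perms": {"user:reset-password"}},
    "carol": {"role": "helpdesk", "mfa": True, "perms": {"ticket:write"}},
}

def audit(current, previous, baseline):
    """Return (account, finding) tuples for every variance from the standard:
    permissions beyond the role baseline, MFA not enforced, and changes since
    the previous snapshot (new accounts, removed accounts, edited permissions)."""
    findings = []
    for name, acct in current.items():
        allowed = baseline.get(acct["role"], set())   # unknown role => nothing allowed
        excess = acct["perms"] - allowed
        if excess:
            findings.append((name, f"excess permissions: {sorted(excess)}"))
        if not acct["mfa"]:
            findings.append((name, "mfa not enforced"))
        if name not in previous:
            findings.append((name, "new account since last snapshot"))
        elif acct["perms"] != previous[name]["perms"]:
            added = sorted(acct["perms"] - previous[name]["perms"])
            removed = sorted(previous[name]["perms"] - acct["perms"])
            findings.append((name, f"permissions changed: +{added} -{removed}"))
    for name in previous.keys() - current.keys():
        findings.append((name, "account removed since last snapshot"))
    return findings

if __name__ == "__main__":
    for account, finding in audit(CURRENT, PREVIOUS, ROLE_BASELINE):
        print(f"{account}: {finding}")
```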

Businesses should also consider micro-segmentation, a form of access control where businesses can separate groups of applications and workloads. This again helps minimise damage in the event of a breach and can crucially be applied to east-west traffic. Additionally, if a business works in public or hybrid cloud environments, it should think about a software-defined perimeter. This is a form of micro-segmentation designed for cloud environments, and it involves obscuring assets or endpoints in a ‘black cloud’ so they’re invisible to everyone except the users who need them and have been granted access.

Finally, continuous and intelligent monitoring of network traffic is a key component of zero trust security. Intelligent analytics and insights software helps IT teams vigilantly track network activity and quickly identify suspicious behaviour. This means organisations can spot the anomalous activity of cybercriminals who circumvent the firewall before they wreak havoc.
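The two preceding points, micro-segmentation of east-west traffic and monitoring for flows that break it, as one added example (not code from the article or SolarWinds): a default-deny segment policy is evaluated over flow-log lines so that any application-to-application flow not explicitly permitted is surfaced for alerting. The segments, the allowed flows and the log lines are constructed sample data.

```python
"""Default-deny micro-segmentation check over east-west flow logs.
Added example with constructed data; not code from the article or SolarWinds."""
import ipaddress

# Constructed workload segments and the only east-west flows permitted
# between them (source segment, destination segment, destination port).
# Anything not listed, including traffic inside a segment, is denied.
SEGMENTS = {
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
}
ALLOWED = {
    ("web", "app", 8443),
    ("app", "db", 5432),
}

# Constructed flow log, one "src dst dport bytes" record per line.
FLOW_LOG = """\
10.1.0.12 10.2.0.5 8443 2048
10.2.0.5 10.3.0.9 5432 512
10.1.0.12 10.3.0.9 5432 300
10.2.0.7 10.2.0.5 22 96
10.1.0.44 10.3.0.9 3389 4096
"""

def segment_of(ip):
    """Map an address to its segment name, or None if it belongs to no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def check_flows(log):
    """Return (record, reason) for every flow the policy does not permit.
    Such flows never cross a perimeter firewall, so this check is what
    makes them visible to a monitor."""
    violations = []
    for line in log.splitlines():
        src, dst, dport, _bytes = line.split()
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            violations.append((line, "address outside any known segment"))
        elif (s, d, int(dport)) not in ALLOWED:
            violations.append((line, f"{s}->{d}:{dport} not permitted"))
    return violations

if __name__ == "__main__":
    for record, reason in check_flows(FLOW_LOG):
        print(f"ALERT {reason}: {record}")
```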

Zero trust security may seem like a hard line to take, but it’s crucial if businesses want to properly protect themselves. With new technologies offering malicious actors new lines of attack, remote working increasing the security challenge, and a rise in breaches and online criminal activity, ‘trust but verify’ won’t cut it anymore. For organisations, trusting no one is the only way to protect everyone.