Never Trust Anything Again - The Zero Trust World

Uploaded on 2022-05-19 in TECHNOLOGY--Resilience, FREE TO VIEW

It seems everyone is talking about Zero Trust in our data networks, but it is often a goal which cannot be reached, as it depends so much on business needs and user interactions. However, where possible, a Zero Trust strategy can help a business be more secure and avoid costly hacks.

It is a concept that is more relevant and important today than ever, particularly as companies around the world grapple with how to operate, and respond to, the remote working drive and cloud-based services which are taking over. 

Securing the traditional network perimeter (i.e. the moat and castle approach) is no longer sufficient. With the rise of applications being deployed in multi-clouds, and the growing mobile workforce, the network perimeter has all but disappeared.

Even One-Time-Password (OTP) technologies can no longer support diverse networks and connections. True Multi-Factor-Authentication (MFA) has come of age, as required flexibility of authentication is linked to the level of security needed. Hence, the greater the risk to data, the better form of authentication and trust application is needed. Likewise, for an environment which has many tens of thousands of customers, even the most basic of MFA solutions, such as SMS authentication, could be impractical and a barrier to business.

Zero Trust eliminates the idea of a trusted network inside a defined perimeter. Today, you must apply least-privilege user access and scrutinise it as much as possible.  Assume attackers are already hiding in the network and get more context and visibility from the control points.

To enable Zero Trust, organisations must abandon the ‘trust everything, but verify’ approach and adhere to these three principles:

1. Never trust
2. Always verify
3. Continuously monitor

No single vendor can provide a Zero Trust solution, it will require a blended approach to meet the company’s specific business needs. This is where the challenges lie. But what are they?

Zero trust is not a standard, or a specification that vendors can design products and services against. It is an approach to designing an architecture, which means it can be difficult to know what the right thing to do is.

Cost:   As with any infrastructure change, there are usually costs associated with a migration. Both direct and indirect. Direct costs are new products, devices, and services. Indirect costs are the training of support teams in order to learn new processes. 

Disruption:   Moving to a Zero Trust architecture can be a very disruptive exercise. It can take several years to migrate to a fully Zero Trust model, due to the extent of change needed across the enterprise. Defining an end state for a migration is difficult when the model you are aiming for may evolve during the rollout.

Not all products and services are suitable for Zero Trust: Many legacy or fixed process products and services do not fit well with its principles, due to the working practices that surround them. An example is Bring-Your-Own-Device (BYOD) architecture. In this case, it can be difficult to gain a high level of confidence in the status of the devices accessing your services and data, without intruding on the privacy of your user. Another example could be the size of a customer base. If it is too large or diverse it may prevent the identity of working practices needed to ensure a positive trust result.

The temptation for many business leaders is to delay a Zero Trust project because there is no immediate implication for not doing it today, or next quarter. But eventually, it will become a priority because of an attack, or key clients seeing the organisation as a weak link in their supply chain.

If a Zero Trust strategy has not been implemented, it may look like a massive project. Faced with the inevitable limited resources issue, many may struggle to develop a system that works for the individual business needs. Hence, the imperative to start planning now. Businesses should look at their current products for endpoint protection, user authentication and network monitoring and see how they can be manipulated to start the foundation of a Zero Trust policy. From here, any new security solution purchase can be reviewed in light of the Zero Trust plan, ensuring it fits.

Zero Trust provides higher security, from the endpoint through to the application, than traditional approaches. By constantly authenticating and authorising, it's possible to securely enable the mobile workforce, reduce data losses and improving productivity with streamlined access

Colin Tankard is Managing Director at Digital Pathways

You Might Also Read: 

The Frailty Of Email:

 

« A Short History Of Cyber Crime - Part 1- Its Motivations
Conti Attack US Precision Engineering Business »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Riverbed Technology

Riverbed Technology

The Riverbed Network and Application Performance Platform enables organizations to visualize, optimize, accelerate and remediate the performance of any network for any application.

Konfidas

Konfidas

Konfidas provide high-level cybersecurity consulting and professional tailored solutions to meet specific cybersecurity operational needs.

Netwrix

Netwrix

Netwrix empowers information security and governance professionals to identify and protect sensitive data to reduce the risk of a breach.

National Cyber Security Center (NCSC) - Hungary

National Cyber Security Center (NCSC) - Hungary

The National Cyber Security Center was established in 2015 by uniting the GovCERT-Hungary, National Electronic Information Security Authority (NEISA) and the Cyber Defence Management Authority (CDMA).

Scantist

Scantist

Scantist is a cyber-security spin-off from Nanyang Technological University (Singapore) which leverages its expertise to provide vulnerability management solutions to enterprise clients.

Ingenio Global

Ingenio Global

Ingenio is a specialist recruitment business for SaaS companies. Our purpose is to source exceptional talent in areas including cyber security for leading SaaS companies in the UK and Ireland.

PizzlySoft

PizzlySoft

PizzlySoft is a global company that is seeking convergence of network and security / software and hardware. We put our value on creating the best security.

Gijima

Gijima

Gijima is one of SA’s leading ICT companies in Cloud & Outsourcing, Systems integration, Human Capital Management & Training, Cybersecurity, and Unified Communications.

Persona

Persona

At Persona, we’re humanizing online identity by helping companies verify that their users are who they say they are.

Mosyle

Mosyle

Businesses and educational institutions rely on Mosyle to manage and secure their Apple devices and networks.

Rhodian Group

Rhodian Group

Rhodian Group (formerly Adar) specialize in providing Technology, Cybersecurity, and Compliance services to the insurance industry.

Sec3

Sec3

Sec3 is a security and research firm providing bespoke audits and cutting edge tools to Web3 projects.

Securin

Securin

Securin offers a comprehensive portfolio of solutions including Attack Surface Management, Vulnerability Intelligence, Penetration Testing, and Vulnerability Management.

Amtivo Group

Amtivo Group

Amtivo provides Certification, Inspection and Training services to national and local Government bodies, multi-nationals, enterprise clients and SMEs.

Blackwired

Blackwired

Blackwired has established a new category in cyber security with an intelligence-led model based on the USMC’s Combat Hunter programme ‘Left of Bang’.

AUCyber

AUCyber

AUCyber is a leading provider of managed cyber security solutions and consultancy services, specialising in supporting Australian organisations and Government agencies.