Never Trust Anything Again - The Zero Trust World

Uploaded on 2022-05-19 in TECHNOLOGY--Resilience, FREE TO VIEW

It seems everyone is talking about Zero Trust in our data networks, but it is often a goal which cannot be reached, as it depends so much on business needs and user interactions. However, where possible, a Zero Trust strategy can help a business be more secure and avoid costly hacks.

It is a concept that is more relevant and important today than ever, particularly as companies around the world grapple with how to operate, and respond to, the remote working drive and cloud-based services which are taking over. 

Securing the traditional network perimeter (i.e. the moat and castle approach) is no longer sufficient. With the rise of applications being deployed in multi-clouds, and the growing mobile workforce, the network perimeter has all but disappeared.

Even One-Time-Password (OTP) technologies can no longer support diverse networks and connections. True Multi-Factor-Authentication (MFA) has come of age, as required flexibility of authentication is linked to the level of security needed. Hence, the greater the risk to data, the better form of authentication and trust application is needed. Likewise, for an environment which has many tens of thousands of customers, even the most basic of MFA solutions, such as SMS authentication, could be impractical and a barrier to business.

Zero Trust eliminates the idea of a trusted network inside a defined perimeter. Today, you must apply least-privilege user access and scrutinise it as much as possible.  Assume attackers are already hiding in the network and get more context and visibility from the control points.

To enable Zero Trust, organisations must abandon the ‘trust everything, but verify’ approach and adhere to these three principles:

1. Never trust
2. Always verify
3. Continuously monitor

No single vendor can provide a Zero Trust solution, it will require a blended approach to meet the company’s specific business needs. This is where the challenges lie. But what are they?

Zero trust is not a standard, or a specification that vendors can design products and services against. It is an approach to designing an architecture, which means it can be difficult to know what the right thing to do is.

Cost:   As with any infrastructure change, there are usually costs associated with a migration. Both direct and indirect. Direct costs are new products, devices, and services. Indirect costs are the training of support teams in order to learn new processes. 

Disruption:   Moving to a Zero Trust architecture can be a very disruptive exercise. It can take several years to migrate to a fully Zero Trust model, due to the extent of change needed across the enterprise. Defining an end state for a migration is difficult when the model you are aiming for may evolve during the rollout.

Not all products and services are suitable for Zero Trust: Many legacy or fixed process products and services do not fit well with its principles, due to the working practices that surround them. An example is Bring-Your-Own-Device (BYOD) architecture. In this case, it can be difficult to gain a high level of confidence in the status of the devices accessing your services and data, without intruding on the privacy of your user. Another example could be the size of a customer base. If it is too large or diverse it may prevent the identity of working practices needed to ensure a positive trust result.

The temptation for many business leaders is to delay a Zero Trust project because there is no immediate implication for not doing it today, or next quarter. But eventually, it will become a priority because of an attack, or key clients seeing the organisation as a weak link in their supply chain.

If a Zero Trust strategy has not been implemented, it may look like a massive project. Faced with the inevitable limited resources issue, many may struggle to develop a system that works for the individual business needs. Hence, the imperative to start planning now. Businesses should look at their current products for endpoint protection, user authentication and network monitoring and see how they can be manipulated to start the foundation of a Zero Trust policy. From here, any new security solution purchase can be reviewed in light of the Zero Trust plan, ensuring it fits.

Zero Trust provides higher security, from the endpoint through to the application, than traditional approaches. By constantly authenticating and authorising, it's possible to securely enable the mobile workforce, reduce data losses and improving productivity with streamlined access

Colin Tankard is Managing Director at Digital Pathways

You Might Also Read: 

The Frailty Of Email:

 

« A Short History Of Cyber Crime - Part 1- Its Motivations
Conti Attack US Precision Engineering Business »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

InfoSec World

InfoSec World

InfoSec World conference and expo covers all aspects of information security with a broad agenda of sessions on key security issues.

LRQA Nettitude

LRQA Nettitude

LRQA Nettitude is an award-winning global provider of cybersecurity services, bringing innovative thought leadership to the ever-evolving cybersecurity marketplace.

Convercent

Convercent

We offer comprehensive and integrated compliance management, reporting, and analytics. A 360-degree view of compliance drives efficiency by aligning initiatives and data into a single dashboard.

Graphus

Graphus

Graphus provides a simple, powerful, automated solution that eliminates 99% of social engineering and spear phishing attacks against G Suite business Gmail users.

achelos

achelos

achelos is an independent software development company providing innovative technical solutions for micro-processor chips / security chips and embedded systems in security-critical application fields.

SecureMe2

SecureMe2

SecureMe2 ‘s mission is to make organizations more responsive to digital threats by deploying smart technology in a highly accessible way.

Council to Secure the Digital Economy (CSDE)

Council to Secure the Digital Economy (CSDE)

CSDE brings together companies from across the ICT sector to combat increasingly sophisticated and emerging cyber threats through collaborative actions.

German Israeli Partnership Accelerator (GIPA)

German Israeli Partnership Accelerator (GIPA)

GIPA is based on two pillars: it is an incubator aimed at young academics and a program to transfer cybersecurity expertise to corporate partners.

Trust Stamp

Trust Stamp

Trust Stamp provide Identity and Trust as a Service to answer two fundamental questions: “Who are you?” and “Do I trust you?"

Action1

Action1

Action1 is a Cloud-based lightweight endpoint security platform that discovers all of your endpoints in seconds and allows you to retrieve live security information from the entire network.

Clear Skye

Clear Skye

Clear Skye, an Identity Access and Management (IAM) software company, reimagines enterprise identity access and risk management software to make a complicated problem easier to manage.

Buchanan Technologies

Buchanan Technologies

Buchanan Technologies is a leading IT consulting and outsourcing services firm. Our methodology transforms everyday technology investments into streamlined, secure and scalable solutions.

Xobee Networks

Xobee Networks

Xobee Networks is a Managed Service Provider of innovative, cost-effective, and cutting-edge technology solutions in California.

Verinext

Verinext

Verinext delivers transformative business technology, from intelligently automating time-consuming tasks and protecting data assets to securing infrastructure and improving customer experiences.

LEPHISH

LEPHISH

LePhish is a French cybersecurity solution specializing in automated phishing campaigns.

Affinity Technology Partners

Affinity Technology Partners

Affinity Technology Partners has been fueling the growth of Nashville, Tennessee businesses and nonprofits with reliable IT services since 2002.