What is zero trust?

How a zero trust security strategy better protects your business from internal and external attackers

As businesses shift to the cloud and attacks become more sophisticated, traditional security perimeters tied to the corporate network are no longer adequate to protect valuable resources in the modern IT environment. Employees still need to be able to access corporate data and applications, no matter where they’re stored or where employees are located, but businesses also have to be able to implement and monitor protections at a distance. Zero trust is a security concept many businesses are turning to in order to solve this dilemma. 

Zero trust is based on the idea that no user or device, whether inside or outside a network, can be trusted. It’s a preventative technique effective for controlling access to networks, applications, and data. 

The term was coined in 2010 by Forrester Research and started gaining traction in 2014 when Google announced its implementation of a zero trust strategy, BeyondCorp, after falling victim to the Operation Aurora attack in 2009.

By 2023, Gartner predicts that 60% of enterprises will phase out most of their remote access VPNs in favour of zero trust network access.

How does a zero trust model differ from regular methods? 

Traditional methods of security work on the assumption that everything within the organisation’s network can be trusted and that all users will act responsibly. This ‘castle-and-moat’ strategy leaves the organisation open to internal threats, but it also gives external attackers unlimited access once they break through that initial barrier. 

On the other hand, zero trust requires users both inside and outside the network to be continuously authenticated to access applications and data. Since the point of infiltration is usually not an attacker’s target but just a way in, zero trust uses micro-segmentation, multi-factor authentication, and other barriers to limit the access attackers have once they have entered the network. 

What strategies does a zero trust network model use? 

A zero trust policy is not one technology, but a holistic approach that can be built into the existing architecture and should be used across an entire organisation. It uses multiple methodologies to uphold the idea of ‘never trust, always verify’. Here are some tactics organisations can use to limit the access that users and endpoints have within their networks: 

  • Least-privilege access: This involves assessing the needs of each user and giving them the lowest level of access possible, so that resources are only available to those who absolutely need them rather than open to anyone on the network.
  • Identity and access management (IAM): IAM automates the processes of authenticating users and managing the appropriate levels of access for each user. IAM systems will provision users with access based on their role and de-provision employees that leave the company. 
  • Multi-factor authentication (MFA): This is a core component of an IAM policy that requires the user to supply two or more verification factors, often through one-time passwords (OTPs) sent through SMS, email, or an app. 
  • Endpoint security technology: The desktops, laptops, tablets, and mobile phones that any employee might use to access corporate resources add to the points of access for an attack and have to be properly secured. As more employees connect through their own devices or Wi-Fi connections, this is especially important.
  • Micro-segmentation: This method divides workloads into separate zones and secures them individually, creating more barriers that attackers would have to bypass. 

How do you enact a successful zero trust framework? 

The tactics listed above will only work, however, if you can continuously monitor and validate a user and their device. Zero-trust enforcement relies on real-time visibility of a user’s identity, endpoint type, login details, and other attributes, and without this visibility, you won’t be able to clearly define policy. 


You’ll need to identify the most sensitive data, assets, applications, and services (DAAS) and separate this from the rest of the network. Then you’ll want to map out the traffic surrounding this data—how it’s being accessed, where it’s going, and what it’s being used for. Knowing the intent of your organisation’s data is crucial to protecting it, and automated discovery tools can help with understanding this and deciding which data flows are absolutely essential. 

Once you know what flows will be allowed and which won’t, you can architect the network to place boundaries between the different flows, creating micro-segments that will require authentication and validation to pass through and will help contain breaches. 

Here monitoring comes in again, but at this stage it is about enforcing policy rather than defining it. You still need real-time visibility once you’ve implemented a zero trust architecture; now that visibility is used to ensure continuous compliance.

Automation will be a crucial component of your policy engine to quickly make changes when necessary. The automated system can judge policy change requests that are within defined legitimate parameters and pass along those outside the parameters to actual human eyes, reducing the time you have to devote to maintaining your new zero trust model. 
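The tactics listed earlier (least privilege, MFA, endpoint posture, micro-segmentation) and the enactment steps above (classify DAAS, map allowed flows, enforce at segment boundaries, automate policy-change triage) come together in a policy decision point. The following is an added illustration, not code from the original article or from any named vendor; the inventory, roles, segments and flow table are constructed sample data, and a real deployment would source these from its IAM, endpoint management and discovery tooling.

```python
from dataclasses import dataclass

# Constructed sample inventory: each DAAS item lives in one micro-segment
SEGMENT_OF = {"payroll-db": "finance-seg", "hr-records": "hr-seg", "wiki": "general-seg"}

# Least privilege: a role is granted only what it needs; anything unlisted is denied
ROLE_GRANTS = {
    "finance-analyst": {"payroll-db", "wiki"},
    "hr-admin": {"hr-records", "wiki"},
    "marketing": {"wiki"},
}

# Flows allowed between segments, as recorded when the traffic was mapped (constructed)
ALLOWED_FLOWS = {
    ("finance-apps", "finance-seg"), ("finance-apps", "general-seg"),
    ("hr-apps", "hr-seg"), ("hr-apps", "general-seg"),
    ("corp-wifi", "general-seg"),
}


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool    # second factor presented for this session
    device_managed: bool  # endpoint enrolled in management
    device_patched: bool  # endpoint posture check passed
    src_segment: str      # segment the request originates from
    resource: str         # DAAS item requested


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Decide one request; every check must pass, and the first failure is reported."""
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        return False, "role not granted this resource"
    if not req.mfa_verified:
        return False, "MFA not satisfied"
    if not (req.device_managed and req.device_patched):
        return False, "endpoint posture failed"
    if (req.src_segment, SEGMENT_OF[req.resource]) not in ALLOWED_FLOWS:
        return False, "flow between segments not permitted"
    return True, "allow"


def triage_policy_change(resource: str) -> str:
    """Automated policy engine: approve changes within parameters, escalate the rest to a human."""
    if resource not in SEGMENT_OF:
        return "reject"
    return "auto-approve" if SEGMENT_OF[resource] == "general-seg" else "escalate"
```

Because `evaluate` is cheap and stateless, it can be re-run on every request rather than once at login, which is what the continuous validation described above requires in practice.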

Challenges of zero trust

If the previous section hasn’t already made it clear, a zero trust policy, while extremely beneficial, is also a lot of work. 

Firstly, it takes a lot of time and effort to get started. Zero trust isn’t a single switch you can flick on: you’ll have to configure all of your current tools, and if your legacy systems have no means of restricting access, you’ll have to build a new network from scratch. Although that takes longer, switching to a zero trust framework once it has been built from scratch may be easier than trying to keep your current processes functioning while you tweak them to fit the framework. 

Once you’ve got your policy in place, it will also require more user management, from employees to customers to clients and vendors, all with varied levels of access that require different policies. To spread the load, some administrators may hand over decisions about policy to each department so they can maintain it themselves, but this can also create issues, with some teams creating policies that are too broad and leave room for attacks.

With rapid growth in the number of devices each user has, the number of applications across a business, and the different ways to store and access data, such as the cloud, there are many factors that must be juggled when building a zero trust framework. 
