What is zero trust?
Three years ago, the UK's National Cyber Security Centre recommended that a zero trust approach be adopted in new IT deployments, especially those with connections to the cloud. And in January of this year, the White House gave the heads of all executive agencies and departments a two-month deadline to produce a plan for implementing zero trust architecture on their networks to help prevent cyberattacks.
Where governments lead, businesses often follow.
In this article, PGI’s CTO Keith Buzzard explains what zero trust is, how it works, and how to implement it in your company.
What is the zero trust security model?
Historically, governments and companies have adopted a 'trust but verify' approach to network and data access (sometimes called the 'corporate perimeter' approach). Essentially, once you have logged into a computer on the corporate network, that single check is taken as sufficient verification for you to use the apps and access the data for which you have clearance.
The zero trust approach is 'never trust, always verify' (or perimeterless security). Even on the corporate network, users are not granted access to data, or to functions within apps and programs, until they prove they have clearance for that specific resource, and that proof is checked on each access rather than once at login. In many cases, clearance is only granted from a device whose identity is recorded in an asset register.
The rise of mobile and home working, accelerated by the response to the COVID-19 pandemic, has driven the uptake of zero trust architectures within companies and businesses.
Given the weaknesses of Wi-Fi (not to mention how easily a network can be spoofed with a rogue access point in a public space), the poor quality of many user-chosen passwords, and the vulnerability of many IoT devices, many CTOs and CISOs now believe that the old 'trust but verify' approach is too risky.
What are the three stages of the zero trust security model?
The three stages of the zero trust security model are:
- Continuous verification: every request for a resource or data is verified, every time, rather than once at login.
- Minimise the blast radius: segment systems and resources into the smallest practical units so that a breach of one part exposes as little as possible.
- Monitor users and their activity to detect breaches, find further weaknesses before they are exploited, and tune the controls so the system stays usable for staff, contractors, and customers.
What are zero trust principles?
The three interlocking principles behind the zero trust approach are based upon:
User identity (with groups)
Groups, and thereby users, range from those with the least access to those with the most, depending on what they need to do their work. Each user must authenticate their identity whenever they access a part of the system they have permission for.
The second principle concerns what a user may do inside an application: only the functions an individual user actually needs within an app or program should be reachable, and only from a permitted list of connections.
The third principle is device identity. Authenticating a user or service may also depend on the identity of the device they connect from. Organisations should maintain an up-to-date asset register listing every device permitted on the network, along with the types of data and the app or program functions that anyone using that device may access.
For BYOD devices, each permitted device should be assigned its own identity and its activity monitored.
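To make the three stages and the three principles above concrete, here is an added example of a minimal policy decision point, written for this article rather than taken from PGI or any product. It evaluates each request on its own merits: a fresh proof of user identity bound to the exact request (continuous verification), a device check against an asset register with tighter limits for unmanaged BYOD devices, a per-group allowlist of app functions (least privilege), and an audit trail of every decision for monitoring. All users, devices, groups, secrets and app names are constructed for illustration; a real deployment would obtain the identity proof from an identity provider's short-lived token rather than the hand-rolled HMAC used here.

```python
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass

# ---- Constructed sample data for a hypothetical organisation ---------------
# Least privilege: each group gets only the app functions its work requires.
GROUP_PERMISSIONS = {
    "finance": {"ledger": {"view", "export"}},
    "hr": {"hr-portal": {"view", "edit"}},
}
USER_GROUPS = {"alice": {"finance"}, "bob": {"hr"}, "carol": {"finance", "hr"}}

# Asset register: every device permitted on the network and its owner. An
# unmanaged (BYOD) device also carries the subset of apps it may reach.
ASSET_REGISTER = {
    "LAPTOP-0042": {"owner": "alice", "managed": True},
    "BYOD-7b3f": {"owner": "bob", "managed": False, "apps": {"hr-portal"}},
}

# Per-user signing secrets, standing in for an identity provider (hypothetical).
USER_SECRETS = {"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"}
PROOF_MAX_AGE = 300  # seconds a proof of identity stays valid


@dataclass
class Request:
    user: str
    device: str
    app: str
    function: str
    issued_at: int
    proof: str  # HMAC over (user, device, app, function, issued_at)


@dataclass
class Decision:
    allowed: bool
    reason: str


def make_proof(user, device, app, function, issued_at, secret=None):
    """Client side: bind a fresh proof of identity to this exact request."""
    secret = secret or USER_SECRETS[user]
    msg = f"{user}|{device}|{app}|{function}|{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def evaluate(req: Request, now: int, audit: list) -> Decision:
    """Policy decision point: decide one request and record the outcome."""
    decision = _decide(req, now)
    audit.append((now, req.user, req.device, req.app, req.function,
                  decision.allowed, decision.reason))
    return decision


def _decide(req: Request, now: int) -> Decision:
    # 1. Continuous verification: the proof must match this request and be fresh.
    secret = USER_SECRETS.get(req.user)
    if secret is None:
        return Decision(False, "unknown user")
    expected = make_proof(req.user, req.device, req.app, req.function,
                          req.issued_at, secret)
    if not hmac.compare_digest(expected, req.proof):
        return Decision(False, "invalid proof")
    if not 0 <= now - req.issued_at <= PROOF_MAX_AGE:
        return Decision(False, "stale proof")
    # 2. Device identity: only registered devices, used by their registered owner.
    dev = ASSET_REGISTER.get(req.device)
    if dev is None or dev["owner"] != req.user:
        return Decision(False, "device not registered to user")
    if not dev["managed"] and req.app not in dev.get("apps", set()):
        return Decision(False, "app not permitted from BYOD device")
    # 3. Least privilege: the function must be granted by one of the user's groups.
    allowed = set()
    for group in USER_GROUPS.get(req.user, set()):
        allowed |= GROUP_PERMISSIONS.get(group, {}).get(req.app, set())
    if req.function not in allowed:
        return Decision(False, "function not permitted for user's groups")
    return Decision(True, "ok")


def denials_by_user(audit: list) -> Counter:
    """Monitoring: count denied requests per user to surface probing or misuse."""
    return Counter(entry[1] for entry in audit if not entry[5])


if __name__ == "__main__":
    log, now = [], 1_700_000_000
    req = Request("alice", "LAPTOP-0042", "ledger", "export", now - 10,
                  make_proof("alice", "LAPTOP-0042", "ledger", "export", now - 10))
    print(evaluate(req, now, log))
```

Note that the proof is bound to the device, app and function as well as the user, so a captured proof cannot be reused against a different resource; it can, however, be replayed against the same one within `PROOF_MAX_AGE`, which is why production systems pair short lifetimes with nonces or per-request tokens from the identity provider.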
How to implement zero trust
To implement zero trust within your business, you’ll need to involve:
CTOs, CISOs, and DPOs
At the start of the process, and on an ongoing basis, CTOs, CISOs, and DPOs need to define the different user groups. A decision then needs to be made on which data and which functions within apps and programs the users in each group are allowed to access, with an emphasis on reduction (but not to the point where it becomes impossible, or nearly so, for them to do their jobs).
CTOs and IT managers
CTOs and IT managers will need to ensure that present and future hardware and software can cope with the additional authentication and authorisation demands placed on the system, often in partnership with the procurement team.
Whether staff, contractors, or customers, users must be told what actions they can carry out and data they can access and how to correctly authenticate access to the network and devices connected to it. If the changes you’re implementing also affect the use of customers’ online portals, for example, you might want to get your marcomms team involved.
HR and training will need to support staff and contractors on the new usage requirements of the system together with letting them know what data they’ll have access to and which program/app functions they’ll be able to use.
Procurement teams must also take zero trust into account, often necessitating some form of collaboration with IT managers, CTOs, and CISOs. Any new programs or apps purchased must be capable of complying with zero trust. You’ll also need to examine existing programs or apps to check for compatibility and make a decision on whether they need replacing or not.
Is zero trust the future of cyber security?
Zero trust is the past, present, and future of network and data security. We’ve actually been on this path for years and ‘trust but verify’ was one step on that journey.
We all rely on data and access to it more than ever to run businesses and manage our own lives. As that dependency increases, so will the measures we have to take to protect ourselves.
Think of it like fire.
As our understanding of the threat of fire within buildings has increased, so has our ability to prevent fires. As we gain this knowledge, new legislation is enacted to safeguard lives and property. Hence the incremental introduction over time of fire alarms, fire-resistant building materials, minimum numbers of escape routes, sprinkler systems, and so on.
Is zero trust truly possible?
Yes, but getting the balance right at the start may be challenging.
The greater the level of authentication needed, the higher the cost and the more complex it will be for members of staff, contractors, and clients to access data and program/app functionality.
In earlier times, any member of staff with access to a company intranet or computer system generally needed only a username and password to proceed, and could then work essentially unfettered.
A zero trust approach changes this because it requires a user's actions to be authenticated continually, even after they have logged in to the system. The question is how much authentication is necessary for your business, and for which apps, programs, and data.
Why do we need zero trust?
Zero trust limits the damage that a successful breach can cause.
With the 'trust but verify' model, a hacker who gets past a single defence has access to the apps and data on the network. The more senior the person whose account has been compromised, the greater the harm the company is exposed to.
A zero trust approach limits what a cybercriminal can access to a minimum.
It is analogous to a ship's hull being pierced at sea. The fewer compartments that flood, the less risk there is to passengers and crew and the greater the chance that the ship can continue sailing.
Towards digital resilience with PGI
The threat of data breaches from external and internal bad actors grows year on year, as do the financial and reputational losses they inflict on businesses.