The idea of Zero Trust security was first introduced by Forrester in 2010. But it’s still not as widely adopted as those in the security industry might hope. That may be changing though. With the threat from cyber criminals rising every year along with the cost of breaches to businesses, more and more organizations are seeking to implement a Zero Trust model. Here’s the core information you need to implement it in your business.
Zero Trust involves a mind-shift more than any one technology. Once you make that mind shift, you can evaluate technical solutions for implementing Zero Trust. Here are the four principles that your company—and especially your IT organization—need to adopt:
The first principle is to stop trusting the inside of the network. This is probably the biggest shift in thinking. Traditionally, IT has focused on the perimeter of the organization, seeking to prevent entry. The idea is that those already inside are generally safe, so less effort goes into verifying identities or detecting problems behind the firewall. This is sometimes called the castle-and-moat approach to security.
It's time to change that mindset. In a Zero Trust environment, you assume that threats can come from inside as well as outside. Criminals may already have infiltrated your organization with stolen credentials or malware, or an insider may be acting maliciously. Either way, protecting against an attack that originates inside the organization is just as important as protecting against one from outside.
Which leads to principle number two: use micro-segmentation. With this approach, even inside the firewall, areas of the organization are walled off from one another so that a compromise of one segment does not give access to the rest. For example, the marketing department gets access to the tools and data it uses: customer contact information, apps like Salesforce, and so on. But it has no route to the financial data or tools used by accounting, nor to the product IP and source code that development works with.
Tied to micro-segmentation is the third principle, least-privilege access. That means limiting users, even within a department, to the minimum information and access they need for their role. Just because someone works in finance doesn't mean they need access to all customer and company financial data. Depending on the role, a user may only need access to a select set of customers' data, or no access to customer financials at all.
By restricting access to just what's needed, you limit the blast radius: even if an attacker steals a user's credentials or otherwise impersonates that user, the damage they can do is bounded by that user's access.
The fourth principle is the one that gives the model its name: never trust, always verify. You never assume that a user is who they say they are because they logged in earlier or because the request comes from the corporate network. Instead, you verify the user's identity and their level of access on every request for a resource. Verifying every time raises the odds of stopping a criminal or malicious program that has already infiltrated your organization before it can reach sensitive information or do damage.
If you look at the four Zero Trust principles with a critical eye, you may see some challenges in the actual implementation. For example, while security requires a never trust, always verify approach, the trick is to keep verification relatively painless for users. Going back to our castle analogy, having gates everywhere that each require unlocking with a key can really hurt people's day-to-day productivity.
Similarly, we all know that roles are not entirely clean and some users will need access to applications or data that aren’t assigned to them by default based on their role. That means you need a fast way to provision and de-provision users for apps on an as-needed basis.
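As an added illustration, not code from the original article, here is a small deny-by-default access decision function that encodes the four principles (segmented resources, role-scoped least privilege, and identity and device verification on every request) together with the time-limited as-needed access just described. The segments, resources, roles, customer accounts, users and requests are all made up for the example; a real deployment would pull them from an identity provider and policy store.

```python
"""Added example (not from the original article): a deny-by-default access
decision function applying the Zero Trust principles above.  All segments,
roles, users and customer names below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Micro-segmentation: every resource lives in exactly one segment.
RESOURCE_SEGMENT: Dict[str, str] = {
    "salesforce": "marketing",
    "customer_contacts": "marketing",
    "general_ledger": "finance",
    "customer_invoices": "finance",
    "source_repo": "engineering",
}


@dataclass(frozen=True)
class Grant:
    """A permission on one resource, optionally narrowed to a scope (here a
    set of customer accounts).  scope=None means the whole resource."""
    resource: str
    actions: FrozenSet[str]
    scope: Optional[FrozenSet[str]] = None


# Least privilege: roles grant only the actions they need on only the
# resources they need.  The AP clerk sees two customers' invoices, not all.
ROLE_GRANTS: Dict[str, Tuple[Grant, ...]] = {
    "marketing_analyst": (
        Grant("salesforce", frozenset({"read", "write"})),
        Grant("customer_contacts", frozenset({"read"})),
    ),
    "ap_clerk": (
        Grant("customer_invoices", frozenset({"read", "write"}),
              scope=frozenset({"ACME", "Globex"})),
    ),
    "controller": (
        Grant("general_ledger", frozenset({"read", "write"})),
        Grant("customer_invoices", frozenset({"read"})),
    ),
}

# As-needed access: a per-user grant with an expiry.  Expiry is checked on
# every request, so de-provisioning needs no separate cleanup step.
TEMP_GRANTS: Dict[str, List[Tuple[Grant, int]]] = {}  # user -> [(grant, expires_at)]


def grant_temporary(user: str, grant: Grant, expires_at: int) -> None:
    TEMP_GRANTS.setdefault(user, []).append((grant, expires_at))


@dataclass
class Request:
    user: str
    roles: Tuple[str, ...]
    resource: str
    action: str
    customer: Optional[str] = None
    mfa_verified: bool = False    # verified for this request, not at login
    device_compliant: bool = False
    now: int = 0                  # Unix time of the request


@dataclass
class Decision:
    allowed: bool
    reason: str


def _matches(grant: Grant, req: Request) -> bool:
    if grant.resource != req.resource or req.action not in grant.actions:
        return False
    return grant.scope is None or req.customer in grant.scope


def decide(req: Request) -> Decision:
    """Never trust, always verify: identity and device first, then an explicit
    grant for this exact resource/action/scope.  Everything else is denied."""
    if not req.mfa_verified:
        return Decision(False, "identity not verified for this request")
    if not req.device_compliant:
        return Decision(False, "device not compliant")
    segment = RESOURCE_SEGMENT.get(req.resource)
    if segment is None:
        return Decision(False, f"unknown resource {req.resource!r}")
    for role in req.roles:
        for grant in ROLE_GRANTS.get(role, ()):
            if _matches(grant, req):
                return Decision(True, f"role {role} grants {req.action} on "
                                      f"{req.resource} ({segment} segment)")
    for grant, expires_at in TEMP_GRANTS.get(req.user, []):
        if req.now < expires_at and _matches(grant, req):
            return Decision(True, f"temporary grant valid until {expires_at}")
    return Decision(False, f"no grant for {req.action} on {req.resource} "
                           f"({segment} segment)")


def blast_radius(roles: Tuple[str, ...]) -> FrozenSet[Tuple[str, str]]:
    """Every (resource, action) a stolen credential with these roles could
    reach.  Least privilege is working when this set stays small."""
    return frozenset((g.resource, a)
                     for r in roles for g in ROLE_GRANTS.get(r, ())
                     for a in g.actions)
```

The shape that matters is the order of checks: verification of the caller and device happens before any lookup, the default outcome is a deny, and a segment, role or temporary grant can only add access, never widen it. `blast_radius` is the question to ask when reviewing a role: if a marketing analyst's credentials leak, the answer should be a handful of marketing resources and nothing in finance or engineering.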
With that said, here are four tools central to Zero Trust security:
That’s it. Those are the four principles and four tools to consider first when moving to Zero Trust.