How to get to zero trust security

The idea of Zero Trust security was first introduced by Forrester in 2010. But it’s still not as widely adopted as those in the security industry might hope. That may be changing though. With the threat from cyber criminals rising every year along with the cost of breaches to businesses, more and more organizations are seeking to implement a Zero Trust model. Here’s the core information you need to implement it in your business.

The four principles

Zero Trust involves a mind-shift more than any one technology. Once you make that mind shift, you can evaluate technical solutions for implementing Zero Trust. Here are the four principles that your company—and especially your IT organization—need to adopt:

Threats come from inside as well as outside

This is probably the biggest shift in thinking. Traditionally, IT has been focused on the perimeter of the organization, seeking to prevent entry. The idea is that those inside the organization are generally safe. So less effort is placed on verifying or detecting issues within the firewall. This is sometimes called the castle-and-moat approach to security.

It’s time to change that mindset. In a Zero Trust environment, you assume that threats can come from inside as well outside. It may be because criminals have already infiltrated your organization. Or that you have a bad actor. Either way, it’s just as important to focus on what’s happening inside the organization and protecting from inside attack as outside attack.

Use micro-segmentation

Which leads to principle number two: use micro-segmentation. With this approach, even inside the firewall areas of the organization are walled off or segmented from others. For example, the marketing department gets access to the tools and data they use: customer information, apps like Salesforce, etc. But they don’t have access to financial data or tools used by accounting, nor the product IP and software that development works with.

Least privileged access

Tied to micro-segmentation is the idea of least privileged access. That means limiting users, even within a department, to the minimum information and access they need. Just because someone works in finance doesn’t mean they need access to all the customer and company financial data. Depending upon the user’s role, he or she may only need access to a select set of customers’ data—or no access to customer financials at all.

By restricting access to just what’s needed, you help ensure that even if a hacker manages to impersonate a user’s identity, he or she can only do a limited amount of damage.

Never trust, always verify

To enforce all of this, an organization must flip the model and use what’s called a Zero Trust approach. You never trust that a user is who they say they are. Instead, you always verify the user’s identity and level of access. Never trust, always verify increases the chances of stopping a criminal or program that has infiltrated your organization before it can gain access to sensitive information or do damage.

Tools for Zero Trust security

If you’re looking at the four Zero Trust principles with a critical eye, you may see some challenges in the actual implementation. For example, while security requires a never trust/ always verify approach, the trick is to keep verification relatively painless for users. Going back to our castle analogy, having gates everywhere that require unlocking with a key can really impact people’s day to day productivity.

Similarly, we all know that roles are not entirely clean and some users will need access to applications or data that aren’t assigned to them by default based on their role. That means you need a fast way to provision and de-provision users for apps on an as-needed basis.

With that said, here are four tools central to Zero Trust security:

• SSO—Single Sign-On (SSO) provides the ability for users to sign in once with their credentials, including a single password, and have access to all of their web apps. With the right tools, SSO can also provide single sign-on access to on-prem legacy apps. SSO increases security by getting rid of passwords while also increasing usability and employee satisfaction.
• MFA—Multi-factor Authentication (MFA) is a critical identity and access management (IAM) tool that every organization should be using. MFA requires additional factors when users try to login. For example, they may be required to enter a PIN or authenticate from a mobile app in addition to entering their username and password.
  The fact is, passwords alone aren’t secure enough. You need MFA. But MFA should be combined with SSO. Otherwise, you’re adding more steps for users to login while still also requiring them to login many times per day.
• Fast provisioning systems—When you move to Zero Trust, you’re going to need a system that lets you quickly provision and de-provision users for applications. Since you’re going to least privileged access, expect to have to make exceptions regularly. So, if your current system of provisioning is time-consuming, things are only going to get worse when you move to Zero Trust.
• Device protection—The device the user is logging in from is the first line of defense and the focal point of attack: the endpoint. So, look for tools that protect and monitor devices so that you can offset the danger at the source.

That’s it. Those are the four principles and four tools to consider first when moving to Zero Trust.