You remember the old idea of building a ‘Castle and Moat’ around your business? You’d build a strong outer wall (your firewall) and trust everyone who is allowed into the castle. Then you’d hope nothing bad happens.
While that model may have worked in the past, we can all agree that it no longer works!
In this new age of remote workers, data being stored in the cloud, and threats entering from ‘inside’ your network, your ‘moat’ is useless. The reality is that many times the worst breaches and data losses happen because of a stolen credential credential belonging to a person/employee who was already considered ‘trusted.’
The Zero Trust model of security isn’t just a buzzword it represents a paradigm shift in the way we think about security. At its core, the Zero Trust model is based on one simple rule:
Never Trust = Always Verify
It is important to understand that Zero Trust isn’t a single product or application you can install on your server on Tuesday afternoon. Zero Trust is a security framework a collection of guiding principles for building an entire digital environment.
When thinking of a Zero Trust approach, simply getting past the front gate of a high-security Government Building does not enable you to open all the doors. You will have to pass through several more doors, and each time you enter a new room, your identification will be checked to confirm your right of access to that room, and your ingress will be recorded, and your access will be recorded, just as it will be recorded for all other employees who enter that building.
For example, each access request, whether it comes from an office employee or a CEO working from home, will be treated as a possible threat until proven otherwise.
How do you follow the “never trust, always verify” rule? In Zero Trust, the answer depends on a few basic principles:
Assume that your Network is Compromised. With this assumption, your focus shifts to containing the possible damage from a compromise of your network versus simply trying to prevent an attack from outside your network. Your goal is to minimize the amount of damage a threat can cause before it is addressed.
Do Not Give Free Passes. All access requests must have verified and approved access rights and must be to the level of encryption needed at that time. A multi-factor authentication (MFA) process is not a "nice-to-have" requirement in Zero Trust; it is an absolute requirement.
Stop granting users access to everything "just in case." Grant users only the minimum access required to perform their job duties and keep their access for only as long as necessary. An example of this is an accountant does not require access to the source code server.
Users should not have the ability to move around uncontrolled within your network if they gain access to a segment on your network. Create logical walls within your network to help with that. For example, if your marketing server is breached by a hacker, the hacker should reach a dead end when they attempt to reach the server that contains your financial data.
You may be saying to yourself, "Will these things slow me down and frustrate me?", but if implemented correctly, all of these things become invisible to your legitimate users.
A phishing email may steal a password to access an account or service, but that stolen password isn’t the only thing being leveraged. That password alone doesn’t provide access to the account or service; a second factor of authentication must also be provided with the latter being the user’s device. Similarly, a ransomware infection in one department might be contained (limited from spreading) to that department, whereas it could have spread throughout the entire organization if it was coming from the Internet (not contained).
Zero Trust is not an all-or-nothing switch that was turned on overnight. There is no way to say that you are now fully “Zero Trust” after tearing your previous systems down; it is a strategic journey.
A company’s most important assets (i.e., data) should be prioritized first. You need to build the Zero Trust walls around this data, and then layer on technologies to support these policies, but the biggest step in starting to build a Zero Trust environment is changing your mindset.
The way we conduct business has changed significantly. Most companies have a perimeter allowing employees access to the corporate network; however, in today’s world, that same corporate network is now the place where employees do their work from home. This has made organizations vulnerable to security risks from employees working from multiple locations. If an organization continues to operate on the basis of blind trust, it has put itself at the highest risk possible.
In an increasingly borderless business landscape where data and services are globally available, a Zero Trust model is the logical response to keep your business' confidential information & services protected from unauthorized access. In addition to providing protection from unauthorized access to your network, a Zero Trust environment also helps organizations comply with current regulatory requirements and develop stable systems as stated in the ‘Zero Trust Model’ published by the National Institute of Standards and Technology (NIST).
For a business that wishes to implement a Zero Trust model, this type of environment is not about restricting access; rather it is intended to prevent or make it impossible for an attacker to gain access to your organizational resources.
Want to learn how to verify rather than trust?
Contact us at Ancrew Global to learn what we can do to help organizations develop practical approaches to a phased implementation of the Zero Trust model so that you can significantly improve the security of your organization.