Zero trust security is a cyber security model that requires strict identity verification for each
individual and device attempting to access resources on a company’s network, irrespective
of whether they are sitting inside or outside of the network perimeter. No one is trusted by
default.
Back in the day, security was modelled around the principle of trusting everyone and
everything that was inside the network. Traditional security was based on a ‘sentinel at
the gate’ approach, meaning it was hard to gain access from outside the network, but
everybody who was inside the network was trusted by default. However, with this
approach, should a bad actor get a foot in the door, they would be able to move laterally
and have access to everything inside.
This model was inherently vulnerable, and the problem is compounded by the fact that
organisations no longer have their data residing in one place, but rather spread across a
slew of systems and clouds, making it far more difficult to manage and secure with a
single security control.
Zero trust security principles
With zero trust, verification is required from everybody who is trying to gain access to
resources on the network, and the model has proved highly effective at preventing data breaches.
There are several principles behind zero trust. The first is continuous monitoring and
validation. Zero trust assumes that there are bad actors both outside and inside the
network, so no person or device should be automatically trusted. With zero trust, every
user’s identity and privileges, and every device’s identity and security posture, are verified,
and both connections and logins time out periodically, meaning users and devices must be
re-verified on a regular basis.
Another principle of zero trust security is enforcing the principle of least privilege access,
which means giving users the bare minimum access, and only to stuff they strictly need to
do their jobs effectively. This lessens every individual’s exposure to privileged or
confidential information.
Then there’s device access control, which monitors how many different devices are
attempting to access the network, assesses all devices to make sure they are not
compromised in any way, and ensures that each and every device is authorised. Once
again, this shrinks the possible attack surface.
Zero trust also makes use of microsegmentation, or the practice of dividing security
perimeters into smaller, separate ‘zones’ to ensure separate access for separate parts of
the network is maintained. In this way, separate authorisation is needed to access each
different zone, to bolster security, and limit any damage should one zone be breached.
Finally, zero trust relies on multi-factor authentication, meaning more than just one means
of authentication is needed to access the network. In this way, a password isn’t enough on
its own, nor is a biometric or a token. A combination of two or more of these is needed to
get in.
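The five principles above can be read as a single access decision that is re-evaluated on every request. The following Python policy evaluator is an added example written for this page, not code from the original article or from any particular zero trust product: the session timeout, the device health checks, the role-to-zone mapping and the requirement of two authentication factors are all constructed assumptions that a real deployment would replace with its own policy.

```python
"""Zero trust access decision, as an illustrative example (not vendor code).

Every request is checked for: session freshness (continuous verification),
multi-factor authentication, device posture (device access control), and
whether the caller's role is authorised for the requested zone
(least privilege + microsegmentation). Any failed check denies access.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple
import time

# Assumed re-verification interval: sessions older than this must log in again.
SESSION_MAX_AGE = 15 * 60  # seconds


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool        # device is registered and authorised by the organisation
    disk_encrypted: bool  # posture check (constructed example criterion)
    patched: bool         # posture check (constructed example criterion)


@dataclass(frozen=True)
class Session:
    user: str
    device: Device
    mfa_factors: FrozenSet[str]  # e.g. {"password", "totp"}
    roles: FrozenSet[str]
    verified_at: float           # Unix time of the last successful verification


# Least privilege: each role is granted only the zones it needs.
# Microsegmentation: zones are separately authorised segments of the network.
# (Constructed policy table for illustration.)
ROLE_ZONES = {
    "hr": frozenset({"hr-db"}),
    "developer": frozenset({"ci", "staging"}),
    "sre": frozenset({"ci", "staging", "prod"}),
}


def device_healthy(device: Device) -> bool:
    """Device access control: only enrolled, compliant devices may connect."""
    return device.enrolled and device.disk_encrypted and device.patched


def authorised_zones(roles: FrozenSet[str]) -> FrozenSet[str]:
    """Union of the zones granted to the caller's roles; unknown roles grant nothing."""
    return frozenset().union(*(ROLE_ZONES.get(role, frozenset()) for role in roles))


def decide(session: Session, zone: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request against one zone.

    Checks are ordered cheapest-first; the first failure denies the request.
    """
    now = time.time() if now is None else now

    # Continuous verification: a stale session is not trusted just because it
    # was verified once.
    if now - session.verified_at > SESSION_MAX_AGE:
        return False, "session expired: re-verification required"

    # Multi-factor authentication: one factor (password, token or biometric)
    # is never enough on its own.
    if len(session.mfa_factors) < 2:
        return False, "multi-factor authentication required"

    # Device access control: compromised or unauthorised devices are rejected
    # even when the user is legitimate.
    if not device_healthy(session.device):
        return False, f"device {session.device.device_id} not authorised or non-compliant"

    # Least privilege + microsegmentation: the role must be authorised for
    # this specific zone; access to one zone says nothing about another.
    if zone not in authorised_zones(session.roles):
        return False, f"roles {sorted(session.roles)} not authorised for zone {zone!r}"

    return True, "allow"


if __name__ == "__main__":
    # Constructed demo input.
    laptop = Device("laptop-42", enrolled=True, disk_encrypted=True, patched=True)
    alice = Session("alice", laptop, frozenset({"password", "totp"}),
                    frozenset({"developer"}), verified_at=time.time())
    for zone in ("ci", "prod"):
        print(zone, decide(alice, zone))
```

Because every check runs on every request, a user who was allowed into the `ci` zone a minute ago is still denied `prod`, and the same user is denied `ci` once the session exceeds `SESSION_MAX_AGE` until they re-verify; in a real deployment the role table and posture checks would come from the identity provider and device management system rather than from constants in the file.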
Zero trust might sound complex...
But it really isn’t. Adopting this security model can be pretty straightforward with the right knowledge and training.