Zero trust is a security model fit for today’s demands. However, getting started requires a rethink and a departure from some cherished concepts – including that of perimeter-focused security. This alone is reason enough to take a closer look and explain why companies should be looking to implement a zero trust philosophy as soon as they can. This blog post, and others to follow later in the year, will take you on a journey into the world of zero trust!
The increasing popularity of cloud and edge computing, combined with hybrid working models, requires a rethink of cyber security. The traditional approach, with defined security boundaries that distinguish between “trusted” and “untrusted” communication, is no longer sufficient. Today, ever more employees work remotely and are thus active outside the former “fortified office walls” and perimeters. Moreover, in addition to the core workforce, mobile workers, hybrid employees and third-party partners often need access to business applications and data. The use of BYOD and cloud services is also on the increase, which means that large parts of the company’s data traffic are no longer protected by perimeter-based security. Contemporary cyber security therefore requires greater speed and flexibility to stay one step ahead of cyber criminals. That speed and flexibility also increase resilience and allow full operational capability to be restored quickly after an incident.
Zero trust will supersede perimeter-based security
The biggest problem with perimeter-based security is that it is static. Over the years, applications, devices and users have outgrown traditional corporate boundaries, so a location inside the network is no longer a sound basis for trust in architectural terms. The fundamental flaw of perimeter-based security is that everyone accessing resources from within the secure perimeter is trusted – an outdated assumption, since threats come from inside as well as outside, as the various types of insider threat, both malicious and negligent, demonstrate. To remedy this, companies should adopt the zero trust model.
Verification of identities, devices, networks, applications and workloads, and data must become the new security perimeter. The zero trust model is built on these pillars and works on the basic idea of trusting no one until their trustworthiness (identity, device, network and application) has been verified in context (application, workload and data). Zero trust thus puts all users, devices, applications and communications on the same security footing and explicitly classifies them as untrusted until they have been verified. This verification is carried out continuously, which means that trust is only ever granted for a limited time. The security model also applies the principle of least privilege (PoLP) to limit what a user or device can access.
In this way, a zero trust framework protects confidential company data, regardless of whether the threat comes from inside or outside the company. Whether ransomware is smuggled in from outside, employees are working in their home office, problems occur in the supply chain or partner companies have security loopholes – zero trust ensures that data is processed securely. However, the introduction of the concept requires a change in thinking in order to effectively secure IT systems and corporate data in the future.
Zero trust: comprehensive protection for identities, devices, networks, applications and workloads as well as data
Continuous monitoring gives companies precise tools that can be fine-tuned to protect the following four strategic business areas:
- Identities: In today’s organisations, not only the company’s own employees but also partners and third parties access business applications and data via managed and unmanaged mobile devices. They use a wide variety of identities and access rights, which poses a huge challenge. There is also the risk of a proliferation of authorisations and credentials, which undermines efforts to secure identities in the long run.
- Assets: Cyber criminals are increasingly targeting cloud-based workloads and assets. For that reason, admins need tools to monitor zero trust policies and access management, verifying the legitimacy of requests with role-based access controls and contextual data. Identifying critical assets allows companies to focus their efforts on the more important areas.
- Applications & workloads: Zero trust enables continuous monitoring of applications to assess behaviour and detect anomalies. Knowing which applications and connection types are in use means that protective measures can be enforced in a targeted manner.
- Data: Controlling access to data is an essential element of zero trust. This protects users when they launch business applications and work with company data. An effective zero trust strategy not only enables the targeted control of access and authorisations, but also the detection of unusual behaviour and events. This also allows unauthorised copying or downloading of data to be detected and prevented.
The zero trust model helps organisations build an effective and adaptive security model, especially to meet the complex demands of today’s hybrid working. If you do not yet have a strategy for implementing zero trust, we recommend that you develop one now and create an associated strategic roadmap. The path to zero trust is a gradual process that can take years to implement.
The strategy should involve a zero trust cyber security framework that includes the following dimensions: identities, devices, applications and workloads, data, network and architecture, governance, automation and orchestration along with visibility and analytics capabilities. Take advantage of the experience and expertise of specialists like InfoGuard!
We will support you in developing your zero trust strategy, the corresponding architecture, the selection and configuration of suitable security solutions as well as the operation and monitoring of your infrastructure around the clock.
Get in touch – we will be happy to be at your side on your zero trust journey!
Introduction of zero trust
Integrating a zero trust model into the current IT environment takes time and effort. However, positive effects can be achieved that go far beyond traditional network perimeters and can cover any aspect of securing a company very effectively.
Zero trust also cannot be achieved with a single product. Instead, it requires a comprehensive approach that takes into account the complex interplay of identities, devices, networks, applications and workloads, and data. If a move to Security Service Edge (SSE) and the use of multiple cloud-based zero trust techniques are also envisaged, the time and resource requirements increase further. During the planning phase, it is important to choose zero trust techniques with a high degree of modularity, so that the constantly evolving cyber threats can be met.
We recommend starting with small implementations and proceeding in manageable steps. An example of a procedure for implementing zero trust could look as follows:
- Set up identity-based access control: Companies must first set up an identity-based access control system that ensures that only authenticated and authorised identities and devices can access the network. It should include multi-level authentication.
- Introduce segmentation: Micro-segmentation plays an important role in zero trust security, as the network itself is logically and dynamically segmented into separate secure zones, down to the level of individual workloads. This helps prevent the spread of malicious activity while ensuring that only legitimate identities and devices can access the relevant zones.
- Monitor and verify identity and device activity: Companies should track identity and device activity and conduct continuous audits. This is to ensure that identities do not perform actions that could compromise the security of networks, applications, workloads and data, that devices are properly configured and that all required security measures are active.
- Implement secure communication protocols: Companies should implement secure protocols for all communication between devices, networks, applications and workloads, such as TLS for web traffic and SSH for remote access.
- Protect systems in the supply chain: Companies should take measures to protect their supply chain systems from threats, for example by encrypting data in transit, requiring multi-factor authentication for remote access and running regular vulnerability scans.
- Automate threat detection and response: Organisations should implement automated threat detection and response solutions to detect and respond to malicious activity in real time.
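To make the pillars described above (verified identity, device posture, network context and least privilege, each re-checked within a time limit) and the first three steps of this procedure concrete, here is an added Python example of a minimal policy decision point. It is not code from the original post or from InfoGuard; the roles, resource classes, network segments, the 15-minute re-verification window and the sample session are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Policy data, constructed for this example (hypothetical roles, resources and segments).
# Least privilege: each role gets only the actions it needs on each resource class.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "engineer":   {"source-repo": {"read", "write"}, "hr-records": set()},
    "hr":         {"source-repo": set(),             "hr-records": {"read", "write"}},
    "contractor": {"source-repo": {"read"},          "hr-records": set()},
}

# Micro-segmentation: which source segments may reach which resource class at all.
# Coming from "corp-lan" grants nothing by itself; it is just one more signal that is checked.
SEGMENT_REACHABILITY: Dict[str, Set[str]] = {
    "source-repo": {"corp-lan", "vpn", "internet"},
    "hr-records":  {"corp-lan", "vpn"},
}

# Trust is time-limited: an identity or device verification older than this must be repeated.
MAX_VERIFICATION_AGE = timedelta(minutes=15)

@dataclass
class Identity:
    user: str
    role: str
    mfa_verified_at: Optional[datetime]  # None = MFA never completed in this session

@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    posture_checked_at: datetime

@dataclass
class Request:
    source_segment: str   # "corp-lan", "vpn" or "internet"
    resource_class: str   # "source-repo" or "hr-records"
    action: str           # "read" or "write"

@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)  # every failed check, for the audit log

def evaluate(identity: Identity, device: Device, req: Request, now: datetime) -> Decision:
    """Policy decision point: the request is denied unless every pillar checks out."""
    reasons: List[str] = []
    # Pillar 1: identity, verified recently (continuous verification, time-limited trust).
    if identity.mfa_verified_at is None:
        reasons.append("identity: MFA not completed")
    elif now - identity.mfa_verified_at > MAX_VERIFICATION_AGE:
        reasons.append("identity: MFA verification expired, re-authentication required")
    # Pillar 2: device posture, also verified recently.
    if not device.managed:
        reasons.append("device: unmanaged device")
    if not device.disk_encrypted:
        reasons.append("device: disk not encrypted")
    if not device.edr_healthy:
        reasons.append("device: endpoint protection not healthy")
    if now - device.posture_checked_at > MAX_VERIFICATION_AGE:
        reasons.append("device: posture check expired, re-check required")
    # Pillar 3: network context (segmentation), evaluated per request, never assumed.
    if req.source_segment not in SEGMENT_REACHABILITY.get(req.resource_class, set()):
        reasons.append(f"network: segment {req.source_segment!r} may not reach {req.resource_class!r}")
    # Pillar 4: least privilege on the application, workload or data being accessed.
    allowed_actions = ROLE_PERMISSIONS.get(identity.role, {}).get(req.resource_class, set())
    if req.action not in allowed_actions:
        reasons.append(f"privilege: role {identity.role!r} may not {req.action!r} {req.resource_class!r}")
    return Decision(allowed=not reasons, reasons=reasons)

def audit_line(identity: Identity, device: Device, req: Request, decision: Decision, now: datetime) -> str:
    """One structured log line per decision, so denials and anomalies can be monitored."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    detail = "; ".join(decision.reasons) or "all checks passed"
    return (f"{now.isoformat()} {verdict} user={identity.user} device={device.device_id} "
            f"segment={req.source_segment} resource={req.resource_class} "
            f"action={req.action} reason=\"{detail}\"")

# Constructed sample session: a freshly verified engineer, the same engineer with an expired
# verification, a contractor, and a compliant managed laptop.
NOW = datetime(2024, 1, 15, 9, 30)
ALICE = Identity("alice", "engineer", mfa_verified_at=NOW - timedelta(minutes=5))
ALICE_STALE = Identity("alice", "engineer", mfa_verified_at=NOW - timedelta(minutes=40))
BOB = Identity("bob", "contractor", mfa_verified_at=NOW - timedelta(minutes=1))
LAPTOP = Device("lt-0042", managed=True, disk_encrypted=True, edr_healthy=True,
                posture_checked_at=NOW - timedelta(minutes=2))

if __name__ == "__main__":
    for who, req in ((ALICE, Request("vpn", "source-repo", "write")),
                     (ALICE, Request("vpn", "hr-records", "read")),
                     (ALICE_STALE, Request("corp-lan", "source-repo", "read")),
                     (BOB, Request("internet", "source-repo", "write"))):
        print(audit_line(who, LAPTOP, req, evaluate(who, LAPTOP, req, NOW), NOW))
```

Two design points are worth noting. Every request runs through all four checks and collects every failure, so the audit line records the full reason a request was denied rather than just the first one, which is what the monitoring step needs. And an expired MFA or posture check is treated exactly like a missing one: a session that was trustworthy 40 minutes ago is not trusted now, which is the time-limited trust the post describes.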
Your zero trust journey starts now – with the InfoGuard Zero Trust Readiness Assessment
The InfoGuard “Zero Trust Readiness Assessment” is exactly the right starting point for identifying risks and weaknesses in the current zero trust strategy or its implementation! We will show you for instance which good practices have not yet been sufficiently defined or implemented in your zero trust strategy. Discrepancies are assessed in terms of their risk criticality. Prioritised recommendations for action are developed on this basis and presented in the form of a solution path. Interested? Then we look forward to receiving your enquiry:
We will explain how zero trust can be used in cyber security, cloud, IoT and OT infrastructure, supply chain or development, for example, in another post in a few weeks. Make sure you don’t miss it by signing up for our blog update right away!