Theresa Lanowitz, director at AT&T Cybersecurity, offers six key elements of Zero Trust.
The Zero Trust concept is being widely adopted by organisations to help make the transition from traditional perimeter-based security to more modern architectures. The recent AT&T Cybersecurity Insights Report finds that 94 per cent of survey participants are either researching, implementing, or completed implementation of Zero Trust. Indeed, the Zero Trust journey is well under way!
For those unaware of the Zero Trust framework, its core belief is that the traditional “four walls” of an organisation are no longer secure. The fundamental tenet of Zero Trust posits that actors, systems, or services operating inside the security perimeter should not be automatically trusted; everything, whether coming from inside the organisation or outside, should be verified before being given access – trust nothing and verify everything.
This principle is based on core values that observe the network as being hostile and under constant threat. As such, policies are developed to limit the level of risk. The Zero Trust framework can be summed up into five rules:
1. The network is always assumed to be hostile;
2. Threats, internal and external, always exist on the network;
3. Network location is not sufficient for determining trust in a network;
4. Every device, user, and network flow is authenticated and authorised; and
5. Policies must be dynamic and derived from as many data sources as possible.
Yet, there are areas security professionals need to consider when adopting a Zero Trust framework. The success of Zero Trust hinges on how the organisation views security from both a business and a technical point of view. What makes a Zero Trust framework successful at a deeper level is the technology enterprises deploy to raise their overall security maturity. As a minimum, six technologies should always be included:
Network segmentation – This is considered the foundation on which Zero Trust is built. By breaking down or segmenting networks into smaller networks, organisations are removing the weakness of a network model where everything is trusted. If networks are not segmented, all a hacker needs to do is exploit a single network to gain access to the sensitive data, and the wider infrastructure, in one sweep. Network segmentation removes this issue and restricts access to critical systems to only those that require it.
Identity and access management (IAM) – IAM grants access to information that meets a set level of identification and authorisation. This leverages a degree of multi-factor identification to ensure only those that are verified are admitted access to data and systems.
Firewall and least privilege access – Viewed as an additional layer that operates similarly to network segmentation, this technology acts as a buffer to information and only permits access to those that have genuine business needs. For instance, a systems engineer would not need access to sensitive human resources data, such as salaries, to carry out their job.
Data security – Data security is necessary to ensure data breaches and leaks are avoided, especially as enterprises implement more IaaS (Infrastructure as a Service) and SaaS (Software as a Service) technologies, and edge computing. With these internet-connected systems, malicious actors have more access points to exploit and steal sensitive data. Data security also helps organisations comply with global data privacy and security regulations like GDPR and CCPA.
Configuration management – Often, security departments have limited resources and manpower, so investing in a robust configuration management system will provide an inventory of known devices connected to the network. Furthermore, it contains automation capabilities for implementing security policies that may be missed by humans. Reducing human error is a big part of implementing Zero Trust.
SIEM (Security Information and Event Management) – SIEMs provide the necessary visibility an organisation seeks regarding its security environment in one centralised viewpoint, allowing the security team to take action and deter potential threats in real time.
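The five rules and the six elements above describe a policy model; the following added example (not code from AT&T Cybersecurity or the author) shows how a single access decision combines them. It assumes a constructed device inventory from configuration management, role grants expressing least privilege, and a segment map, and it deliberately ignores the source IP, since network location never earns trust.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the page's elements: a
# configuration-management inventory of known devices, IAM roles with
# least-privilege grants, and the network segment that houses each resource.
KNOWN_DEVICES = {"lt-0142": "compliant", "lt-0377": "non-compliant"}
ROLE_GRANTS = {
    "systems-engineer": {"build-server", "log-archive"},
    "hr-analyst": {"hr-salary-db"},
}
RESOURCE_SEGMENT = {"build-server": "eng", "log-archive": "eng", "hr-salary-db": "hr"}
ROLE_SEGMENTS = {"systems-engineer": {"eng"}, "hr-analyst": {"hr"}}

@dataclass
class AccessRequest:
    user: str
    role: str
    device_id: str
    resource: str
    authenticated: bool   # IAM has verified the identity
    mfa_passed: bool      # second factor completed
    source_ip: str        # carried only to show it grants nothing

def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons); every check must pass, location never counts."""
    reasons = []
    # Rule 4: every user, device and flow is authenticated and authorised.
    if not req.authenticated:
        reasons.append("identity not verified")
    if not req.mfa_passed:
        reasons.append("multi-factor authentication not completed")
    # Configuration management: unknown or non-compliant devices are not trusted.
    if KNOWN_DEVICES.get(req.device_id) != "compliant":
        reasons.append(f"device {req.device_id} not in compliant inventory")
    # Least privilege: the role must explicitly grant this resource.
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        reasons.append(f"role {req.role} has no grant for {req.resource}")
    # Network segmentation: the resource's segment must be reachable by the role.
    segment = RESOURCE_SEGMENT.get(req.resource)
    if segment not in ROLE_SEGMENTS.get(req.role, set()):
        reasons.append(f"segment {segment} not reachable by role {req.role}")
    # Rule 3: req.source_ip is never consulted; an internal address is not trust.
    return (not reasons, reasons)

if __name__ == "__main__":
    # An engineer on the internal network asking for salary data is still denied.
    demo = AccessRequest("alice", "systems-engineer", "lt-0142", "hr-salary-db", True, True, "10.0.0.5")
    print(evaluate(demo))
```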
What should you be mindful of on your Zero Trust journey?
There are two areas that organisations need to be cognizant of when moving to Zero Trust: leadership and investment. It takes time for Zero Trust to become operational and fully ingrained in a business architecture and overall mindset. Patience is required to guarantee everyone is following the framework. Implementing a Zero Trust model will require investment to deliver the necessary cybersecurity practices, policies, and procedures. This entails rethinking the security outlook already in place. Such a project will need a committed leader with a vision at the executive level who understands the relationship between security and business; to succeed, you cannot have one without the other.
As the cybersecurity landscape continually evolves, organisations will need to adjust to threats, especially as new ones emerge. Thus, seek trusted cybersecurity consultancy advice to understand how best to implement a Zero Trust framework so that your enterprise benefits in the best way possible. For instance, it may be recommended that a company enlist the help of a managed security services provider (MSSP) to handle all security services, including technology and threat intelligence. Each organisation will be unique in its needs, and one should never be discouraged from seeking external advice. Remember, Zero Trust is a continual journey, not a destination.