Practical zero trust in a real-world environment
- Published: Wednesday, 09 November 2022 09:21
Zero trust is a popular talking point when it comes to security; in reality, however, end-to-end zero trust is not workable for the vast majority of modern businesses. Despite this, you can use the zero trust approach in a practical way in a real-world environment, argues Chris Cooper.
We are used to the need for vigilance and wariness in a modern world filled with complex cybercrime, malware, and threats to digital security. It is hardly surprising then, that the concept of ‘zero trust’ – i.e. not trusting anything inside or outside your organization’s IT perimeter – has become popular. It means that any device, application, or person trying to connect to your infrastructure must be authenticated first before being granted access. Let’s explore what it means in practice and which guidelines to follow when it comes to implementing zero trust.
Minimise the impact on user productivity
The first thing to consider is how to deliver the tangible benefits of zero trust in a secure cloud environment without unnecessary costs and complications. At the same time, zero trust should enable effective business activities rather than hold the workforce back. You must ensure that users still have access to the applications and data they need to work effectively without disruption.
With working from home now commonplace and many organizations existing primarily in the cloud, there is a constant flow of digital traffic going in and out of businesses daily, all of which needs diligent monitoring. However, if your zero trust approach, with multi-factor authentication or complicated log-in procedures, makes doing business more difficult, it could well prove an own goal.
A holistic methodology, not a software solution
Zero trust has its roots in academic theory – it was first mentioned in 1994 in a paper from Stirling University. Fast forward to 2018 and American cybersecurity specialists began highlighting zero trust architecture as a new way to approach the basics of cyber security planning.
In the years since, this approach has been heartily welcomed by cyber security professionals and CIOs globally – but unsurprisingly, there are differences in both the understanding of the term and its execution. Despite the straightforward concept, there’s no out-of-the-box, plug-and-play security solution that can simply and effectively enable ‘zero trust’.
Instead, enabling practical aspects of zero trust in your organization is a strategic operation, demanding careful consideration of your existing data and technology environment. This requires clearly defined policies and principles, which can be enforced when you deploy new digital elements or alter your infrastructure in any way.
Make zero trust part of an overarching security strategy
In real life, zero trust rarely provides 100 percent guaranteed security. Even though the ‘zero’ implies nothing will breach your digital defences, it is unhelpful to see this as an attainable goal. Instead, we should be taking aspects of the zero trust approach and applying them pragmatically to minimise vulnerabilities while remaining cognizant of the fact that, while we might be better protected against malware, nothing is inviolable.
We are all well aware that cybercriminals are continually developing ever-more complex hacking tactics, so monitoring and addressing the latest cyber threats remains critical. In reality, zero trust won’t eliminate every security threat – phishing, and the leaking of valuable data, can happen regardless of zero trust policies.
Let’s look at a pioneer in zero trust with billions of users around the world – Microsoft. It applies zero trust principles to empower users rather than restrict them. That means allowing employees to use their own devices to access the corporate network – but with rigorous security procedures that are quick to complete. Microsoft endorses single sign-on, multi-factor, password-less authentication and the elimination of VPN clients – and you should too.
Implementing zero trust
As with most things in life and IT, there is no off-the-shelf, one-size-fits-all solution for zero trust. Every organization differs in terms of its applications, data, network and infrastructure, particularly when it comes to legacy, on-premises systems. That means you need an experienced partner to guide you on your journey to zero trust. These are some of the key topics to consider together:
- A uniform identity management solution
- Adaptive access controls
- User-to-application segmentation
- Workload-to-workload segmentation.
In practice, a successful cyber defence relies on precise, experienced planning and implementation, in tandem with ongoing, continuous improvement and monitoring in the context of an ever-changing cyber security environment. By partnering with a specialist in the field to deploy and manage zero trust protocols, you’ll have access to in-depth and up-to-date expertise which might be otherwise hard to maintain internally. Zero trust is a subject where focused support from a professional partner will undoubtedly provide value, insight, and peace of mind.
Chris Cooper is Cyber Security Practice Director, Six Degrees.