Embracing the modern work culture with the Zero Trust Security Model
Before the shift to hybrid working, an organisation’s data was typically managed on-premises, where security controls and monitoring were applied to all incoming and outgoing traffic. The basic assumption was that everything within the organisation’s security perimeter could be trusted. Now that the workplace dynamic has changed, employees no longer have to visit the office building to work; instead they can access office assets and cloud resources from their mobile devices regardless of their location. The consequence is that the security perimeter is no longer confined to the office walls. Valuable data now flows between SaaS applications, IaaS platforms, remote devices and IoT devices outside the corporate perimeter, and that makes it much easier for cybercriminals to execute successful attacks.
The increase in data, and the number of access points to it, gives cybercriminals a wider attack surface, making cyber-attacks both more profitable and easier to undertake. Industry breach-cost studies put the average cost of a single data breach at over $3 million. This evolving threat landscape demands a new security paradigm that adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects data, people, and devices regardless of location. The Zero Trust Security model helps organisations achieve these ambitions: it requires every user to be authenticated and authorised at the point they access the data they want to reach, rather than assuming that because they are inside a corporate perimeter their access should be trusted. In addition, the devices users connect from must have their security configuration (their posture) continuously validated before any application or data is released to them. The Zero Trust model helps to deter would-be attackers because it makes reaching data much more difficult even if they manage to breach an organisation’s perimeter, and it limits the amount of data they can access once inside, making an attack much less profitable. Zero Trust principles are thus becoming a critical layer of security when organisations function in a remote setting with a growing number of endpoints.
The shift from “trust but verify” to “never trust, always verify” protects data from bad actors and ensures that the right people, and only those people, have access to the information at the right time. Under this approach the organisation trusts nobody by default, whether they operate inside or outside the network, and requires them to continuously prove their identity.
Zero Trust is more than just a concept. It is a tangible security model built on five security principles that help an organisation get the most out of its security investment. The fundamental principles are:
- Verify Explicitly
The basic philosophy behind the Zero Trust security model is to assume that attackers are present both inside and outside the organisation’s network, so no user or device should be trusted automatically. Every access request is authenticated and authorised using all the signals available (user identity, device health, location, the service being requested and the sensitivity of the data), not just a password entered once at the start of the day. Sessions and tokens expire after a defined period, forcing users and devices to re-verify continuously rather than being trusted indefinitely.
- Provide the least privilege
Organisations should grant users least-privilege access. Providing information strictly on a need-to-know basis minimises each user’s exposure to sensitive parts of the network, and limits what an attacker can reach with a compromised account. A traditional flat VPN, where connecting places the user on the whole internal network, works against this principle; access should instead be granted per application or resource, with no standing access to everything.
- Enabling Multi-factor authentication
Multi-factor authentication (MFA) is a crucial element of the Zero Trust security model. It requires more than one piece of evidence to authenticate the user; entering a password alone is not enough to get access. A commonly seen form is the two-factor authentication offered by Google and Facebook: in addition to entering a password, the user must supply a code sent to their registered mobile number or email, or generated by an authenticator app. Note that codes sent over SMS or email can be intercepted or phished; time-based one-time codes from an authenticator app are stronger, and phishing-resistant methods such as FIDO2 security keys are stronger still.
- Continuous monitoring of devices and services
The organisation should incorporate real-time monitoring to improve its ability to detect, investigate and remediate intrusions. Every access decision, allowed or denied, should be logged, because a burst of denials for one account or device is often the first visible sign of a compromise. Real-time tracking helps organisations detect potential breaches before they take root and spread to other systems. Automation and orchestration also help here, allowing remediation (for example revoking a session or quarantining a device) to happen quickly once an attack or breach is identified.
- Embrace micro-segmentation
Micro-segmentation breaks the security perimeter into small zones, each with its own access policy, so that a user or workload in one zone cannot reach another without separate authorisation. This contains an attacker who does get in: a compromised account or device in one zone cannot move laterally across the whole network. An example is a network containing various file shares that is divided into multiple secure zones; a user with access to one zone will not be able to access another without being separately authorised for it.
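The five principles above fit together as a single access decision made on every request. As an added example (not code from the original article or from any product it mentions), the following Python script implements them as a miniature policy decision point: RFC 6238 TOTP for the MFA step, a session that expires and must step up MFA for sensitive zones (verify explicitly), an explicit role-to-zone policy with default deny (least privilege), resources mapped to zones (micro-segmentation), and an audit log of every decision (continuous monitoring). All user names, roles, zones, time thresholds and the TOTP secret are assumptions constructed for illustration.

```python
"""
Miniature Zero Trust policy decision point, standard library only.

Every request is evaluated against identity freshness, step-up MFA, device
posture, a least-privilege role policy and micro-segmented zones, and every
decision is recorded for monitoring. All users, devices, zones and the TOTP
secret below are constructed sample data for illustration.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


# --- MFA: RFC 6238 time-based one-time password (HMAC-SHA1, 30 s steps, 6 digits)
def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, at: float, drift_steps: int = 1) -> bool:
    """Accept the current step plus/minus drift_steps for clock skew; constant-time compare."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-drift_steps, drift_steps + 1))


# --- Micro-segmentation: each resource belongs to exactly one zone (sample data)
RESOURCE_ZONE: Dict[str, str] = {"payroll-db": "hr", "source-repo": "eng", "wiki": "shared"}

# --- Least privilege: explicit (role, zone) -> permitted actions; anything else is denied
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("hr-analyst", "hr"): {"read"},
    ("hr-analyst", "shared"): {"read"},
    ("hr-manager", "hr"): {"read", "write"},
    ("hr-manager", "shared"): {"read"},
    ("developer", "eng"): {"read", "write"},
    ("developer", "shared"): {"read", "write"},
}
SENSITIVE_ZONES = {"hr"}      # zones that demand fresh (step-up) MFA
SESSION_MAX_AGE = 8 * 3600    # seconds before a session must re-authenticate
MFA_MAX_AGE = 15 * 60         # seconds a step-up MFA stays valid for sensitive zones


@dataclass
class Device:
    managed: bool
    os_patched: bool
    disk_encrypted: bool


@dataclass
class Session:
    user: str
    role: str
    authenticated_at: float
    mfa_verified_at: Optional[float] = None   # None until a step-up challenge succeeds


@dataclass
class Decision:
    allow: bool
    reason: str


AUDIT_LOG: List[dict] = []   # continuous monitoring: every decision, allowed or denied


def device_compliant(d: Device) -> bool:
    return d.managed and d.os_patched and d.disk_encrypted


def complete_mfa(session: Session, secret: bytes, code: str, now: float) -> bool:
    """Step-up challenge: on success, stamp the session so sensitive zones open for MFA_MAX_AGE."""
    if verify_totp(secret, code, now):
        session.mfa_verified_at = now
        return True
    return False


def authorize(session: Session, device: Device, resource: str, action: str, now: float) -> Decision:
    """Verify explicitly on every request: session age, device posture, step-up MFA, then policy."""
    zone = RESOURCE_ZONE.get(resource)
    mfa_fresh = session.mfa_verified_at is not None and now - session.mfa_verified_at <= MFA_MAX_AGE
    if zone is None:
        decision = Decision(False, "unknown resource")
    elif now - session.authenticated_at > SESSION_MAX_AGE:
        decision = Decision(False, "session expired; re-authenticate")
    elif not device_compliant(device):
        decision = Decision(False, "device posture non-compliant")
    elif zone in SENSITIVE_ZONES and not mfa_fresh:
        decision = Decision(False, "step-up MFA required")
    elif action not in POLICY.get((session.role, zone), set()):
        decision = Decision(False, f"role {session.role} may not {action} in zone {zone}")
    else:
        decision = Decision(True, "allowed")
    AUDIT_LOG.append({"ts": now, "user": session.user, "resource": resource, "zone": zone,
                      "action": action, "allow": decision.allow, "reason": decision.reason})
    return decision


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # sample secret; real deployments use a random per-user secret
    now, laptop = 1_700_000_000.0, Device(managed=True, os_patched=True, disk_encrypted=True)
    alice = Session("alice", "hr-analyst", authenticated_at=now - 600)
    print(authorize(alice, laptop, "payroll-db", "read", now))     # denied: step-up MFA required
    complete_mfa(alice, SECRET, totp(SECRET, now), now)
    print(authorize(alice, laptop, "payroll-db", "read", now))     # allowed
    print(authorize(alice, laptop, "payroll-db", "write", now))    # denied: least privilege
    print(authorize(alice, laptop, "source-repo", "read", now))    # denied: wrong zone
```

The order of checks is deliberate: a stale session or a non-compliant device is rejected before any policy lookup, so a stolen but expired token or an unpatched laptop never gets as far as the authorisation decision, and every denial lands in the audit log with its reason so that monitoring can spot a pattern.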
The recent corporate shift to embrace hybrid working reflects an understanding that business needs to provide more flexibility and choice for its workforce. Taken alongside the acceleration of digital transformation, the convergence of personal and professional devices, the adoption of cloud, and the increasing use of apps, it is clear that the role of security has had to change. Whilst it has to adapt to address the Zero Trust Security principles described above, it is also important that this is not seen as a handbrake on business agility and user experience. As a consequence, there is a need for both short- and long-term planning when developing a digital security strategy: other critical goals, such as long-term sustainability, increasing agility and enabling growth, cannot be sacrificed for short-term security gains.
As such it is important to consider the Zero Trust Security model as a set of building blocks that can be implemented in stages to achieve incremental gains without impacting business agility and user experience. Often such building blocks already exist as components of technologies already in place within the corporate IT infrastructure; it is simply a matter of enabling them. Of equal importance when implementing the Zero Trust security model is to know what devices, assets, services, and users you have and how they work, and to ensure that the model can be applied consistently so as not to leave exploitable gaps.
Zero Trust is not a simple solution that can be bought and implemented; instead it is best to think of Zero Trust as an architectural model and a concept. As such, implementing the different technology building blocks such as MFA and micro-segmentation requires the definition of a clear strategy first.
Establishing what needs to be protected (the protect surface) is essential, and should consider data, applications, assets and services. Understanding data flows between services, to identify where new, more localised controls can be added without impacting business agility and user experience, is also key. Equally important is defining clear access policies: the “who, what, when, where, why and how” of access.
Only then can organisations start to think about implementing least-privilege access across the organisation, applying allow-listing (whitelisting), deploying MFA controls or adding micro-segmentation to the network. And once these are implemented it is important that organisations do not consider the job done: continual monitoring of network traffic and access decisions is needed to drive continual improvement of the model.
(The author is Mr. Sambit Chandan Dash, Country General Manager, Computacenter India and the views expressed in this article are his own)