Zero Trust. An Overview
OryxAlign | Jun 17, 2020 | 2 min read


Many businesses operate a 'verify, then trust' model, giving any user with the correct credentials access to any app or device.

Because of this, businesses are often left open to threats such as data breaches and malware. This is where the network security concept of zero trust comes in. Here’s how it all works.

Update 16 July 2024

Zero Trust has advanced significantly in recent years. Learn more in our new blog 'What is Zero Trust, and does it help cyber security in small firms?'.

What zero trust is

Zero trust is built on the idea that systems shouldn’t automatically trust anything inside or outside the security perimeter. It’s about being certain who the user is: never trust, always verify. It offers better security than technology relying on outdated trust principles such as VPNs. To achieve this, a few different principles and technologies are combined.

Least privilege

This is the idea of limiting access to only what is 100% necessary. A process, application, system or device is given only the bare minimum level of rights and security clearances it needs to function.

Micro-segmentation

Traditional “castle and moat” security is flawed. Once security is breached, say, by hacking a password, a hacker has free rein within your entire system. With micro-segmentation, security perimeters are split into smaller sections. This means different areas of the network require different authentication. One hacker breaking into one segment can only do damage within the segment they’ve hacked.

Multi-factor authentication

Think of it as a digital double/triple lock. It’s the act of authenticating a user’s identity by asking for multiple credentials. Instead of just asking for a username and password, MFA may ask for anything from an extra security question to a fingerprint. Using biometric data like facial recognition, fingerprint, or retina scans is particularly effective as it is impervious to a brute force attack.

Implementing zero trust

Here are the five steps to make zero trust a reality in your business.

1) Define what to protect. This means outlining the applications, assets, etc., that are most crucial to your business, the last things you’d want falling into the wrong hands.

2) Map the transaction flows by viewing and noting how traffic moves across a network. This will give you insight into how to achieve optimal security and cause minimal disruption within your business.

3) Design the zero-trust network. This will begin by adding a next-generation firewall to act as a segmentation gateway. From here, you can add additional layers of inspection and access control.

4) Create your zero-trust policies. This involves getting super detailed about who your users are, what applications they need, why they need them, and what controls are needed to secure their access.

5) Monitor your networks. Here you inspect and log all traffic so you can optimise the network over time.
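
As an added illustration (not code from OryxAlign), here is a minimal default-deny policy check that combines steps 4 and 5 with least privilege, micro-segmentation and MFA. The users, applications, segments and rule fields are constructed for the example.

```python
# Added example: default-deny policy check (all names and data are constructed).
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    user: str        # who the user is
    app: str         # which application they need
    segment: str     # micro-segment the application lives in
    reason: str      # why they need it (kept for audit)
    require_mfa: bool = True  # control needed to secure the access

@dataclass(frozen=True)
class Request:
    user: str
    app: str
    segment: str
    mfa_passed: bool

# Constructed sample policy: one rule per (user, app, segment) that is needed.
POLICY = [
    Rule("alice", "payroll", "finance", "runs monthly payroll"),
    Rule("bob", "wiki", "office", "edits internal docs", require_mfa=False),
]

AUDIT_LOG = []  # step 5: every decision is recorded, allowed or not

def decide(req: Request, policy=POLICY, log=AUDIT_LOG) -> bool:
    """Return True only if an explicit rule matches; everything else is denied."""
    allowed, why = False, "no matching rule (default deny)"
    for rule in policy:
        if (rule.user, rule.app, rule.segment) == (req.user, req.app, req.segment):
            if rule.require_mfa and not req.mfa_passed:
                why = "rule matched but MFA not satisfied"
            else:
                allowed, why = True, f"rule matched: {rule.reason}"
            break
    log.append((req.user, req.app, req.segment, allowed, why))
    return allowed

if __name__ == "__main__":
    for r in [
        Request("alice", "payroll", "finance", mfa_passed=True),   # allowed
        Request("alice", "payroll", "finance", mfa_passed=False),  # MFA missing
        Request("alice", "wiki", "office", mfa_passed=True),       # no rule for alice
        Request("bob", "payroll", "finance", mfa_passed=True),     # other segment
    ]:
        print(r.user, r.app, r.segment, "->", "ALLOW" if decide(r) else "DENY")
```

Valid credentials alone never grant access here: a request outside the user's listed application and segment is denied, and the denial is logged with its reason.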

Certain technologies support zero trust. However, achieving it has more to do with a general attitude than adhering to a checklist. It’s a constant process of staying up to date on what lets you avoid having to trust a user and on how you can always verify them.
