Let's be clear: we know Zero Trust isn't new. Your organisation may not have implemented Zero Trust yet, but the industry has talked about it for over a decade. And, since the National Cyber Security Centre (NCSC) in the UK recommended in 2019 that companies adopt the zero trust principle for their security strategy, it's moving higher up the security agenda.
Confusion exists around viewing security in traditional ways versus the BYOD model and the cloud technologies organisations also deploy. Implementing zero trust requires that BYOD devices are authenticated and authorised before connecting to your network, with secure access gateways deployed for cloud resources. However, organisations are often racing to adopt new technologies without considering the security behind them.
Many organisations are still shying away from zero trust - even though they understand it's important. Mostly it comes down to fear: fear of the unknown and fear of getting it wrong. It's understandable, but if we take Zero Trust back to what it's all about, you'll see there's no reason to shy away from Zero Trust anymore.
What is Zero Trust (really)?
Okay, we get it; you've heard about Zero Trust before. Almost everyone in the industry already knows about Zero Trust, what it is and why it's important. But, the problem is the message isn't getting through; too many companies are still avoiding implementing Zero Trust.
It is pretty simple: do not assume. And that's it.
Zero trust means having no assumptions at all:
- You do not assume the computer trying to connect to the network is one you can automatically trust.
- You do not assume the data coming into your network is correct.
- You need to verify this and be 100% certain that this data is required, allowed or correctly generated.
It means you only have to do one thing: protect, and no longer trust. It's a complete turnaround in thinking about your security.
Why do we need Zero Trust?
Zero Trust eliminates the trust in the perimeter as the secure edge of your network. Trusting the perimeter means that you assume that nothing "bad" will happen on the "inside". That is a very wrong assumption, leading to various kinds of attacks.
Many years back, the standard firewall configuration at first had two definitions: inside and outside. It assumed that everything inside was automatically trusted, and that's how things were done. There was no inspection done on the inside of the network, only on the outside.
A lot can be secured and protected inside the network, but granting outside access to inside applications is configured with trust and assumptions of "good" network access intentions. The modern way of providing access is a sequence of device profiling and verification. Communication is encrypted, and then the data coming from this device is "trusted" and forwarded to the internal network. But is it verified on all levels, without any MitM or device profile mimicking? Wouldn't it be a lot easier not to trust anything at all, and only accept the data that is needed for the process to operate? Enter Zero Trust.
Companies now need solutions that do not connect to the network and do not assume the user's identity. Users have to prove it, not with a password but with certificates.
These same credentials are then also used for encrypting the data. Whenever there is any interruption in this authentication and encryption process, the connection is dropped. This is the authentication part and, preferably, it doesn't enable network access. Instead, the user starts by opening an application, and this application forwards the data toward the endpoint. There is no network connectivity; only data goes back and forth, so only the relevant part of the data is there.
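As an added illustration of the approach described above (not code from G/On or from this article), the sketch below is a default-deny broker that forwards data to one application only when the presented certificate is authorised for that application and the payload holds exactly the fields the process needs. The policy, application name, field names and certificate bytes are hypothetical, and it assumes the TLS layer has already validated the certificate chain.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for DER-encoded client certificates (not real certs).
ALICE_CERT = b"constructed-cert-alice"
BOB_CERT = b"constructed-cert-bob"

# Hypothetical policy: access is granted per application, never per network.
POLICY = {
    "payroll": {
        "allowed_certs": {fingerprint(ALICE_CERT)},
        "fields": {"employee_id": int, "month": str},
    },
}


def authorise(cert_der: Optional[bytes], app: str, payload: dict) -> Tuple[bool, str]:
    """Default deny: every check must pass before any data is forwarded."""
    if cert_der is None:
        return False, "no client certificate presented"
    rule = POLICY.get(app)
    if rule is None:
        return False, "unknown application"
    presented = fingerprint(cert_der)
    if not any(hmac.compare_digest(presented, ok) for ok in rule["allowed_certs"]):
        return False, "certificate not authorised for this application"
    # Accept only the data the process needs: exact field set, exact types.
    if set(payload) != set(rule["fields"]):
        return False, "unexpected or missing fields"
    for name, expected in rule["fields"].items():
        if type(payload[name]) is not expected:
            return False, "field %s has the wrong type" % name
    return True, "forward to application endpoint"


if __name__ == "__main__":
    print(authorise(ALICE_CERT, "payroll", {"employee_id": 7, "month": "2024-01"}))
    print(authorise(BOB_CERT, "payroll", {"employee_id": 7, "month": "2024-01"}))
```
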
What's stopping you from implementing Zero Trust?
What is it that stops you from implementing Zero Trust? Is it a complexity thing? Is it a time thing?
The temptation is to delay because there's no immediate implication for not doing it today. Next week becomes next quarter, and you never quite get around to it. But then, before you know it, Zero Trust suddenly becomes a priority because you've been attacked, and your company wants answers about why they were left vulnerable.
The chances are, if you don't have a clear implementation plan, guidance on best practices or support through the process, it can feel like a massive project. IT people often try to do multiple projects, especially in smaller companies with limited resources; you have so many things on that it's very easy to delay internal projects - especially if nothing is visibly broken. However, educating yourself on the principles behind zero trust builds confidence.
Zero trust provides higher security from the endpoint right through to the application than traditional approaches. By constantly authenticating and authorising, it's possible to securely enable your mobile workforce, reduce data losses and improve productivity with streamlined access.
Uncover how you can confidently implement zero trust and download our free guide: How G/On provides a giant leap into the Zero Trust era.