What is Zero Trust?
Zero Trust is a network security model that removes implicit trust: no user, device or connection is trusted automatically.
What I like about this approach is that Zero Trust means applying the same checks whether it’s an internal or external connection. Each new connection is verified before any data is shared or access is granted, better protecting information and controlling specific access to known people.
It is quite usual for networks to have at least one firewall to separate the internal network traffic from the Internet. The traditional assumption was that all internal connections could be trusted and the bad stuff only happened outside of the network. However, the risks have changed and it is time to change this approach to security.
So if now is the time to change to Zero Trust, you may be wondering what has changed.
The primary reason for changing is the significantly increased reliance on external Internet services. Users have always been a weak point in the security model, and malicious software techniques are now so widespread that they can defeat any amount of ‘security awareness training’. It is no longer sufficient to expect users to detect and respond quickly enough to hacking events, because unlike computers, humans are forgetful, become tired and are comparatively very slow to respond.
The fact that some of the most successful data breaches have been the result of unauthorised access and not a firewall breach should be ringing alarm bells. Unauthorised access from within the network demonstrates that too many systems provide implicit trust and are poorly protected.
If you can accept that protecting users and internal assets is as important as protecting the perimeter, you should consider moving towards the Zero Trust model.
We can help. If you’d like an assessment of your network in preparation for moving to a Zero Trust model, please feel welcome to contact us.
‘If you want to reduce risk, Zero Trust is the best model available’
Changing to a Zero Trust environment means changing from a culture of presuming internal assets are safe to requiring all connections to be verified.
Access to the internal network should not be sufficient to access internal data.
If you’re not sure about Zero Trust security, here’s a quick thought experiment.
A Thought Experiment
Recall a recent document that you have collaborated on with someone, something like a spreadsheet or similar document.
- Think about how you exchanged the file, perhaps it was via a shared folder on the server, or via a cloud space, or as an email attachment, or a link.
- Assuming you checked the other party was genuine, what was your verification process?
Before moving on, keep the sharing process and the verification method in mind.
Tip 1: Assume your contacts have had their systems breached.
Was this ‘Verify and Trust’?
With the sharing process and perhaps a verification method in mind from the first step, let’s work out whether this relied on the ‘Verify and Trust’ model.
When a file is within a shared folder on the server or in the cloud, ask yourself who else has access to this area. Verify and Trust relies on a previously established trust in the storage area.
Perhaps the document was shared as an email, link, or as an attachment. Did you open it safely in the knowledge you have always trusted the other party? Could they have been compromised? Verify and Trust assumes the other person is known and their system is still protected.
The ‘Verify and Trust’ model relies on an occasional event, usually a one-time check, to establish trust, and this is the weakness that is exploited.
Tip 2: The ‘Verify and Trust’ model is easily defeated.
Interested in Zero Trust?
With the sharing process and some verification questions in mind from the first two steps, let’s work out what would need to change to move to a ‘Zero Trust’ model.
Start by disregarding all security promises.
- An encrypted storage area must be established, with explicit privileges and monitoring.
- Users (internal & external) must verify their identity using Multi Factor Authentication.
- System privileges must be minimised, and administrator logins must be reported.
- All computers must have monitored and active malware protection software.
The ‘Zero Trust’ model establishes a baseline which is proven every time access is requested.
Tip 3: The ‘Zero Trust’ model establishes a baseline which is checked every time.
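To make the contrast concrete, here is an added example (not code from the original article or from Sytec) that evaluates the same constructed access requests under both models. The perimeter model asks only whether the source is inside the firewall; the Zero Trust model re-checks the baseline above (MFA, active malware protection, explicit privilege, reported administrator logins) on every request. The network range, usernames and resource names are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: the range a perimeter firewall would treat as "inside".
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    resource: str                    # e.g. "finance-share:read"
    privileges: frozenset            # explicit grants held by this identity
    mfa_verified: bool               # MFA completed for *this* session
    malware_protection_active: bool  # endpoint reports active, monitored protection
    is_admin: bool = False


def verify_and_trust(req: AccessRequest) -> bool:
    """Perimeter model: one check (are you inside?), everything else is implied."""
    return ip_address(req.source_ip) in INTERNAL_NET


def zero_trust(req: AccessRequest, audit_log: list) -> tuple:
    """Zero Trust model: the same baseline is proven on every request,
    regardless of where the connection comes from. Returns (allowed, failed_checks)."""
    failed = []
    if not req.mfa_verified:
        failed.append("mfa-required")
    if not req.malware_protection_active:
        failed.append("endpoint-unprotected")
    if req.resource not in req.privileges:
        failed.append("no-explicit-privilege")
    if req.is_admin:  # administrator logins are always reported, allowed or not
        audit_log.append(f"admin-login user={req.user} src={req.source_ip}")
    allowed = not failed
    audit_log.append(f"{'ALLOW' if allowed else 'DENY'} user={req.user} "
                     f"resource={req.resource} failed={failed}")
    return allowed, failed


# Constructed samples: a compromised internal workstation and a verified external admin.
COMPROMISED_INTERNAL = AccessRequest("alice", "10.20.0.15", "finance-share:read",
                                     frozenset(), mfa_verified=False,
                                     malware_protection_active=False)
VERIFIED_EXTERNAL = AccessRequest("bob", "203.0.113.9", "finance-share:read",
                                  frozenset({"finance-share:read"}), mfa_verified=True,
                                  malware_protection_active=True, is_admin=True)

if __name__ == "__main__":
    log = []
    for req in (COMPROMISED_INTERNAL, VERIFIED_EXTERNAL):
        print(req.user, "perimeter:", verify_and_trust(req),
              "zero-trust:", zero_trust(req, log)[0])
    print("\n".join(log))
```

Run as-is: the internal request is allowed by the perimeter model but denied on three counts by Zero Trust, while the verified external request is refused by the perimeter model yet allowed by Zero Trust with an admin-login audit entry.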
Moving Towards Zero Trust Security
Moving towards Zero Trust Security is a straightforward process. Our project approach provides task objectives which can be summarised as:
- Establish an encrypted storage area with monitoring.
- Define users, with clear privileges and Multi Factor Authentication rules.
- Introduce administrator privilege login reporting.
- Control and report software security updates.
- Monitor active malware protection software.
Zero Trust Summary
Zero Trust addresses internal network security and applies the same controls internally as externally.
When people share data, even if that’s only email, relying on a perimeter firewall for protection is no longer sufficient because the threats cannot be assumed to be external to the network.
The most prominent attacks have resulted in data being stolen or encrypted for ransom, and because the activity has been on the internal network, perimeter firewalls provide insufficient protection.
The problem is as much about IT culture: for example, most ‘IT experts’ are trained to implicitly trust their environments and believe the firewall is keeping their internal networks secure. It is the culture of trust that needs to be changed; start by assuming the network has already been compromised.
Sytec use a blend of skills to handle the management and security of systems, and we are good at this. If you would like us to get involved and assist you with moving to a Zero Trust system, review or conduct an audit, provide training, or perform a vulnerability scan, please get in touch.
Why choose to work with Sytec?
- We focus on reducing risk
- Our work and checks are separated, independent processes
- We consider compliance and security checks as the default
- You will know which engineer has access and when they took action
- You will have phone, email and face to face access to security certified engineers