Zero Trust, or the Zero Trust network, is a model that, although created in 2010 by John Kindervag, has seen a boom in recent years. Top industry leaders and executives are increasingly implementing Zero Trust to protect enterprise systems from continuous data breaches. Zero Trust is cited as the ideal framework for cyber security solutions. With a Zero Trust Architecture in place, a model for effective security is sorted!
So why the fear of security? Cyber threats and data breaches have reached an all-time high – hackers have become sophisticated, making it difficult for security professionals to deal with them. A cyber threat refers to an unethical attack on a network to gain unauthorized access, damage or disrupt information, or steal intellectual property or other sensitive data.
Is it necessary to protect against cyber security threats and risks? A recent study has found that the average size of a data breach increased by 1.8%, costing an average of about $3.92 million. With increased connectivity and cloud systems on the rise, there are many more cyber attacks than in the past. Coupled with this are the business decisions taken by business leaders that make their data more prone to attack, thereby creating a huge identity crisis. With increased data on the cloud comes the risk of high exposure. It is, therefore, very important to protect data! When it comes to fighting cyber threats and preventing breaches of sensitive data, Zero Trust Architecture is considered to be the best approach.
So what is Zero Trust? As the name suggests, it is no trust – Completely Zero Trust! Zero Trust is basically the concept of verifying before trusting – not everyone is given access. No one and nothing, inside or outside the perimeter of the network, is given access by default; everything must be verified before connecting to the system. The framework within which this works is the Zero Trust Architecture (ZTA).
With the increased risk, how effective or safe is the ZTA? To understand this, it is necessary to understand the Zero Trust approach. Zero Trust works on two basic principles:
- Least privilege access, which indirectly works on multi-factor authentication (MFA) or at least two-factor authentication. It does not differentiate between an insider and an outsider trying to gain access. This is the best way to enforce security in the system and protect critical data.
- Micro segmentation – Break down the network into multiple zones, so that access to one zone does not entail access to the entire system. Specific access to individual zones ensures the overall safety of the perimeter without compromising security. Anyone seeking access will be validated to access only the part of the network they are authorized to work on.
While the base on which Zero Trust works is strong, how does one ensure that this framework is indeed safe and effective? Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Mass., agrees, saying “If you want to stop breaches, zero trust is the best way how.”
- Security for a connected world – The Zero Trust concept does not assume the authenticity of those inside the perimeter. Organizations defend their perimeters, but not the network within the perimeter. The age-old castle-and-moat approach is no longer working. One of the top reasons hackers are able to exploit data is that once they breach the perimeter, cruising through the internal network is not much of a task. Default connections and access are a key point of failure. What was internal for a long time is no longer within the company. Data storage on the cloud is very common today, which further intensifies the issue of breaches. Here is where the least privilege and micro segmentation of ZTA help grant minimal access to anyone, thereby providing a secure environment.
- Contextualize requests – Every request must go through multiple levels of authentication as per ZTA. However, the reason behind the request for access also plays a crucial role in granting the access. Continuous review and approval of such requests will help understand the intent behind each access required.
- Audit everything – A trail and record of all sessions allows you to audit all access requests, and can also be reviewed or used as evidence as and when required.
- Adaptive controls – Apart from all the above, the Zero Trust framework needs to be adaptive to risk. An access request from a risky location should be denied, or approved only after extra layers of authentication.
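
The principles above, combined into a single access decision, as an added example that is not part of the original article: a minimal policy check in Python. The grant table, risk labels, factor counts and decision strings are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: the only zones each identity may reach.
GRANTS = {"alice": {"hr-db"}, "build-bot": {"ci"}}
RISKY_LOCATIONS = {"unknown", "tor-exit"}  # hypothetical risk labels


@dataclass
class Request:
    user: str
    zone: str
    mfa_factors: int  # factors verified in this session
    location: str
    reason: str = ""  # stated purpose of the request


@dataclass
class PolicyEngine:
    audit_log: list = field(default_factory=list)

    def decide(self, req: Request) -> str:
        decision = self._evaluate(req)
        # Audit everything: record every decision, allowed or denied.
        self.audit_log.append((req.user, req.zone, req.location, decision))
        return decision

    def _evaluate(self, req: Request) -> str:
        # Least privilege + micro segmentation: default deny, and a grant
        # for one zone never implies access to another zone.
        if req.zone not in GRANTS.get(req.user, set()):
            return "deny:no-grant"
        # Verify before trusting: at least two factors, insider or outsider.
        if req.mfa_factors < 2:
            return "deny:mfa-required"
        # Contextualize requests: no stated reason, no approval.
        if not req.reason.strip():
            return "deny:no-reason"
        # Adaptive control: a risky location needs an extra factor.
        if req.location in RISKY_LOCATIONS and req.mfa_factors < 3:
            return "step-up:extra-factor"
        return "allow"


if __name__ == "__main__":
    engine = PolicyEngine()
    print(engine.decide(Request("alice", "hr-db", 2, "office", "payroll run")))
    print(engine.decide(Request("alice", "ci", 2, "office", "curious")))
    print(engine.decide(Request("alice", "hr-db", 2, "unknown", "payroll run")))
    print(engine.audit_log)
```

Every branch, including the denials, lands in `audit_log`, so the trail shows what was refused as well as what was granted.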
Developing Zero Trust security is not just about implementing the technologies or software involved in it. It is all about strategically deciding on the new way and cultivating it in each employee’s mind. It is not an overnight accomplishment, and old patterns have to transition smoothly into the new system. This might all seem like a lot of hard work, but the effort is worth it, and this should be the top priority to have a safe connected world! For any company using the traditional strategies to counter cyber crime, this is the right time to look into Zero Trust!