Zero trust is a much-discussed concept in the cybersecurity industry. Over the past couple of years, almost every organization has jumped on the zero trust bandwagon in some capacity. So what is the concept of zero trust?
The Zero Trust Model
The basic idea of zero trust is that no matter what security measures or technologies you have in place, you must presume, from a security perspective, that the bad guys are on your network and have access to your data. Because bad actors are on your network, you can't trust anyone; you need to check what's going on from an access perspective.
The Five Steps
And that's what you need to do across five main categories. First, you need to test and validate the device that connects to your systems and data. Second, you must create a user-related contextual relationship. Third, you need to understand each application and authorize it. Fourth, you need to know the network to which the user is connecting. Is it safe? Is it open? Finally, and perhaps most critically, you need to be able to recognize risks and remedy them.
Because you need to be able to do all of the above in an ongoing and compliant way, zero trust is a journey, not a final destination. And while it could take many years to completely achieve zero trust, the COVID-19 crisis has greatly accelerated this journey for all organizations by pushing employees and IT infrastructures beyond any given perimeter of the network.
Employees these days use their mobile devices to connect from home to business services. What do you know about such home networks? What do you know about the devices your staff use? What do you know about those devices’ threat posture? What do you know about mobile apps that link your organization to various services and systems?
In this modern work-from-anywhere world, zero trust is more relevant than ever before. In a traditional office setting, employees could connect to a network under the organization's control. Now, of course, all of that is happening remotely. So in order to protect your infrastructure and data, what contextual relationship can you set up with your users?
The Three Approaches
There are three different ways of achieving zero trust. The first is the identity-centric approach, which is also very password-centric. The second is the old network approach, which funnels everything back through a network gateway. However, this technique is not comprehensive, since a significant portion of corporate data does not move through the corporate network. And then there's the mobile-centric approach, which is by far the best way to protect the new Everywhere Enterprise, where workers, IT infrastructure, and consumers are everywhere, and access to everything is provided by mobile devices. A mobile-centric approach to zero trust protection helps organizations create trust beginning with the user's smartphone.
To achieve zero trust across the five main categories described earlier, organizations must first seamlessly onboard and provision devices in a single endpoint management platform. Next, companies need to make sure that all devices are protected and equipped with policies that comply with their requirements for information security. In addition, companies need to allow safe on-site and cloud application connectivity. They will need safe conditional access, so that access to business resources is only allowed to registered and compliant users, devices, and applications. For secure user authentication, organizations may enable password-less Multi-Factor Authentication.
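As an added illustration that is not part of the original article or any vendor's product, here is how a conditional access decision could combine the five categories (device, user, application, network, threat) and be re-run on every request. The field names, network labels and MFA age limits are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy thresholds (assumptions, not from the article):
# how many minutes a previous MFA check stays valid per network type.
MFA_MAX_AGE_MIN = {"managed": 480, "home": 240, "open": 15}

@dataclass(frozen=True)
class AccessRequest:
    device_enrolled: bool        # device: onboarded in endpoint management
    device_compliant: bool       # device: meets the security policy
    user_registered: bool        # user: known, registered identity
    mfa_age_min: Optional[int]   # user: minutes since last MFA, None = never
    app_authorized: bool         # application: approved for this resource
    network: str                 # network: "managed", "home" or "open"
    threat_detected: bool        # threat: active detection on the device

def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up" | "deny", reasons); nothing is trusted by default."""
    reasons = []
    if not req.device_enrolled:
        reasons.append("device not enrolled")
    elif not req.device_compliant:
        reasons.append("device not compliant")
    if not req.user_registered:
        reasons.append("user not registered")
    if not req.app_authorized:
        reasons.append("application not authorized")
    if req.threat_detected:
        reasons.append("threat detected, remediate first")
    if req.network not in MFA_MAX_AGE_MIN:
        reasons.append("unknown network type")
    if reasons:
        return "deny", reasons
    # The network never grants access by itself; a riskier network only
    # shortens how long an earlier MFA check is accepted.
    max_age = MFA_MAX_AGE_MIN[req.network]
    if req.mfa_age_min is None or req.mfa_age_min > max_age:
        return "step_up", [f"MFA required within {max_age} min on {req.network} network"]
    return "allow", []

# Constructed sample: compliant phone on home Wi-Fi, MFA 30 minutes ago.
SAMPLE = AccessRequest(True, True, True, 30, True, "home", False)

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Because the function is evaluated per request rather than once at login, the same session moves from allow to step-up or deny as soon as the network changes or a threat is detected.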