What is Zero Trust?
Also known as perimeterless security – Zero Trust is being adopted to combat ransomware and other malicious attacks. So what is it exactly?
Zero Trust is a security concept and strategy that says trust must be continually verified for any user or device operating within a network.
How it works
No user or device should be trusted simply because it has access to the network. This is different to traditional perimeter-based security.
So how are the two approaches different? And what are the benefits of a zero trust system?
Perimeter security explained
Think of perimeter security as a castle wall. Everyone inside the wall is considered a subject of the King of this castle and therefore deemed as trustworthy, loyal servants.
One night, one of the King’s subjects gets into the King’s chamber and attempts to murder him in his sleep. That person who was deemed trustworthy turns out to be an undercover assassin from a rival kingdom.
In the same way, individuals on a network can be foreign entities posing as someone trustworthy. Once inside they are then able to navigate the network freely leaving data and systems open to attack.
A zero trust approach solves this problem.
Zero trust explained
In a zero trust network, rather than only being verified to gain access to the network users must be continuously verified when taking any actions.
Using our example, we not only have guards at the main entrance of the castle verifying who gets access but also guards at all the entrances of every room of the castle. Each person must be checked and verified again whenever they move around.
Three core principles of zero trust
There are three core requirements for a network to be considered zero trust.
Never trust, always verify
Just because someone’s on your network – it doesn’t mean that that person is necessarily trustworthy. They should be checked and authorised.
Implement least privilege
Only grant users and applications the minimum access that they need and no more.
Use micro-segmentation to keep cyber-attacks contained at the source of the breach and avoid the attacker moving laterally to other parts of the network.
Secondly, have a well-rehearsed incident response plan so that your organisation is prepared to respond to a breach. In doing so, you will minimise down time and therefore loss of revenue.
Data security in a post-pandemic world
In today’s hybrid/remote working environment, employees need remote access to systems wherever they are located.
This means the perimeter security model which situates all data within a centralised location, protected by a firewall doesn’t really make sense as a working model.
In addition, working outside the parameter of the network brings with it new data security challenges that a zero trust system solves.
The future of zero trust
Since being coined by Forrester Research in 2010 zero trust security has been adopted by organisations around the world and is quickly turning into a new standard in security.
By 2023, Gartner predicts that 60% of enterprises will phase out most of their remote access VPNs in favour of zero trust network access.