The Zero Trust Security Model explained


Humans are lazy, we all are, it's been studied, documented and evidenced time and time again.

Zipf's Law, or the Principle of Least Effort (PLE), reveals itself in all our daily behaviours: if there's a faster, simpler way to accomplish a goal, that's the one we choose.

Of course, we never consider these shortcuts as “lazy”, we label it as being efficient, fast, productive. For most of us, adopting this approach in our daily lives does not carry much risk or consequence. In IT, adopting the principle of least effort can be an extinction event.

Most cyber security incidents derive from exploiting human behaviours, because humans subconsciously act to preserve energy and seek the path of least effort.

We click on the link because we hastily read the email, and it looked OK. We struggle to recall passwords, so we use the same one. Everywhere, for everything.

The Zero trust model: A safer approach to managing cyber security risk

So, how can we control the consequences of our Darwinian instincts? Don’t trust anybody or anything! Simply put, zero trust!

It sounds Orwellian, but Zero Trust is the principle of:

  • Authentication - you are who you say you are
  • Authorisation - checking you have permission to see or access a resource
  • Device health - making sure the device being used is authenticated and authorised

Zero trust emphasises the importance of refraining from trusting someone or something, device or service, just because of their location, whether they are in the office or on a network.

The Zero trust model suggests every user, every device, and every system should be untrusted until proven otherwise. We verify and we validate, continuously.


Three fundamental elements of the Zero Trust Model

There are three main points to think about with regard to users and their Access Devices.

  1. User to Device
  2. User to Service
  3. Device to Service

1. User to Device

A device must only be unlocked after the user has successfully authenticated against it using unique credentials. With desktops, notebooks, tablets, and phones, a password or PIN is the primary method for unlocking a device.

Facial recognition, fingerprints or other forms of biometrics, provide a more secure authentication method. It is recommended to use this level of authentication only to access the device and not for additional services available via the device.

Many devices have restrictions on unlocking, such as a 6-digit PIN, so it is essential to implement secondary authentication for services.


2. User to Service

When authenticating against a service, stronger controls should be implemented. Opt for stronger passwords that have a minimum of 12 characters. Read our password security best practice tips for more insights on creating secure passwords.

Besides passwords, additional security measures should be used to verify that the credentials being supplied are from the actual authorised user, not someone impersonating them, for example through a hacked or stolen password.

Multi-Factor Authentication (MFA) requires an additional verification step to be taken before access to a service is granted. With MFA a code is usually sent to a separate device that is in the requesting user's possession. This is typically a phone, but can be a separate email address or a hardware security key or dongle.


3. Device to Service

Device Health is the process that ensures the device itself is trustworthy. This process can be implicit and performed alongside user authentication. Trusted Platform Modules (TPMs) are hardware chips commonly installed in most devices. Even with a TPM, it's important for companies to ensure that the device being used has up-to-date cyber security patches and anti-malware protection.


Three further considerations for enhancing cyber security under the Zero Trust model

Managerial and system controls

Mistrust and scepticism should extend beyond user credentials to other variables. A full knowledge of your architecture, your users, your devices, your services, and your data locations is essential to establish a robust Zero Trust environment.

1. Asset Management for work devices

Asset Management enables you to track where your devices are, whether at home, in the office, at a warehouse, in a store cupboard, in maintenance, or gathering dust under someone's desk, and to monitor each device's health and lifecycle status.


2. Policies and procedures to govern data access

Policies and Procedures should be in place to control authorisation and access to services. Policies are the foundational element of zero trust. Many security solutions provide controls based on access location, time and device. For example, if your staff all work from 9-5 in the UK, on Windows 11 machines, you can block any access that does not meet these criteria.

Continual monitoring of user behaviours, device health and service access requests helps establish "normal" behaviour patterns. Behaviours outside of this bell curve should be investigated.
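The access decision described above, combining the three elements (user to device, user to service, device to service) with the location, time and device policy from the example, as an added illustration that is not part of the original article. The request fields, the constructed sample requests and the assumption that request times are already in UK local time are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Policy values from the article's example: UK staff, working 9-5, on Windows 11.
ALLOWED_COUNTRY = "GB"
ALLOWED_OS = "Windows 11"
WORK_START, WORK_END = time(9, 0), time(17, 0)


@dataclass
class AccessRequest:
    # Hypothetical fields an identity provider and device agent might report.
    user_authenticated: bool    # user to device: unlocked with their own credentials
    mfa_verified: bool          # user to service: second factor completed
    device_patched: bool        # device to service: security patches current
    antimalware_current: bool   # device to service: anti-malware up to date
    device_os: str
    country: str                # assumed ISO 3166 code from source-IP geolocation
    requested_at: datetime      # naive, assumed to already be UK local time


def evaluate(req: AccessRequest) -> list[str]:
    """Return the list of failed checks; an empty list means access is allowed.
    Every check must pass: nothing is trusted by default, so a single failure denies."""
    failures = []
    if not req.user_authenticated:
        failures.append("user not authenticated to device")
    if not req.mfa_verified:
        failures.append("MFA not completed")
    if req.device_os != ALLOWED_OS:
        failures.append(f"device OS {req.device_os!r} is not {ALLOWED_OS!r}")
    if not req.device_patched:
        failures.append("device missing security patches")
    if not req.antimalware_current:
        failures.append("anti-malware protection out of date")
    if req.country != ALLOWED_COUNTRY:
        failures.append(f"request from {req.country}, outside {ALLOWED_COUNTRY}")
    t = req.requested_at
    if t.weekday() >= 5 or not (WORK_START <= t.time() <= WORK_END):
        failures.append(f"request at {t:%a %H:%M} is outside working hours")
    return failures


# Constructed sample requests, not real data: a Tuesday morning in the UK on a
# healthy Windows 11 device, and a Saturday night request from abroad without MFA.
SAMPLE_OK = AccessRequest(True, True, True, True, "Windows 11", "GB", datetime(2024, 3, 12, 10, 30))
SAMPLE_BAD = AccessRequest(True, False, True, True, "macOS 14", "US", datetime(2024, 3, 16, 22, 5))

if __name__ == "__main__":
    for req in (SAMPLE_OK, SAMPLE_BAD):
        failed = evaluate(req)
        print("deny" if failed else "allow", failed)
```

Each failed check is reported rather than just the first, which is what a reviewer investigating an anomalous request wants to see in the log.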


3. The single biggest risk to your cyber security

And, most importantly, people are the single biggest risk to your organisation. They don't mean to be; it's not egregious, nefarious or deliberate, it's Zipf's Law at work, and they're usually not aware of it until it's too late. All it takes is one person being under pressure, distracted, or simply not having had enough coffee. People are ultimately your biggest cyber security risk.

Training continuously on cyber security measures individuals can take in their daily behaviours and work habits can protect your organisation from those “commodity” attacks that form the basis of most successful cyber security breaches.

Train your people, have robust policies, and don’t trust any user, or device, or service, until it has been authenticated and validated.

