Zeroing in on zero trust’s role in today’s enterprise

It’s the buzz on everybody’s lips at the moment: zero trust. Over the past few months I’ve had more and more organisations come to me asking about zero trust security. One of the things I find myself telling people is that zero trust isn’t really something you buy, it’s more of a mindset.

A lot of security companies won’t like me saying this, but zero trust isn’t a single product or service you can simply pay for and then never have to think about again. Rather, it is a framework, a strategic approach to security that distrusts connections, devices and users by default.

That might not seem terribly welcoming, but it does make for a very effective security barrier to ward off bad actors. By adopting a ‘never trust, always verify’ mentality, organisations can implement effective security measures where even quite sophisticated perimeter security solutions might fail.

Broadly, the idea behind the zero trust model is that there are no trusted connections. Every connection must first go through a validation process. In addition, this approach establishes a foundation of strong authentication, authorisation and encryption.

There seems to be a lot of hype around zero trust. But it’s not some black box technology conjuring up an obscure science to defend against emerging threats. It’s actually a pretty straightforward solution to a lingering problem.

The traditional cyber security model is based around the idea that if someone works in an organisation they must be trustworthy. In practice this means that most organisational systems and apps are accessible. Security protection typically only kicks in if something goes wrong.

But with zero trust, you simply assume everyone is a bad actor, and then work your way up from there. At first glance, it might seem that there should be more to it than that. But it really is that simple. By adopting a different mindset that assumes everything is compromised and everyone is a bad actor, you can then begin to build appropriate mitigation strategies around that.

A lot of legacy security models that are in place are based on traditional business processes and network infrastructure. But the way we use applications has moved on from how we used to use them. For many organisations, especially after the hybrid work trend that swept through the business landscape in the wake of COVID-19, the internet has become the new corporate network. No longer are internal networks the backbone of a business’s digital footprint.

As the way we use applications has transformed over time, so the security strategy needs to change, too. With the internet increasingly playing the role of the corporate network, new challenges emerge. The internet was designed to be open. So, how do you need to treat that differently to a corporate network? By not trusting anyone on the network.

Making zero trust work

The principle may be simple, but to make the zero trust approach possible, there are some things an organisation will need to do first. To implement a zero trust strategy, siloed teams, processes and technologies need to connect and align.

At the same time, an organisation will want to have real-time intelligence to orchestrate security controls across distributed environments. By architecting security into the infrastructure, organisations can gain authoritative context of their environments through connected control points and reduce the attack surface without adding operational complexity.

While there are many components required to implement a zero trust approach, there are three important things to consider before attempting to implement a zero trust model. First, it’s essential to identify all the systems that are accessible from external networks, then list which users need access and what kind of access each user needs.

From there, it’s important to determine which systems within the network are accessible from external locations and assess what type of access each system might be used for outside the organisation. Finally, you’ll want to implement technology that prevents communications between untrusted users or devices and internal systems, except for specifically allowed communications.
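The three steps described above (inventory what is reachable from outside, record who needs which kind of access, then deny everything that is not explicitly allowed) can be sketched as a small default-deny policy evaluator. This is an added worked example, not code from the article or from any product it mentions; the system names, users and access rules are constructed samples, and the `authenticated` and `device_compliant` flags stand in for whatever identity and device-posture checks an organisation's own tooling performs.

```python
"""Default-deny access policy evaluator (illustrative, constructed data)."""
from dataclasses import dataclass

# Step 1: inventory of systems that are reachable from external networks.
# Constructed sample; a real inventory would come from scanning and asset records.
EXTERNALLY_REACHABLE = {"hr-portal", "git", "vpn-gateway"}

# Step 2: which users need access to which system, and what kind of access.
# Keyed (user, system) -> set of permitted actions. Constructed sample.
ACCESS_NEEDS = {
    ("alice", "hr-portal"): {"read"},
    ("alice", "git"): {"read", "write"},
    ("bob", "git"): {"read"},
}


@dataclass
class Request:
    """One connection attempt, as seen by the policy decision point."""
    user: str
    system: str
    action: str
    authenticated: bool        # identity verified for this session (hypothetical flag)
    device_compliant: bool     # device posture verified (hypothetical flag)
    from_external: bool = True # connection arrives from outside the corporate network


def evaluate(req: Request) -> tuple[bool, str]:
    """Step 3: never trust by default. Return (allowed, reason).

    Every check must pass and an explicit rule must match; anything else is denied.
    """
    if not req.authenticated:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device posture not verified"
    if req.from_external and req.system not in EXTERNALLY_REACHABLE:
        return False, f"{req.system} is not published to external networks"
    allowed_actions = ACCESS_NEEDS.get((req.user, req.system), set())
    if req.action not in allowed_actions:
        return False, f"no rule grants {req.user} '{req.action}' on {req.system}"
    return True, "explicitly allowed"


def unused_exposures() -> set[str]:
    """Systems published externally that no recorded access need refers to.

    These are attack surface with no business justification; the inventory in
    steps 1 and 2 is what makes them visible.
    """
    needed = {system for (_user, system) in ACCESS_NEEDS}
    return EXTERNALLY_REACHABLE - needed


if __name__ == "__main__":
    sample = [
        Request("alice", "git", "write", authenticated=True, device_compliant=True),
        Request("bob", "git", "write", authenticated=True, device_compliant=True),
        Request("alice", "payroll-db", "read", authenticated=True, device_compliant=True),
        Request("alice", "git", "read", authenticated=True, device_compliant=False),
    ]
    for r in sample:
        print(r.user, r.system, r.action, "->", evaluate(r))
    print("exposed but unused:", unused_exposures())
```

The point of the example is the shape of the decision, not the particular checks: a request that fails any verification, or that matches no explicit allow rule, is refused, and the same inventory that drives the rules also reveals exposed systems nobody actually needs.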

The sooner an organisation sorts these aspects out, the greater its mastery of the zero trust model will be. Those businesses that have invested in the zero trust approach early on seem to have a good grasp of it. This is useful, because it makes it easier and safer for companies to have non-corporate devices on their networks – a particularly important capability when large chunks of the workforce are still working largely from home.

Under the legacy security model, it was more common for workers to be restricted to using corporate devices on the company network. In this respect, getting zero trust right actually allows organisations to be a bit more open, rather than more restrictive. This is an interesting counterpoint to the usual narrative that security must become more restrictive as threats evolve.

VMware, for example, has implemented a zero trust model, and this lets me use my personal devices at home without any real restriction to what I can do. Every time I log on, the system makes sure I am who I claim to be. But beyond that, I have no small amount of freedom. Yet this approach also stands as a foolproof way to keep suspect actors out of the network.

Modelled for scale

The most useful feature of the zero trust model is perhaps that it is eminently scalable, making it just as effective for small- and medium-sized businesses (SMBs) as it is for large enterprises. This is because the threat profile of an SMB is often not all that different from the threat profile of a large corporation. It’s just the scale that’s different.

Where an SMB might have five applications to navigate, an enterprise might be juggling 500, or even 5000, different applications at any given time. At the same time, cyber threats don’t play favourites. Many exploits come at SMBs in precisely the same way that they target larger businesses. Indeed, quite a few attack vectors involve going through smaller businesses to get to larger ones. Moreover, the data and connections SMBs hold can be just as valuable as those held by enterprises.

Fortunately, implementing a zero trust model in a smaller business is just as achievable as making it work in a larger business. In fact, in some ways it is easier, because the smaller scale makes it more manageable. Due to this difference in scale, an SMB might need to think about its approach a little differently, but its risk profile may well be quite similar to that of a larger organisation, so the overall strategy could look quite similar.

The good news here is that this aspect of the zero trust approach means there are some easy wins for smaller businesses. If you’re only using a handful of business applications, see if you can simply move them into the cloud; this will enable easy implementation of cloud-delivered security solutions that can be used to enable a zero trust approach. Many SMBs already use cloud-based software, so adding such functionality should be a breeze.

A lot of software-as-a-service solutions in the cloud already come with identity access features that might not be turned on by default. Implementing a zero trust approach through application identity management might be as simple as turning on this functionality.

With such levers within easy reach, it should be a relatively short step for most organisations to begin implementing a zero trust model to reduce the opportunity for attack and the potential attack surface of an organisational network, irrespective of the number of employees. It’s just a matter of scale.

Philip Griffiths

Open source zero trust networking

1 year

"Broadly, the idea behind the zero trust model is that there are no trusted connections. Every connection must first go through a validation process. In addition, this approach establishes a foundation of strong authentication, authorisation and encryption." --> Agreed, this is the starting point; I would argue the logical finishing point is using a zero trust architecture that does authentication, authorisation and encryption BEFORE CONNECT, not after, which is the basis of most network approaches today. I wrote a blog on this and compared these different approaches using comparisons to Harry Potter last year - https://netfoundry.io/demystifying-the-magic-of-zero-trust-with-my-daughter-and-opensource/. This also needs to be built on zero trust, so that anyone and everything can have it built in by default, secure-by-design, rather than bolted on afterwards. This is what we do with OpenZiti - https://github.com/openziti.

Darren Reid

Globally experienced Leader | IT | Marketing | Professional Services | Business builder |

2 years

Great commentary Sean. The path to Zero Trust absolutely starts with the recognition that Security is a Team Sport! You need everyone in your business to think about the role they play in keeping your company, its data, and your customers safe from a cyber breach. We can secure the environment, endpoints, networks and so on, but if any member of staff clicks on a malicious link, has their credentials compromised, or inadvertently downloads a malware-laden attachment, then all the perimeter security you can buy won't save you. Recognising that even your administrators could be impersonated or fall victim to a credential breach means you need to be vigilant for "different" in your operating environment. Having an application make contact with another in an unusual way needs to be "different" enough to flag a concern in your technology monitoring tools. Even someone joining from a wifi hotspot or never-before-seen remote location should be enough to prevent them from accessing company-sensitive data; at least until we can absolutely confirm that they are who they purport to be and the path to the application is secure. And that is just for starters...
