In the past, security professionals relied on traditional perimeter security such as firewalls to prevent unwanted access to their data.
Today, traditional perimeter security is irrelevant due to the adoption of cloud-first strategies and flexible working approaches, which have blurred the line regarding where that perimeter exists.
The pandemic and cloud-first technologies have expedited this move to an extended perimeter, which has driven cyber security professionals to prioritise a zero-trust strategy for many organisations.
So the question is: what is this perimeter?
In this blog, we will cover some of the basics of Zero-Trust, such as:
- The Pillars of a Zero-Trust strategy.
- Getting started with Zero-Trust.
- The Zero-Trust maturity curve.
- The evolution of Zero-Trust between March 2020 and April 2021.
- The challenges of Zero-Trust and how to automate the challenges.
Zero-Trust is a Process, not a Solution
Zero-trust is a security framework requiring all users to be authenticated, authorised, and continuously validated. This means that a collection of cyber security processes works alongside or is built on a foundation of strong IT capabilities.
Zero Trust assumes no traditional network edge, which means that it addresses the modern challenges of today’s business. Some examples of IT capabilities building the foundations for Zero Trust are identity management, authentication, and asset management.
Simply put, Zero-Trust is a security concept based on the premise that organisations should not trust anything inside or outside their perimeters and should instead check anything attempting to connect to their systems before providing access.
Zero-Trust Security Model
Before implementing a Zero-Trust strategy for your organisation, you must know the steps to get started. These steps prepare your organisation for this long journey toward a Zero-Trust model.
Below are five steps every organisation should take when building a Zero-Trust strategy to improve its security posture:
Setting Goals
Organisations must ensure a clear set of defined goals.
The first goal is common sense; however, an organisation must shrink ‘implicit trust zones’ to achieve the second goal.
Identify what must be Protected
To do this, identifying the core areas of Zero-Trust is necessary. CisoMag suggests that these are:
- Enterprise identities and devices.
- Enterprise Resources.
- Trust Verification Systems (Policy Decision Points (PDP), Policy Enforcement Points (PEP) and policy engine).
However, it is also essential to identify your organisation’s data and entry points. Organisations must clearly outline access points before assessing an organisation’s Zero-Trust readiness or outlining their strategy.
Assess Zero-Trust Readiness
Finding where your organisation sits on the Zero-Trust maturity curve is essential to evaluating the maturity levels of the network, endpoints, data, and user identity.
The best way to do this is by taking this Zero-Trust assessment.
Build Architecture Policies and Limit Access
By building architecture policies and limiting access, your organisation structures its network devices and services to enable a Zero-Trust security model. These design principles create a framework for a Zero-Trust strategy.
Some of the main principles which organisations should use are:
- Default access controls are set to ‘deny’.
- Preventative techniques are in place to authenticate all users and devices.
- Real-time monitoring and controls work to identify malicious activity and threats to your organisation.
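As an added illustration (not code from this blog or from any product), the three principles above can be sketched as a small policy decision function: every request is denied unless the user and device are verified and an explicit allow rule matches, and every decision is logged so repeated denials can be reviewed. The rule set, field names and review threshold are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_verified: bool      # user authenticated with a second factor
    device_managed: bool    # device is enrolled and verified
    resource: str
    action: str

# Constructed allow rules: (resource, action, group). Nothing else is permitted.
ALLOW_RULES = {
    ("payroll-db", "read", "finance"),
    ("wiki", "read", "staff"),
    ("wiki", "write", "staff"),
}

AUDIT_LOG = []  # every decision is recorded so it can be monitored

def decide(req, rules=ALLOW_RULES, log=AUDIT_LOG):
    """Policy decision: return (allowed, reason); the default outcome is deny."""
    if not req.mfa_verified:
        result = (False, "user not authenticated")
    elif not req.device_managed:
        result = (False, "device not verified")
    elif any((req.resource, req.action, g) in rules for g in req.groups):
        result = (True, "matched allow rule")
    else:
        result = (False, "default deny")
    log.append((req.user, req.resource, req.action, *result))
    return result

def users_to_review(log=AUDIT_LOG, threshold=2):
    """Monitoring: users whose denied requests reach the threshold."""
    denials = Counter(entry[0] for entry in log if not entry[3])
    return sorted(u for u, n in denials.items() if n >= threshold)

if __name__ == "__main__":
    staff = frozenset({"staff"})
    print(decide(Request("bob", staff, True, True, "wiki", "read")))
    print(decide(Request("bob", staff, True, True, "payroll-db", "read")))
    print(decide(Request("bob", staff, True, False, "wiki", "write")))
    print(users_to_review())
```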
Maintenance
As with many security strategies, maintaining what is inherited is necessary. Maintenance helps your organisation maximize its security and continuously monitor environments to protect it from malicious attacks and other cyber threats.
The Zero-Trust Maturity Curve
Adopting a Zero-Trust security model is a lengthy process with several stages. Where you sit on the maturity curve can help you understand which step is next on your journey.
Fragmented Identity:
- Active Directory on-premises.
- No cloud integration.
- Passwords everywhere.
Unified IAM:
- Single sign-on across employees, contractors, and partners.
- Modern multi-factor authentication.
- Unified policies across apps and servers.
Contextual Access:
- Context-based access policies.
- Multiple factors are deployed across user groups.
- Automated provisioning for leavers.
- Secure access to APIs.
Adaptive Workforce:
- Risk-based access policies.
- Continuous and adaptive authentication and authorisation.
- Frictionless access.
What we have seen between March 2020 and April 2021
Undoubtedly, the pandemic and a new way of remote working have pushed the idea of a Zero-Trust strategy forward. A remote workspace has resulted in a massive tactical shift and a more strategic approach to investing in recent technologies.
Okta’s Whitepaper ‘The State of Zero Trust Security 2021’, published June 2021, suggests that:
As a result, the prioritisation of Zero-Trust has increased throughout the past 18 months.
Challenges of a Zero Trust Strategy
Zero-Trust is a lengthy technology and security awareness process that creates a comprehensive strategy for an organisation’s accessibility. However, with a comprehensive approach come many challenges.
Passwords vs Passwordless
One of the fundamental issues is what to do with passwords.
Due to security concerns surrounding post-it note password keeping, many organisations have time-consuming helpdesk requests for password resets and perimeter issues. This manual way of keeping passwords has become increasingly problematic due to increasingly dispersed perimeters with remote workers.
However, organisations remove the post-it note problem by utilising a passwordless approach. Doing so can remove an attack vector, helping to take one step toward a more robust strategy.
There are many benefits to a passwordless approach, including more secure access methods such as biometrics. Using biometrics helps secure the perimeter, removes ‘password fatigue’ from the employees in an organisation, and simplifies the user experience.
Cloud-Based Technology
Undoubtedly, cloud-based technology is frequently used due to a remote workforce and an increasingly modern working method.
However, this new type of technology comes with a new security problem. Cloud-based technologies have created a new access point, meaning organisations must know who has permission to access this unique area.
Utilising awareness and identity technologies can be one way of doing this.
Adopt a Zero-Trust strategy with Sapphire
Adopting a zero-trust strategy can help organisations resolve many more problems. Get in touch for guidance on any issues your organisation faces.