
In the past, security professionals relied on traditional perimeter security such as firewalls to prevent unwanted access to their data.

Today, traditional perimeter security is irrelevant due to the adoption of cloud-first strategies and flexible working approaches, which have blurred the line regarding where that perimeter exists.

The pandemic and cloud-first technologies have expedited this move to an extended perimeter, which has driven cyber security professionals to prioritise a zero-trust strategy for many organisations.  

So the question is: what is this perimeter?  

In this blog, we will cover some of the bases of Zero-Trust, such as:     

  • The Pillars of a Zero-Trust strategy.  
  • Getting started with Zero-Trust. 
  • The Zero-Trust maturity curve.  
  • The evolution of Zero-Trust between March 2020 and April 2021.  
  • The challenges of Zero-Trust and how to automate the challenges. 

Zero-Trust is a Process, not a Solution  

Zero-trust is a security framework requiring all users to be authenticated, authorised, and continuously validated. This means that a collection of cyber security processes works alongside or is built on a foundation of strong IT capabilities.  

Zero Trust assumes no traditional network edge, which means that it addresses the modern challenges of today’s business. Some examples of IT capabilities building the foundations for Zero Trust are identity management, authentication, and asset management.  

Simply put, Zero-Trust is a security concept based on the premise that organisations should not trust anything inside or outside their perimeters and should instead check anything attempting to connect to their systems before providing access. 

Zero-Trust Security Model     

Before implementing a Zero-Trust strategy for your organisation, you must know the steps to get started. These steps prepare your organisation for this long journey toward a Zero-Trust model.  

Below are five steps every organisation should take when building a Zero-Trust strategy to improve its security posture:  

Setting Goals 

 Organisations must ensure a clear set of defined goals.  

According to NIST 800-207, the fundamental goal of a Zero-Trust strategy is to prevent unauthorised access to data or services and to make access control as granular as possible.

The first goal is common sense; however, an organisation must shrink ‘implicit trust zones’ to achieve the second goal.  

Identify what must be Protected 

To do this, identifying the core areas of Zero-Trust is necessary. CisoMag suggests that these are:     

However, it is also essential to identify your organisation’s data and entry points. Organisations must clearly outline access points before assessing an organisation’s Zero-Trust readiness or outlining their strategy.  

Assess Zero-Trust Readiness     

Finding where your organisation sits on the Zero-Trust maturity curve is essential to evaluating the maturity levels of the network, endpoints, data, and user identity.  

The best way to do this is by taking this Zero-Trust assessment.

Build Architecture Policies and Limit Access     

By building architecture policies and limiting access, your organisation structures its network devices and services to enable a Zero-Trust security model. These design principles create a framework for a Zero-Trust strategy.

Some of the main principles which organisations should use are:     

  • Default access controls are set to ‘deny’.  
  • Preventative techniques are in place to authenticate all users and devices.  
  • Real-time monitoring and controls work to identify malicious activity and threats to your organisation.  
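The three principles above, sketched as a minimal policy decision function (an added example, not code from the original post; the users, devices, resources, rule set and denial threshold are constructed for illustration):

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    user_authenticated: bool    # e.g. SSO session with MFA completed
    device_id: str
    device_authenticated: bool  # e.g. valid device certificate presented
    resource: str
    action: str

# Constructed sample data: explicit allow rules and a managed-device inventory.
ALLOW_RULES = {
    ("alice", "payroll-db", "read"),
    ("bob", "wiki", "read"),
    ("bob", "wiki", "write"),
}
MANAGED_DEVICES = {"laptop-0042", "laptop-0077"}

def decide(req, log):
    """Evaluate one request; every outcome is appended to `log`."""
    decision, reason = "deny", "no matching allow rule"  # principle 1: default deny
    if not req.user_authenticated:                       # principle 2: users...
        reason = "user not authenticated"
    elif req.device_id not in MANAGED_DEVICES or not req.device_authenticated:
        reason = "device not authenticated"              # ...and devices
    elif (req.user, req.resource, req.action) in ALLOW_RULES:
        decision, reason = "allow", "explicit allow rule"
    log.append({"user": req.user, "device": req.device_id,
                "resource": req.resource, "decision": decision, "reason": reason})
    return decision, reason

def repeated_denials(log, threshold=3):
    """Principle 3 (monitoring): users with at least `threshold` denials."""
    counts = Counter(e["user"] for e in log if e["decision"] == "deny")
    return sorted(user for user, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    log = []
    print(decide(Request("alice", True, "laptop-0042", True, "payroll-db", "read"), log))
    for target in ("wiki", "hr-share", "payroll-db"):
        print(decide(Request("carol", True, "laptop-0077", True, target, "read"), log))
    print(repeated_denials(log))
```

An authenticated user on a managed device is still denied unless a rule names that exact user, resource and action, and the same log that records each decision feeds the monitoring check.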

Maintenance     

As with many security strategies, maintaining what is inherited is necessary. Maintenance helps your organisation maximise its security and continuously monitor its environments to protect them from malicious attacks and other cyber threats.

The Zero-Trust Maturity Curve     

Adopting a Zero-Trust security model is a lengthy process with several stages. Where you sit on the maturity curve can help you understand which step is next on your journey.  

Fragmented Identity:     

  • Active Directory on-premises.  
  • No cloud integration.  
  • Passwords everywhere.  

Unified IAM:     

  • Single sign-on across employees, contractors, and partners.  
  • Modern multi-factor authentication.  
  • Unified policies across apps and servers.  

Contextual Access:     

  • Context-based access policies.  
  • Multiple factors are deployed across user groups.  
  • Automated provisioning for leavers.  
  • Secure access to APIs.  

Adaptive Workforce:     

  • Risk-based access policies.  
  • Continuous and adaptive authentication and authorisation.  
  • Frictionless access. 

What we have seen between March 2020 and April 2021     

Undoubtedly, the pandemic and a new way of remote working have pushed the idea of a Zero-Trust strategy forward. A remote workspace has resulted in a massive tactical shift and a more strategic approach to investing in recent technologies.  

Okta’s whitepaper ‘The State of Zero Trust Security 2021’, published in June 2021, suggests that:

“More than three-quarters (78%) of companies around the world say that zero trust has increased in priority, and nearly 90% are currently working on a Zero-Trust initiative (up from just 41% a year ago).”     

As a result, the prioritisation of Zero-Trust has increased throughout the past 18 months.  

Challenges of a Zero Trust Strategy     

Zero-Trust is a lengthy technology and security awareness process that creates a comprehensive strategy for an organisation’s accessibility. However, with a comprehensive approach come many challenges.  

Passwords vs Passwordless   

One of the fundamental issues is what to do with passwords.

Because of the security concerns surrounding passwords kept on post-it notes, many organisations face time-consuming helpdesk requests for password resets and perimeter issues. This manual way of keeping passwords has become more problematic as perimeters grow increasingly dispersed with remote workers.

However, organisations can remove the post-it note problem by utilising a passwordless approach. Doing so can remove an attack vector, helping to take one step toward a more robust strategy.

There are many benefits to a passwordless approach, such as using more secure access methods like biometrics. Using biometrics helps secure the perimeter, removes ‘password fatigue’ from the employees in an organisation, and simplifies the user experience.

Cloud-Based Technology     

Undoubtedly, cloud-based technology is frequently used due to a remote workforce and an increasingly modern working method.  

However, this new type of technology comes with a new security problem. Cloud-based technologies have created a new access point, meaning organisations must know who has permission to access this unique area.  

Utilising awareness and identity technologies can be one way of doing this.

Adopt a Zero-Trust strategy with Sapphire

Adopting a zero-trust strategy can help organisations resolve many more problems. Get in touch for guidance on any issues your organisation faces.  
