You may have heard the term ‘zero trust’ used more frequently in the security world these days. What exactly does it mean, and what practical steps can a mid-sized enterprise take?
Zero Trust has evolved from a general trend in the IT landscape over the last decade or so. There was once a time when all organisational IT assets sat within what could be called the ‘perimeter’: your organisation would have IT assets in its offices and in the data centre, which contained the servers running applications. This created a fairly simple security demarcation: everything outside your network was insecure, while everything within the network was secure. The border between secure and insecure was filled with firewalls, proxies, etc., and security was largely about making this wall between the insecure and the secure as strong as possible.
The adoption of cloud over the last decade has flipped this security model. Whereas previously 80% of traffic was internal to the corporate network and 20% external, it is now common for this to be reversed: with the adoption of SaaS and cloud platforms, 80% of corporate traffic is directed away from the corporate network and over the internet, and only 20% goes to corporate-managed data centres.
Adding to this is the newly mobile workforce, who may be working from home and also via publicly available Wi-Fi. While VPN solutions may protect traffic from this type of worker to on-premises destinations, what of traffic between this type of worker and tools such as O365 and G-Suite, which passes over the internet only? How can this be protected?
The core tenet of zero trust is that security should be verified at all times rather than relying on user or resource location. While there are many solutions within the zero trust landscape, the following are common building blocks which can be used by medium and large enterprises alike:
- Use multi-factor authentication, regardless of the location of the user or whether the resource is internal or external to the corporate network.
- Use managed devices as an input into application authentication. Rules can be created to allow access to applications only from trusted, corporate-managed devices.
At CISOaaS we have assisted many organisations in reframing their security posture to move towards zero trust principles. If you are interested, please contact us for an obligation-free consultation session.