SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Why zero trust is vital in a perimeter-less environment

Tue, 22nd Oct 2024

In a world where remote and hybrid working is now a permanent feature, the traditional approach to IT security has had to evolve.

Where previously it was sufficient to protect on-premises IT assets and data behind a firewall, this no longer works. With staff working from home and increasing use of cloud-based resources, another strategy is needed: Zero Trust.

Zero Trust is an evolving set of cybersecurity paradigms that shift defences from static, network-based perimeters to focus on users, assets and resources. It assumes that there is no implicit trust granted to assets or user accounts.

A Zero Trust strategy is based on three key principles. The first is explicit authentication: any device or account seeking access to resources should be authenticated using all available data points. These include user identity, location, device health, data classification and any anomalies that are detected.

The second principle is the concept of least privilege. This minimises user access to only the resources they require to complete their roles. This is achieved by making use of Just-in-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies and robust data protection.

The third is to assume that breaches will occur. This involves minimising the scope of a potential breach by preventing lateral movement through segmenting network access and ensuring all sessions are encrypted.

Outside-in versus inside-out
One way to understand Zero Trust is to compare how the strategy differs from more traditional security approaches.

In the past, the favoured design could be described as 'outside-in'. This meant that trust was assumed and access decisions were static. If someone had been granted access to a resource, that access remained in place until it was revoked.

While identity and access management were basic components of the model, they tended to be more reactive and manual by design.

With a Zero Trust strategy, an 'inside-out' design is used. Access authorisation is explicit, with decisions made in real time. Identity and access management are fundamental to the Zero Trust model, and automation and proactive monitoring are critical.
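
The three principles above and the 'inside-out' decision model can be shown as a small policy decision point. This is an added illustration, not code from the article or from any vendor's product; the signal names follow the article's list, while the risk weights, thresholds and the 30-minute just-in-time grant are assumed values chosen for the example. Each request is evaluated explicitly, higher-risk requests are stepped up to MFA or denied, and a grant expires on its own instead of persisting until revoked.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed request context. The signal names follow the article's list:
# identity (user, MFA), location, device health, data classification, anomalies.
@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool
    device_compliant: bool        # patched, encrypted, managed (assumed checks)
    location_known: bool          # a location previously seen for this user
    anomaly_score: float          # 0.0 (normal) .. 1.0 (highly anomalous)
    resource_classification: str  # "public" | "internal" | "confidential"

@dataclass
class Decision:
    action: str                     # "allow" | "step_up" | "deny"
    expires_at: Optional[datetime]  # JIT grant expiry; None unless allowed
    reason: str

# Hypothetical weights: more sensitive data raises the bar for access.
CLASS_WEIGHT = {"public": 0.0, "internal": 0.2, "confidential": 0.4}

def risk_score(req: AccessRequest) -> float:
    """Combine the available signals into a single risk value in [0, 1]."""
    score = req.anomaly_score + CLASS_WEIGHT[req.resource_classification]
    score += 0.3 if not req.device_compliant else 0.0
    score += 0.2 if not req.location_known else 0.0
    return min(score, 1.0)

def decide(req: AccessRequest, now: datetime, grant_minutes: int = 30) -> Decision:
    """Explicit per-request decision: nothing is trusted by default."""
    if req.resource_classification not in CLASS_WEIGHT:
        return Decision("deny", None, "unclassified resource")
    if req.resource_classification == "confidential" and not req.device_compliant:
        return Decision("deny", None, "non-compliant device on confidential data")
    risk = risk_score(req)
    if risk >= 0.8:
        return Decision("deny", None, f"risk {risk:.2f} above deny threshold")
    if risk >= 0.4 and not req.mfa_verified:
        return Decision("step_up", None, f"risk {risk:.2f} requires MFA")
    # Just-in-time grant: it lapses on its own instead of persisting until revoked.
    return Decision("allow", now + timedelta(minutes=grant_minutes), f"risk {risk:.2f}")

def grant_valid(decision: Decision, now: datetime) -> bool:
    """A grant is only good until it expires; the request must then be re-evaluated."""
    if decision.action != "allow" or decision.expires_at is None:
        return False
    return now < decision.expires_at
```

The contrast with the 'outside-in' model is in `grant_valid`: a grant that has expired is simply no longer valid, so no manual revocation step is needed.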

Drivers for adoption
The key factors driving the need for Zero Trust are the sophistication of today's threats and the ever-expanding attack surfaces that exist within most organisations. Where traditionally both endpoints and servers were located on premises and protected by firewalls, this is no longer the case.

With many staff now working remotely at least part of the time, the concept of a secure perimeter no longer holds. Assets and data need to be fully protected whether in the office, at home or at any other working location.

Protection also needs to be extended to a range of other devices and services. These include everything from cloud platforms and mobile devices to collaboration platforms and Internet of Things devices.
 
The challenge of adopting Zero Trust
While it promises significant security benefits, a Zero Trust strategy does come with some challenges. They include:

  • Effort: Zero Trust is not a set-and-forget activity but instead will require continuous work. An organisation must be prepared to allocate sufficient resources to ensure it is effectively deployed and maintained.
  • Balance and scope: A happy medium needs to be found between security and productivity. When planning the scope of a deployment project, it's also important to focus attention and effort on protecting the most critical assets first.
  • Completeness: The strategy needs to be as complete as possible; however, there also needs to be a plan to cover threats that are not addressed by a Zero Trust architecture. Particular attention should be given to older, legacy systems.
  • Cost: There needs to be a clear understanding of the costs associated with a Zero Trust strategy, and allocations need to be made to ensure sufficient ongoing management is maintained.

A multi-step approach
While a full Zero Trust architecture is being defined, there are several steps that can be taken now, many of which carry over into the final Zero Trust implementation. The first is taking full control of existing IT assets.

Critical systems need to be identified, and restricted access must be put in place as quickly as possible. This will also need to be done for assets used by remote workers and data stored on cloud platforms.

Another step is to implement a consistent patching process for all devices being used. Unpatched equipment can be an easy attack vector for cybercriminals, so applying patches as soon as they are released is the best approach.

Security teams should also introduce multi-factor authentication (MFA) everywhere that is possible to improve the security of all IT assets. MFA should be used in conjunction with a password manager to help staff avoid using simple or shared credentials.

Finally, it is important to increase overall security awareness among staff and educate them about how Zero Trust will make their organisation more secure. Regular training should be undertaken to ensure that the concept is well understood and that guidelines are being followed.

With the concept of a secure network perimeter growing less relevant by the day, the time to embrace the concept of Zero Trust is now. Properly deployed and managed, it can provide rigorous protection to assets and data regardless of their physical location.
