Demystifying Zero Trust
What is Zero Trust?
The age of the corporate network and a single security perimeter is coming to an end. Users are increasingly working remotely, conducting their work over the public internet. The rise of Software-as-a-Service (SaaS) apps, cloud platforms, and other cloud-based services has eroded the efficacy of using the network as the primary element to secure a resource. We can no longer rely on a single, sealed-off corporate network and extend trust to all the systems that reside within it, as the boundaries between networks are now blurred.
Enter zero trust: a cybersecurity philosophy on how to think about security and how to do security. Zero trust is based upon the principle of “trust nothing, verify everything”. It focuses on protecting resources regardless of where they are physically or digitally, and on never trusting anything by default.
Everyone seems to be talking about zero trust these days, but often it’s only talk. There are very few businesses out there that have successfully deployed a zero trust architected network.
It’s no help that the topic is confusing, complex, and abstract, and the journey to a zero trust world is a big undertaking where the security benefits are hard to weigh. So what is it? Watch this short video from our partner at Sophos to clarify.
Zero trust is a philosophy
It is not a product or a solution. It’s not something you buy and install then sit back and relax. It’s not a feature you enable. It is not a single tool or technology. It’s not made by a single vendor. It is a philosophy for how to think about cybersecurity and a model for how to do cybersecurity.
The traditional model for security has been “trust, but verify.” Organizations would build a computer network, protect it with a single perimeter (typically a firewall), and trust everything that’s within the network.
But this model is flawed. Assuming everything inside is good and everything bad is outside has made life for hackers far too easy. Once they’ve bypassed the firewall, they are able to move around the network with little resistance.
The core benefits of adopting zero trust
Adopting a zero trust model brings innumerable benefits, so, to make your life easier, we’ve picked out some of the core ones.
Control of the entire IT estate
From inside the office all the way to the cloud platforms you use. No more lack of control outside the corporate perimeter or struggles with remote users.
Manage and secure all users in the same way
By no longer seeing things as inside or outside the corporate perimeter, you can treat all users in the same way. This both simplifies IT security and ensures all devices and users are treated equally.
Maintain security even when you don’t own/have full control over the infrastructure in use
By using identity, location, device health, MFA, and overlaying monitoring and analysis, you’re still able to have strong security across any kind of environment, platform, or service.
Drastically reduce the movement of malware or attackers
Rather than having free rein of the entire network once they’re inside, attackers only have access to the bare minimum of systems the compromised user had access to. By continuing to distrust the authenticated user, checks will be in place between those systems, further limiting the ability to spread.
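To make the contrast concrete, here is an added example (not from the original article or any vendor product) that evaluates the same access requests under the perimeter model and under a per-request zero trust check using the signals named above. The users, resources, networks and country list are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy: every name and value here is an illustrative assumption.
CORPORATE_NET = ip_network("10.0.0.0/8")
ENTITLEMENTS = {"alice": {"payroll-app"}, "bob": {"wiki"}}  # least privilege per user
ALLOWED_COUNTRIES = {"GB", "US"}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    source_ip: str
    country: str
    device_healthy: bool
    mfa_passed: bool

def perimeter_decision(req):
    """Traditional model: anything originating inside the network is trusted."""
    return ip_address(req.source_ip) in CORPORATE_NET

def zero_trust_decision(req):
    """Evaluate each request on its own; network location grants nothing.
    Returns (allowed, list of denial reasons)."""
    reasons = []
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("user not entitled to resource")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("location not permitted")
    if not req.device_healthy:
        reasons.append("device failed health check")
    if not req.mfa_passed:
        reasons.append("MFA not satisfied")
    return (not reasons, reasons)

# Constructed requests: a compromised account already inside the network,
# a legitimate remote user, and an entitled user on an unhealthy device.
lateral = AccessRequest("bob", "payroll-app", "10.1.2.3", "GB", True, True)
remote_ok = AccessRequest("alice", "payroll-app", "203.0.113.7", "GB", True, True)
unhealthy = AccessRequest("alice", "payroll-app", "10.1.2.3", "GB", False, True)

if __name__ == "__main__":
    for r in (lateral, remote_ok, unhealthy):
        print(r.user, r.resource, perimeter_decision(r), zero_trust_decision(r))
```

The perimeter check allows the compromised internal account to reach the payroll system and blocks the legitimate remote user; the per-request check reverses both outcomes and also denies the entitled user whose device fails its health check.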
A Summary of Zero Trust:
The constant stream of news headlines where organizations have been brought to their knees by ransomware makes it very clear that a new way of architecting security is needed. Zero trust guides us to never trust something blindly. Instead, we must verify anything and everything trying to connect to our systems before ever granting access. Trust nothing. Verify everything.
Educate, don’t sell
A lot of confusion has been caused by many vendors trying to position their existing technology as zero trust systems or solutions, glossing over important facts. This leaves buyers with little to no idea about what it actually is and how to progress along the journey.
We believe cybersecurity should be an integrated, interconnected system where all technologies talk to each other and share their unique insights and perspectives on the security posture of the whole network. The firewall sees things the endpoint can’t see. The endpoint sees things the firewall can’t see. When security technologies talk to each other, they become greater than the sum of their parts.
For organizations on their journey to zero trust, having technologies that have far more insight than their traditional, independent equivalents makes it safe to tear down traditional perimeters whilst remaining resilient to today’s (and tomorrow’s) threats.