Is trust the basis for success? Not in cyber security! This is because trust is often exploited by attackers disguising themselves as "trustworthy" users. But who can you trust internally? In security, how sensible is it to place any trust at all in our fellow human beings? Why is zero trust important in terms of IT security and, more importantly, what is zero trust anyway?
Almost ten years ago, former Forrester analyst John Kindervag introduced the idea of the "Zero Trust Network" to the IT world – a concept that never rates companies as being one hundred percent secure. Security experts today identify new possibilities in the zero trust approach to IT security. Since the GDPR, companies that do not properly protect their customer data face severe penalties. Zero trust also means that data protection can be improved.
Zero trust – the cyber security revolution in security architecture
In cyber security, trust is largely misplaced. The reason is obvious: cyber criminals exploit trust to their own advantage. Trust is human, but trust in humans must not be confused with the trustworthiness of data packets in systems. Trusting a network is a vulnerability because a packet that looks trustworthy does not necessarily have to be reliable.
This is why methods to control access are often used. The packet is de-personalized and inspected. This prevents unauthorized data from being accessed at the wrong time. Furthermore, everything is logged and analyzed. This, in turn, makes it possible to judge whether digital behaviour has actually taken place or not. According to zero trust, trust is a weak point that should be avoided. This is where the zero trust concept comes in, because it...
- is data-centric,
- assists with the prevention of breaches of data protection, and
- offers a level of agility for modern networks that has not been possible with traditional network design.
Can absolute zero trust be a solution to all cyber-problems?
The problem with Forrester Research's zero trust model is that if you can't trust anyone, you can't exchange data with anyone! The word trust cannot and should not be completely banned from the cyber security vocabulary. The balance of the trust that remains must be put to the test on an ongoing basis. A user may have been rated as being trustworthy, but this does not automatically mean that he or she will remain trustworthy. At the next check, it may well be that they are rated differently.
Use zero trust in your cyber security to create visibility and context for all traffic across users, devices, locations and applications. In summary, then:
- Identification: If you know who your users are, what applications they use and how they connect to the network, you can put policies in place that ensure secure access to your data.
- Choose an access strategy with the lowest access rights: Strictly enforce access controls. This significantly shrinks the routes in for attackers and malware.
- “Always verify”: Review and log all traffic at appropriate nodes on your network. This means that sensitive resources can be segmented and trust limits are set to prevent sensitive data from falling into the wrong hands.
- Add more authentication methods: These will allow you to counter attacks that rely on login information.
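The four points above, written as a per-request access decision. This is an added illustration, not code from any vendor product; the grant table, the 900-second re-authentication limit and all names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed least-privilege grants: (user, application) -> permitted actions.
GRANTS = {("alice", "crm"): {"read"}, ("bob", "crm"): {"read", "write"}}
MAX_AUTH_AGE = 900  # assumed: seconds before a login must be re-verified


@dataclass
class Request:
    user: str
    app: str
    action: str
    mfa_passed: bool
    device_compliant: bool
    auth_time: float  # when the user last authenticated
    internal: bool    # network location: logged, never used to decide


AUDIT_LOG = []  # every decision is recorded, allow or deny


def decide(req: Request, now: float) -> tuple[bool, str]:
    """Evaluate one request from scratch; no earlier verdict is reused."""
    if req.action not in GRANTS.get((req.user, req.app), set()):
        verdict = (False, "no grant for this action")
    elif not req.mfa_passed:
        verdict = (False, "second factor missing")
    elif not req.device_compliant:
        verdict = (False, "device not compliant")
    elif now - req.auth_time > MAX_AUTH_AGE:
        verdict = (False, "authentication too old")
    else:
        verdict = (True, "all checks passed")
    AUDIT_LOG.append((now, req.user, req.app, req.action, req.internal, *verdict))
    return verdict


def demo():
    """Constructed requests: the same user is rated differently over time."""
    ok = Request("alice", "crm", "read", True, True, auth_time=0, internal=False)
    return [
        decide(ok, now=100),   # fresh login, granted action
        decide(ok, now=2000),  # same user and request, login now stale
        decide(Request("alice", "crm", "write", True, True, 0, True), now=100),
        decide(Request("bob", "crm", "write", False, True, 0, True), now=100),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The last two constructed requests come from inside the network and are still denied, because location is only logged and never counts as a reason to allow.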
This way you achieve a sensible zero trust architecture
For zero trust there are a number of vendors and solutions on the market, such as one by our partner Palo Alto Networks. Zero trust architecture assists in the identification, transparency and management of devices, users, apps and other services. No distinction is made between internal and external construction.
In order to improve the transparency of data traffic, it must be verified by a next-generation firewall with decryption functions. This firewall enables micro-segmentation of perimeters, and it functions as a kind of border control for your company. It remains essential that external borders should be as secure as possible. This makes it all the more important that data is checked during the transition between different functions within the network.
Identity & access management, privileged access management and multi-factor authentication play a central role because the identity of users, devices, apps and clouds becomes a temporary “anchor” of trust. Solutions for device management, data loss prevention, encryption, web application firewalls, cloud access security brokers, endpoint protection, SIEM and User & Entity Behavior Analytics (UEBA) are also part of the solution. Use a zero trust approach to identify your business processes, users, data, data flows, and associated risks, and put policies in place that can be automatically updated every time they are repeated, based on the associated risks.
An easy and playful approach to zero trust architecture with the right partner
So there is no need for a completely new security landscape for a zero trust concept – most of it already exists. The decisive factors here are ensuring that policies always take current risks into account, that blind trust is taboo and that authorizations are kept to a minimum and adapted in a dynamic way.
Do you have questions about the zero trust approach, or do you need any assistance? Together with our partner Palo Alto Networks, we would be happy to demonstrate this to you personally.