Why Zero Trust is a big step to zero worries

A simple unsolicited email, a couple of clicks from an unsuspecting staff. This is often all it takes for a ransomware attack to be carried out, resulting in disruption to business operations and the potential for incalculable harm.

What we’ve seen in the media over the past few weeks serves as a powerful motivator for the introduction of a Zero Trust approach to cybersecurity. This is where the default setting is that nobody is trusted, and you must prove yourself to be trusted, so the chances of somebody doing or accessing something unauthorised is all but eliminated.

Conceptually, Zero Trust is easily understood. Essentially, no person and no system is trusted without verification, not even those on premises. There are strict access controls required to verify identity, and without the correct responses you aren’t getting in.

So, conceptually, no problem.

The issue lies in the implementation of Zero Trust. Organisations and people today operate in complex environments, where there are multiple systems and countless interactions between people and systems, and systems and systems.

So far so good, but if every interaction requires authentication, it quickly becomes cumbersome and a potential roadblock to getting things done.

There’s another crucial issue too. People like being trusted and they have come to expect trust as a right at work. Levels of trust have increased greatly at work because of lockdowns and proven continued productivity, and Zero Trust can seem like a step back. Not only do people see the need for constant authentication as a barrier to getting work done, but they can also see it as an affront on their dignity.

In the classic people, process and technology triangle, the first trick in implementing Zero Trust is that it doesn’t get in people’s way. The second and harder part is creating a cultural mindset where people accept we must do things differently with perimeter security to reflect how the cyber world has changed.

It isn’t the case any longer that some systems or personnel can be trusted. If an organisation is hacked and compromised, somebody inevitably let it in. There’s brand, reputational and financial damage at stake, all of which can be crushing.

Zero Trust in the real world: The COVID-19 case

This is precisely where Zero Trust comes from, says Matt Green, Head of Cloud Technology and Delivery at EMRGE. He says that where once we had a ‘hard shell’ (firewall) and ‘soft centre’, it’s now assumed that threats and dangers are all around us.

He explains it brilliantly with a COVID analogy. Instead of assuming things are safe, we instead assume there’s always a threat present and that we need to deal with it. By having ‘zero trust’ that anyone is COVID-free the risk is reduced. And like COVID-19, achieving pervasive cultural buy-in across the organisation is essential to success.

Matt says Zero Trust should be approached the same way as health and safety. H&S policy is embedded in all boards, and it should be the same with cybersecurity.

Automation and convenience are paramount for a sound Zero Trust implementation. When someone needs to access an application or service they should do so with ease, using techniques such as two-factor authentication which makes verification simple and intuitive.

As for back-end systems, Zero Trust demands that each connection between assets and programmes is assessed and verified, with continuous monitoring. No network location is trusted.

Zero-Trust works for all businesses

Hilary Walton, Chief Information Security Officer at Kordia, says that every organisation can benefit from zero trust. Given the pervasive reality of cybercrime and the fact that any organisation is a potential victim, Zero Trust is the best way to provide protection.

That’s especially the case as more organisations move towards hybrid infrastructures and dispersed workforces where the perimeter has expanded into homes and other remote working locations.

Hilary explains that the introduction of Zero Trust is a journey, and one in which directors should closely follow. It should start as a broad strategy, with acknowledgement that there is no ‘one size fits all’ approach. Information security is and always has been about mitigation measures appropriate to risk profile.

She also emphasises that implementing effective Zero Trust cyber security is a two-pronged approach, with protective measures and recovery measures both equally important. We must always assume someone entering our systems is foreign until proven otherwise. This means it won’t be a surprise if you’re confronted with an unwanted visitor, because it was always expected.

The risks associated with a move towards a Zero Trust architecture are obvious.  Done poorly, it will increase costs and make operational systems more complex. It can also ruin user experience.

But done correctly, Zero Trust offers an opportunity for substantially reducing risk because it makes it so much harder for the bad players to get anywhere.

Even if they get in, the complete absence of trust means they simply cannot do anything. And that keeps your computers humming.

Author: Peter Bailey, GM Aura Information Security