Protect your organisation with zero-trust security

The New Zero-Trust Security Framework

Historically, most organisations used a “castle and moat” model to ensure network security. Users and devices located inside the network perimeter were trusted by default, and those outside of it were not. This made sense when most or all equipment and employees were on-prem, ensuring a clearly defined network perimeter.

Over the past decade, cloud computing and mobility have fundamentally changed organisational data environments, chipping away at the “castle” and blurring the network perimeter. The final death blow for “castle and moat” was the COVID-19 pandemic, which forced organisations to rapidly scale their network and security capabilities to support widespread remote work.

The “network perimeter” wasn’t just blurred; it no longer existed. The castle was in rubble, the moat drained, and organisations began moving toward modern zero-trust network access.

Understanding Zero-Trust

The zero-trust security framework is centered around three core principles: assume breach, verify explicitly, and ensure least-privilege access.

Instead of implicitly trusting all users and devices within the network perimeter, zero trust doesn’t trust any of them. Zero trust assumes that all users and devices could potentially be compromised, and everyone, human or machine, must be verified before they can access the network. Once logged onto the network, users should have the minimum amount of network access they need to perform their jobs, and no more.

When deployed properly, the zero-trust model gives IT administrators full visibility into all users, systems, and devices, helps ensure compliance with industry and regulatory mandates, and helps prevent cyber attacks caused by compromised user credentials.

Why VPNs and Zero Trust Don’t Mix

When the COVID-19 pandemic hit, organisations were forced to rapidly scale their network and security capabilities to support widespread remote workforces. Because this change occurred suddenly and with no notice, many organisations simply deployed more of what they already had. Frequently, this meant using VPNs to secure remote connections.

When remote access was limited only to very specific use cases, VPNs worked well enough, but when organisations attempted to scale them up to meet the needs of entire workforces, their shortcomings quickly became apparent.

VPNs don’t scale well at all. They’re also expensive and plagued with latency, reliability, and availability problems. They require a lot of administrative overhead, and they’re extremely difficult for end users to use. Perhaps worst of all, most of them don’t support zero-trust network access.

How to Implement Zero Trust

There are no universal “zero-trust implementation” standards, and knowing where to start can be challenging. However, the following best practices are universal and will help you map out your organisation’s zero-trust journey.

• Commit to zero trust long term – Technology, workflows and threat environments are ever-changing and becoming more complex. The same goes for zero-trust architecture.
• Ensure upper management is on board – All levels of leadership must be on board and have a strong commitment to implement zero trust. A study by CRA found that organisations that were highly successful at implementing zero trust reported receiving support from upper management, whereas organisations that lacked support struggled.
• Start small – Start a zero-trust deployment by first migrating low-risk business resources, then move to more critical resources after your team has more experience with the process.
• Focus on IAM first – CRA found that Identity and Access Management (IAM) was the most frequently implemented zero-trust component by organisations that were highly successful, with 86% having applied zero-trust strategies to their IAM processes and controls.