The outdated assumption that anything within the security perimeter can be trusted has left organisations more exposed to cyber-attacks. It has also rendered legacy IT infrastructures ineffective for an ever-evolving IT environment and cyber-threat landscape.

Across the industry, security professionals are designing and rebuilding their strategies around a ‘Zero Trust’ approach. This approach trusts no user, device, or system, regardless of whether it is inside or outside the perimeter.

Today, you no longer need to set foot in the office building to get to work. Advancements in technology have expanded what now counts as “the office.” Companies are now able to interface through mobile devices and cloud software, regardless of where their employees are located.

However, these developments pose a cybersecurity dilemma. The security perimeter is no longer confined to the walls of an office building. Valuable business data transfers continuously between SaaS applications, IaaS, data centres, remote users, IoT devices and more. This means cyber-criminals have access to a wide range of attack surfaces and more points of entry than ever before.

With all this in mind, it’s clearly time for a new approach to cybersecurity.

The Zero Trust Approach: Never Trust, Always Verify!

For organisations looking to move to a Zero Trust security model, Forrester outlined seven key principles to focus on. By implementing these principles, organisations will be able to strengthen a “default deny” security posture, in which systems are hardened and isolated until a certain level of trust is established.

1. Zero Trust Networks 

When moving toward Zero Trust Security, it is crucial that you “Divide and Rule” your network. Identifying your valuable assets and defining “Micro-segments” around them creates multiple junctions and inspection points that block malicious or unauthorised lateral movement, so that in the event of a breach, the threat is easily contained and isolated.

2. Zero Trust Workloads

Securing workloads, particularly those running in the public cloud, is essential since these cloud assets (e.g., containers, functions, and VMs) are vulnerable and attractive targets to malicious actors.

3. Zero Trust Data

Zero Trust is all about protecting the data while it is shared continuously between workstations, mobile devices, application servers, databases, SaaS applications, and across the corporate and public networks.

4. Zero Trust People

Recent research from Check Point showed 81% of data breaches involved stolen credentials. It’s clear that usernames and passwords no longer prove the identity of a user. Identities are easily compromised, so control over your valuable assets must be strengthened.

5. Zero Trust Devices

With 70% of breaches involving compromised devices, every device connected to your network should be treated as a threat vector, whether it’s a workstation, a mobile, or an IoT/OT device. Security teams must be able to secure every device on their network and isolate the device if it’s compromised.

6. Visibility and Analytics 

You can’t protect what you can’t see or understand. A Zero Trust Security model continually monitors, logs, correlates, and analyses every activity across your network.

7. Automation and Orchestration 

A Zero Trust architecture must automatically integrate with the organisation’s broader IT environment to enable speed and agility, improved incident response, policy accuracy, and task delegations.