What is Zero Trust?
Imagine your network is like a house. There’s a lock on the front door, and only specific people have the key to get in, but once inside those people have access to every room. The locked door is the corporate firewall, once perceived as the main security boundary and what users relied on to ‘do’ their cyber security for them.
This works to an extent, especially when you don’t need to let many people into your network. But as we become more and more reliant on technology in our work, the number of people trying to get access increases. And remember, it’s not just you, but everyone else on the network who can let people in. To continue the metaphor, you and your housemates are opening the door to increasing numbers of people, and once they’re in, all of them can go into your bedroom.
With Zero Trust, not only is the front door locked, but every door in the house. This means that even if a hacker gets unauthorised access to one part of the network, they can’t access the rest. It also means that you aren’t so reliant on other people to keep your information secure, even if one of your colleagues is click-happy when opening suspicious emails.
Why would I use Zero Trust Security?
Currently, the default for most networks is to share information as freely as possible. That is, after all, their purpose. But this freedom makes networks less secure, and therefore it’s easier for malicious actors to harm your business. Zero Trust flips this on its head, and means that every time something happens on the network, it needs to be justified.
What does this mean for users?
At first glance, Zero Trust might sound like a huge inconvenience for users – continuously needing to re-enter passwords or similar. However, the bulk of Zero Trust happens behind the scenes, with information like your machine, location and other system-based information being used to certify your identity. Some user input will be required, with tools like two factor authentication also playing a role.
How would I implement Zero Trust?
Configuring a network for Zero Trust is only a small part of the challenge; most of the methods use existing technology.
A more difficult question is identifying what activity should be trusted. Should someone in your sales team be able to access all of your financials? Does anyone in manufacturing need access to your CRM? You should be able to identify all of the trusted activity on your network.
From there, you also need to think about identification. The Finance team can access the financials, but how do I know this request is from someone in Finance? This might include linking staff members to particular machines, two factor authentication methods, or finding other ways to identify users.
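To make those two questions concrete (what activity is trusted, and how do I know who is asking), here is a small default-deny check in Python. It is an added example, not part of the original article; the users, departments, machine names and allow-list are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed allow-list of trusted activity: (department, resource).
# Anything not listed here is denied, i.e. every door is locked by default.
ALLOWED = {
    ("finance", "financials"),
    ("sales", "crm"),
}

# Constructed staff records linking each person to a department and a machine.
STAFF = {
    "alice": {"department": "finance", "device": "LAPTOP-FIN-01"},
    "bob": {"department": "sales", "device": "LAPTOP-SAL-07"},
    "carol": {"department": "manufacturing", "device": "PC-MFG-03"},
}

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    mfa_passed: bool
    resource: str

def evaluate(req):
    """Return (allowed, reason). Every check must pass; the default is deny."""
    staff = STAFF.get(req.user)
    if staff is None:
        return False, "unknown user"
    if req.device != staff["device"]:
        return False, "device not linked to user"
    if not req.mfa_passed:
        return False, "second factor missing"
    if (staff["department"], req.resource) not in ALLOWED:
        return False, "department has no need for resource"
    return True, "trusted activity"

def audit(requests):
    """List the requests this policy would block, with the reason for each."""
    results = [(r, evaluate(r)) for r in requests]
    return [(r.user, r.resource, why) for r, (ok, why) in results if not ok]

# Constructed sample of network activity to run the policy over.
SAMPLE = [
    Request("alice", "LAPTOP-FIN-01", True, "financials"),
    Request("bob", "LAPTOP-SAL-07", True, "financials"),
    Request("carol", "PC-MFG-03", True, "crm"),
    Request("alice", "LAPTOP-SAL-07", True, "financials"),
    Request("alice", "LAPTOP-FIN-01", False, "financials"),
]
```

Running `audit(SAMPLE)` over a record of existing activity shows which connections would be blocked and why, which is a useful first pass before restricting anything.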
Is there an easier way?
Flipping how you manage your network on its head is a big project, but thankfully it doesn’t all need to be done at once. You could start small, identifying connections that aren’t needed and restricting or preventing them (no, chances are no one in manufacturing needs access to the CRM). You can approach this on a department basis, an information basis, or however you’d like. Remember, every piece of unnecessary network activity you prevent makes it that much safer, even if it takes you a while to get to a full Zero Trust position.
Do I need Zero Trust Security?
Zero Trust isn’t a particular piece of software or service; it’s more a way of thinking about how users access and communicate through your network. So in that sense, adopting a Zero Trust ‘posture’ is never a bad idea. However, implementation will vary from business to business, so if you want to talk to an MSP that puts cyber security first, email us on firstname.lastname@example.org and let us help you become more secure.