Every company and every individual uses various devices, most of which are connected to one network or another. It seems almost unimaginable for us not to be connected to the internet. When was the last time someone had their smartphone in airplane mode? Unless we are in an actual aeroplane, I doubt we could remember actively taking ourselves offline.
Our work environments are rapidly moving towards cloud computing. We still use on-prem services - something is still being saved on local hard drives - but that era is slowly passing away. The world is moving towards the cloud environment; streaming is the way forward and devices are increasingly becoming network-dependent.
This is the scene of a fast and yet quite comfortable pace of tech development in the world of IT.
A sudden jolt rippled across all industries of the world in January 2020: the events of the coronavirus pandemic. Claiming thousands of lives, the wave of the deadly virus caused lockdowns, and consequently people were locked out of their places of work. Organisations had no choice but to adapt. That is when IT departments really felt the strain of providing systems which would enable people to work from home. The events of the devastating pandemic only highlighted the issue: traditional perimeter-based security models with firewalls were no longer effective.
We Need a New Strategy...
What is the significance of that in the context of a Zero Trust Company Maturity Scheme?
With vast numbers of people suddenly working from home, a new security approach is required, and this is where the Zero Trust Security Methodology comes in. Zero Trust is non-perimeter-based, and it rests on 3 assumptions, which are as follows:
- Never Trust Always Verify - The system needs to make sure that it's really you who is logging in, so the user is not trusted by default. The applications, workloads and data are treated the same way.
- Least Privilege Access - The user is given as little privilege as possible - just enough to get their job done. If the identity is compromised, then the hacker is restricted to those minimal privileges and lateral movement across the network becomes significantly more challenging.
- Assume Breach - Assume that the attack has already happened. It is a "what then?" scenario. This principle combines scrutiny of users, their patterns of behaviour and other anomalies. In a way it is digital vigilance.
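The three assumptions above can be read as an ordered set of checks on every access request. The following is an added example, not part of the original article or of any vendor's product; the role names, thresholds and field names are hypothetical, and the sample request is constructed. It contrasts a perimeter-style decision with a Zero Trust one for the same request.

```python
from dataclasses import dataclass

# Hypothetical role map: each role holds only the permissions its job needs.
ROLE_PERMISSIONS = {
    "payroll-clerk": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
}
RISK_STEP_UP = 0.4  # constructed thresholds for the behaviour-analytics score
RISK_DENY = 0.8

@dataclass(frozen=True)
class AccessRequest:
    role: str
    resource: str
    action: str
    mfa_verified: bool      # identity proven for this session
    device_compliant: bool  # device meets compliance policy
    on_corporate_network: bool
    risk_score: float       # 0.0 normal .. 1.0 highly anomalous

def perimeter_decision(req: AccessRequest) -> str:
    """Perimeter model: location inside the firewall is the only check."""
    return "allow" if req.on_corporate_network else "deny"

def zero_trust_decision(req: AccessRequest) -> tuple[str, str]:
    """Deny by default; network location is never consulted."""
    # Never trust, always verify: user and device are checked on every request.
    if not req.mfa_verified:
        return "deny", "identity not verified"
    if not req.device_compliant:
        return "deny", "device not compliant"
    # Least privilege: only actions granted to the role are permitted.
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return "deny", "outside role privileges"
    # Assume breach: a verified session is still scored for anomalies.
    if req.risk_score >= RISK_DENY:
        return "deny", "anomalous behaviour"
    if req.risk_score >= RISK_STEP_UP:
        return "step_up", "re-authentication required"
    return "allow", "all checks passed"

# Constructed sample: stolen clerk credentials used from an office machine.
stolen = AccessRequest("payroll-clerk", "payroll-db", "write",
                       mfa_verified=True, device_compliant=True,
                       on_corporate_network=True, risk_score=0.2)
print(perimeter_decision(stolen), zero_trust_decision(stolen))
```

The perimeter check allows the write because the request originates inside the network, while the Zero Trust check denies it because the clerk role was never granted write access.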
The key here is that this is not an “all or nothing” solution. There is an appreciation that companies are on a journey, and this methodology allows for a gradual implementation: providing the security to small test groups first, then moving on to the most critical company assets, before gradually taking more areas of the company under its wing.
Now that people are accessing corporate resources from everywhere, users themselves become perimeters.
How Could Zero Trust Affect Companies?
The answer to this very much depends on where the company sits in its Zero Trust maturity.
Lack of a solid IT (as well as security) strategy is almost akin to running a business without a plan. This is a cause for shadow IT to proliferate among colleagues: in the absence of coherent IT planning, workers could be coming up with their own workflows, which could consequently open opportunities for hackers' attacks. And, of course, if it is a business with a small IT department, its admins are constantly having to deal with security-related issues cropping up.
It is important to be aware of the level of Zero Trust maturity that a company is at right now. This model is introduced to us by Microsoft. It is made of three stages, which are:
This stage is where most companies are currently. No Zero Trust has been implemented. Those are companies with on-premises identities and static rules. The key here is that visibility into device compliance and logins could be very limited. The network infrastructure is flat. Because of limited visibility and control, this leaves the network as well as the identities open to hackers' attacks.
Zero Trust is being implemented in key areas, but not to its full capacity or at full scale. The main feature of this stage is that the organisation realises the need for this security approach. Those companies would have hybrid identity and well put together policies which filter access to data, apps, and network. We also see the introduction of network segmentation for better control and better visibility. And finally, analytics. This is the most exciting part: analytics are used to assess users' behaviours, identify anomalous activity, and identify threats proactively.
Here we see a more in-depth implementation of Zero Trust, focusing on real-time analytics and dynamic gate access to apps and data. All data sharing is accompanied by secure encryption and tracking. Trust is removed by default and the network is micro-segmented. Finally, automatic threat detection and response is implemented.
What would it mean to the user who may be oblivious to the methodology? Mostly the configurations and analytics stay on the back end and things simply become smoother. It is only password-less authentication that the end user would notice. In many ways it will even be a relief for the many people out there who have a plethora of passwords to remember.
The question is, where are you on this model? What does your business look like from a security standpoint?
Cyber security is the next step in the evolution of security overall. The company is less and less associated with the building, the physical premises, and physical offices. More companies are forming with no dedicated workplace other than the homes of the workers themselves, so the next steps in securing the assets are not doors and walls, locks, and buildings but the security of data, and the security of the workflows and communication associated with it.
These are exciting times, the times which promote innovation and growth. Zero Trust is here to assist with that and ultimately make work better and safer.