
A castle with a moat accurately represents a more traditional approach to network security

What is Zero Trust Architecture?

Zero Trust Architecture (ZTA) is a security concept and framework that assumes no entity inside or outside the network should be automatically trusted. It is based on the principle “never trust, always verify.”

Traditional network security followed a model that somewhat resembles a moated castle. Once inside the perimeter – whether a moat or a firewall – the network resources are open to all. The Zero Trust approach to network security significantly contrasts with these traditional network security models.

The Zero Trust model requires strict identity verification for every person and device trying to access any resources on a company data network, regardless of whether they are within or outside of any network perimeter.

Is Zero Trust New?

No, but the COVID lockdowns pushed the adoption of Zero Trust Architecture. Once team members were working off-site, access to many business networks had to be delivered remotely. Hard firewalls and physical barriers were no longer workable.

The move of so much business software to SaaS (Software as a Service) and cloud data storage has also accelerated the process. Many software applications will not work at all if they are not, at least, verified online.

Some firms may find they have moved to something resembling Zero Trust Architecture without realising it.

Features of ZTA

Least Privilege Access

Regardless of your security model, least privilege access is a solid principle. It is good practice to grant users and devices the minimum level of access – or permissions – they need to perform their tasks. A system where many permissions are granted is, by definition, less secure. Fewer permissions are easier to manage and monitor.

Microsegmentation

Microsegmentation divides the network into small, secure zones. To some degree, this has always been required. For example, only a very poorly run company network would make HR files and company finance documentation available to the company as a whole.

Microsegmentation allows for more granular security controls over each zone and limits lateral movement by attackers within the network.

Multi-Factor Authentication (MFA)

By now, almost everyone should be familiar with MFA. Logins protected by MFA require more than one piece of evidence to authenticate a user; this could be something they know (password), something they have (a smartphone), or something they are (biometric verification).

Continuous Monitoring and Validation

Continuously monitoring the network and validating the security posture of devices and users ensures that any malicious activity is quickly detected and responded to. A software solution is normally best for completing this task.

Security Policies and Enforcement

Implementing comprehensive security policies that are strictly enforced can help maintain the integrity of the Zero Trust Architecture. This includes written policies for access control, data protection and threat response.

Identity and Access Management (IAM)

Central to Zero Trust is ensuring that only authenticated and authorised users and devices can access applications and data. This involves managing identities and permissions tightly. We still occasionally find our clients using a single password company-wide, but fortunately, this is becoming a rarity.
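The features above combine into a decision made on every single request. As an added example (not code from this article), the Python below contrasts a castle-and-moat check with a Zero Trust check; the user names, grants, request fields and the 15-minute re-verification window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed sample data: least-privilege grants per user (hypothetical names).
GRANTS = {
    "alice": {("hr-files", "read")},
    "bob": {("finance-docs", "read"), ("finance-docs", "write")},
}
MAX_SESSION_AGE_S = 900  # assumed re-verification window, not from the article


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    inside_perimeter: bool  # source address is on the office LAN
    mfa_passed: bool
    device_compliant: bool  # result of a device posture check
    session_age_s: int      # seconds since identity was last verified


def perimeter_decision(req: Request) -> bool:
    """Castle-and-moat: anything already inside the firewall is allowed."""
    return req.inside_perimeter


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Evaluate each request on its own; network location is never consulted."""
    if req.user not in GRANTS:
        return False, "unknown identity"
    if not req.mfa_passed:
        return False, "MFA not satisfied"
    if not req.device_compliant:
        return False, "device fails posture check"
    if req.session_age_s > MAX_SESSION_AGE_S:
        return False, "session too old, re-verify"
    if (req.resource, req.action) not in GRANTS[req.user]:
        return False, "no grant for this resource/action"
    return True, "allowed"


if __name__ == "__main__":
    insider = Request("alice", "finance-docs", "read", True, True, True, 60)
    remote = Request("bob", "finance-docs", "write", False, True, True, 60)
    for r in (insider, remote):
        print(r.user, perimeter_decision(r), zero_trust_decision(r))
```

The on-LAN request for a resource outside the user's grants passes the perimeter check but is denied under Zero Trust, while the remote request with a valid grant is the reverse.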

Are There Any Downsides?

There are costs. Organisations implementing zero trust architectures must typically rely on advanced technologies such as cloud security, identity and access management solutions. Adopting validation practices at every point of access can be cumbersome for employees.

Zero Trust is meaningless without more traditional security practices such as monitoring user permissions and accounts, auditing permissions and the like. Investment and automation can lead to a false sense of security.

Despite these downsides, the benefits of Zero Trust in enhancing an organisation’s security policy are concrete. But, as always, any security policy needs to be built from clear principles and implemented in a thorough, thoughtful fashion.