SoftActivity

Implementing a Zero-Trust Policy for Cybersecurity

Ever since John Kindervag introduced the concept of zero-trust in network security, businesses have been attempting to adopt it as an active model for company security.

Current industry experts like John Fruehe (independent analyst) and Tony Velleca (CISO at UST Global) agree that zero-trust a) is being talked about more and more, b) is going to be necessary for high-profile companies, and c) can be challenging to implement.

So with all the buzz around zero-trust, you might be wondering if your business should be concerned about your lack of zero-trust. Or, maybe you’re ready to implement a stricter security policy to prepare for network security advances. 

It’s an interesting concept for sure and one that most businesses need to at least consider. Here’s what you need to know about zero-trust security: 

What is a Zero-Trust Security Policy?

The zero-trust security policy is a type of security model that takes a guilty-until-proven-innocent approach. This approach is common in governmental oversight and other kinds of regulation, but in practice it can be hard to implement.

With zero-trust, an organization assumes that threats exist both outside and inside the network, even after a person or user has been cleared and authenticated. Authentication is required to access resources, and identity-based policies dictate which network entities can communicate with a given resource and under which conditions.

The least amount of access possible is granted to every user to limit threat opportunities (otherwise known as the principle of least privilege). 

The best example of a zero-trust security architecture was illustrated by John Fruehe, who used the concept of post-9/11 airport security. After 9/11, American airports required personal identification to access the gate areas. Once past security, passengers were able to roam somewhat freely.

Up to this point, the example reflects many of the models implemented in IT security. However, zero-trust takes it one step further. Zero-trust would say that, within this example, passengers at the airport but behind security would still be untrustworthy and would need to have identification checked.

The airport might set up checkpoints throughout this clearance area because it (zero-trust) assumes that the initial security check was not good enough, and the passengers would need to continually provide proof that they are allowed to be there. 
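To make the "checkpoints throughout the clearance area" idea concrete, here is an added example (not from the original article or any vendor's product) of a per-request policy check that combines identity-based rules, least privilege, and repeated proof of identity. The roles, resource names, segments, and time limits are all hypothetical.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    role: str            # identity attribute the rule applies to
    resource: str        # the single resource this rule covers
    actions: frozenset   # least privilege: only these actions are granted
    segment: str         # network segment the request must originate from
    max_auth_age: int    # seconds before identity must be proven again

@dataclass(frozen=True)
class Request:
    role: str
    resource: str
    action: str
    segment: str
    authenticated_at: float   # epoch seconds of the last successful authentication
    device_compliant: bool

# Constructed sample policy; all names are hypothetical.
POLICY = (
    Rule("hr", "payroll-db", frozenset({"read"}), "hr-segment", 900),
    Rule("dba", "payroll-db", frozenset({"read", "write"}), "admin-segment", 300),
)

def decide(req, policy=POLICY, now=None):
    """Evaluate one request; called on every access, never cached. Default deny."""
    now = time.time() if now is None else now
    if not req.device_compliant:
        return False, "device not compliant"
    reason = "no matching rule"
    for rule in policy:
        if (rule.role, rule.resource) != (req.role, req.resource):
            continue
        if req.action not in rule.actions:
            reason = "action exceeds granted privilege"
        elif req.segment != rule.segment:
            reason = "wrong network segment"
        elif now - req.authenticated_at > rule.max_auth_age:
            reason = "re-authentication required"
        else:
            return True, "allowed"
    return False, reason

if __name__ == "__main__":
    # Constructed request: an HR user who authenticated 20 minutes ago.
    stale = Request("hr", "payroll-db", "read", "hr-segment", time.time() - 1200, True)
    print(decide(stale))  # the earlier login no longer counts as proof
```

The deny reasons are also what you would log, so every rejected request shows which checkpoint stopped it.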

4 Benefits for Zero-Trust Policy

While there are several benefits of zero-trust, as espoused by Akamai, here are our top four benefits of implementing this policy:

1. Streamlined and Simplified Security Stack

Staying on top of the latest in cybercrime and continually adapting your security practices can be tedious, confusing to your employees, and problematic if changed too much. Therefore, zero-trust can be a clear policy for your employees to follow. 

The security stack in legacy technology is highly complex as well. At each perimeter, hardware controls, security mechanisms, and application delivery and performance utilities must be deployed at every stage. However, with zero-trust, you can offload access through a verified server to eliminate the need to repeat these stacks at every level.

2. Improved End-user Experience

Maintaining high security often requires a lot of work for the end-user. From keeping passwords updated and highly secure to regularly using authenticators, a secure network is not always a fun one to access. However, zero-trust can improve this experience by offering secure access, ease of use, and more productivity opportunities.

Users can use a single multi-factor authentication system to access several (if not all) of the system sections, therefore eliminating the need for them to also move through the repeating security stacks.

3. Improved Monitoring

Zero-trust is not a prevention strategy but a detection and response strategy. So while it cannot prevent a data breach, it can reduce the response time when a breach is detected. With zero-trust, you can better manage where the breach occurs and view your company’s traffic from a broader perspective. 

Zero-trust can also help segment your network systems, so hackers who get in might reach only one partition of your network, which drastically slows or inhibits their movement.

4. Further Protected Data

Protecting customer data is extremely important, especially due to GDPR and CCPA. Therefore, zero-trust strategies (at the very least) will add to your company’s customer data security policy.

Is Zero-Trust Feasible?

The idea behind zero-trust is straightforward; however, implementing it can be challenging. The biggest challenge associated with zero-trust is in housekeeping. 

So while some experts encourage every business to adopt zero-trust, others suggest that there is no point because of the amount of work that goes into it. This can also be problematic for companies that end up collecting a lot of data. With policies like GDPR and CCPA now in place, data mishandling can be costly.

Therefore, companies are left with two options: go all-in with zero-trust or take a more hands-off approach (and rely on third parties as well).

If you decide to implement zero-trust, then you must also do so consistently, which means that many companies might be limited in this regard. Not all companies can dedicate the time, effort, and savings associated with zero-trust. So if you have it implemented in one area but not the other, then your network users might be perplexed. 

Businesses, therefore, push back a lot on zero-trust because it slows down the operational process, and some businesses struggle with the number of controls. When considering applied zero-trust, there might need to be unique ways for each business to implement it so that their processes aren’t slowed down or impeded.

How to Implement a Zero-Trust Policy or at least Work Towards Zero-Trust

Businesses can implement zero-trust security strategies. These strategies alone allow for flexibility in how the end-user accesses applications, data, and company services. Therefore, one of the broader benefits of a zero-trust policy is the range and flexibility it offers. 

If you can’t go fully zero-trust, you can consider implementing many strategies to improve company network security.  

Consider: 

  • Implementing some zero-trust strategies, like micro-segmentation 
  • Using virtual machines for segmenting certain application access requirements
  • Streamlining zero-trust into a single MFA app for ease of use
  • Installing employee monitoring software to keep track of insider threats

So long as your policy isn’t creating broken security, implementing a zero-trust policy is a step in the right direction for any size company.

By SoftActivity Team

April 5th, 2021