Zero Trust, Zero Worries!

Hanna Mathai

By Nikola Kukoljac, Head of Solutions Architecture

For years, cybersecurity practitioners have been talking about “Zero Trust”. Every vendor in the market is ready with its own strategy, services, and products to facilitate achieving Zero Trust. It has become one of the most utilized buzzwords in the industry these days. Nevertheless, what I notice in speaking with security teams across our region is that there are still doubts about what Zero Trust is, how to achieve it, what value it brings, whether it is mandatory or recommended, and what the consequences of implementation are. In this article, we will try to solve these mysteries.

So, what is Zero Trust?

The traditional method of achieving cybersecurity is very similar to medieval castles, which were very difficult to penetrate from outside. A system made up of tall walls, towers, and moats protected people from intruders. If you are inside the walls, it is automatically assumed that you are trusted and that you should be there.

If we take into consideration that the global average cost of a data breach is around USD 3 million, we very quickly come to the realization that assuming everything inside an organization’s network should be implicitly trusted would inevitably lead to a very costly data breach. Another challenge in the castle-and-moat approach begins the moment you need to protect assets outside of the walls.

Today, in the modern world, information is often distributed across multiple clouds, data centers and offices, making it impossible to have a single security control for the entire environment. Needless to say, a new model had to be invented: a model that minimizes the possibility of a malicious threat actor being inside the organization and moving laterally in an attempt to exfiltrate data. This new model also had to support the complexity of the modern environment, adopting the hybrid workplace and protecting people, devices, applications, and data wherever they’re located. Hence, Zero Trust was born.

Zero Trust is a cybersecurity strategy or framework built on the idea that everyone and everything is hostile: to secure the organization, implicit trust must be eliminated, and continuous validation must be enforced at every stage of a digital interaction. In simple words, Zero Trust introduces the principle by which all users, whether inside or outside the organization’s network, must be authenticated, authorized and continuously validated for security configuration and posture before being granted or keeping access to applications and data.
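To make the contrast concrete, the following added example (not code from the article or from Help AG) compares a castle-and-moat decision with a per-request Zero Trust decision and shows access being withdrawn when posture degrades mid-session. The role-to-application policy, the posture signals and the one-hour re-authentication limit are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy: which roles may reach which application (assumption).
APP_ROLES = {"payroll": {"finance"}, "wiki": {"finance", "engineering"}}
MAX_AUTH_AGE_S = 3600  # assumed limit before re-authentication is required


@dataclass
class Request:
    user_role: str
    mfa_passed: bool
    auth_age_s: int            # seconds since the user last authenticated
    device_patched: bool       # posture signals reported by the endpoint
    disk_encrypted: bool
    on_internal_network: bool
    app: str


def perimeter_decision(req: Request) -> bool:
    """Castle-and-moat: being inside the walls is the only check."""
    return req.on_internal_network


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Evaluate every request; network location grants nothing by itself."""
    if not req.mfa_passed or req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "authentication missing or stale"
    if req.user_role not in APP_ROLES.get(req.app, set()):
        return False, "role not authorized for application"
    if not (req.device_patched and req.disk_encrypted):
        return False, "device posture not compliant"
    return True, "allowed"


def session_timeline(checks: list[Request]) -> list[str]:
    """Re-run the decision at each check-in; access ends at the first failure."""
    results = []
    for req in checks:
        allowed, reason = zero_trust_decision(req)
        results.append(reason)
        if not allowed:
            break  # the session is terminated, later check-ins never happen
    return results
```
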

What benefits does Zero Trust bring?

Fine-tuned Zero Trust architecture will help the organization in achieving:

  • More resilient network infrastructure
  • Micro-segmentation, identification, and the containment of lateral movement
  • Enhanced prevention capabilities against data breaches
  • Comprehensive insights into users, devices, components, and workloads distributed across the environment
  • Limitation of the ‘blast radius’ once the incident happens
  • Better user experience
  • Support in attaining the compliance goals

Where do we start?

I like to believe that Zero Trust is a utopia (as per Google, “an imagined place or state of things in which everything is perfect”). We should all start the journey, but with the understanding that the journey will never end. It is not a technology or a solution that should be implemented; it is a principle of continuous improvement that will be embedded into IT/Sec as well as business processes from now on and into the future. To adopt this model, organizations will have to fundamentally change, and these changes are neither easy nor fast. We should also accept the fact that, as with everything in cybersecurity, no “one size fits all” approach to Zero Trust exists.

  1. Identification and prioritization of data – It’s key to end up in a state where the organization understands where the data is and who has access to it. Experience has shown us that utilizing several cloud platforms makes it difficult to identify data; however, it makes identifying who has access to it easier than in traditional data centers.
  2. Enforce control over who accesses data – users, devices, applications, external processes, etc. This step, depending on the company’s appetite, will lead to the identification of appropriate technology and the implementation of NAC, IDAM, micro-segmentation technologies, ZTNA, app whitelisting technologies, API gateways, etc., always accompanied by the supporting policies and procedures.
  3. Continuous validation and monitoring of implemented measures and activities – Although many organizations in our region have already implemented technologies that help them baseline and track activities related to network / data access and sharing based on behavior, most organizations face challenges in this step due to the chronic shortage of cybersecurity resources. This is the reason why we, at Help AG, are seeing an increase in demand for managed security services, gap assessments, cloud assessments, architectural review exercises, VAPT initiatives and services.

I understand that the above-mentioned steps could sound frightening, but do not forget: “A journey of a thousand miles begins with a single step”. A new application is being built? Let us focus on which data will be processed, how to protect it and from whom. It’s important to recognize that a Zero Trust architecture supports the security solution. Technologies and processes are layered on top of the strategy, not the other way around. The next time you are changing your endpoint protection, start thinking about what additional functionalities can be added to align with your Zero Trust strategy. New WAF in the DMZ? Excellent, can we position the same in the DC so that both external and internal user traffic will be validated?

If you are considering starting your Zero Trust journey, would like to learn more about it and how it can be implemented inside of your organization, or have a unique challenge that requires brainstorming, we have a team of experts with diverse skill sets as well as the right solutions to solve every problem.
