The surge of cyberattacks in 2020 has highlighted what many already know — that keeping networks secure is tough at the best of times, but near impossible during a pandemic. Many are now implementing a zero-trust security model, which is thought to overcome many of the issues with traditional approaches. In fact, 34% of IT security teams report that they are in the process of implementing a zero-trust model. So, what is zero-trust, and why do so many think it’s the way forward to keep information and networks safe?
What exactly is the zero-trust approach?
It’s commonly said that human beings are the weak link in any cybersecurity system. Typically, up to 40% of people fall victim to a cyberattack, but only an estimated 3-5% of people report real cyberattacks. Traditionally, cybersecurity training has been emphasised as the answer. However, most training focuses on increasing awareness of potential threats, which is both cognitively draining and requires frequent retraining as hackers adapt their strategies. At worst, it causes a constant state of anxiety about being blamed for a breach. More recently, it’s been rightly pointed out that any system that can be taken over by one person clicking a dodging phishing email, probably isn’t a very good system.
Traditional cybersecurity is based on the castle-and-moat system, whereby it’s tough to breach the castle, but everyone inside is trusted by default. As a consequence, once a breach occurs, the attacker is free to do as they wish. In contrast, a zero-trust approach means that verification is required whenever any user or machine — even those already inside the network perimeter — tries to access information and services.
What are the core elements of zero trust?
Implementing least privilege: this element of zero trust means only giving users the minimum necessary access to perform essential tasks. This limits the number of users that can grant/configure new permissions, making it more difficult for attacks to reach more sensitive parts of the network. Amazon Web Services, Azure and Google Cloud all recognise least privileges as a core element of cybersecurity best practice.
Microsegmentation: breaking up a system into smaller, self-contained segments prevents lateral movement across the whole network. Each segment should have its own security perimeter and list of permissions, so that a user cannot access it without separate verification. Industry professionals often refer to this as controlling the ‘blast radius’ of an attack, so that the damage is limited to the breached segment.
Multi-factor authentication: an authentication method that requires more than one piece of evidence across multiple categories. For example, a multi-factor authentication might require something you know (such as a password) plus something you have (like a smartcard) or something you are (biometric information such as a fingerprint). Withdrawing money from a cash point is an everyday example of this, as it requires a debit card (something you have) and a PIN (something you know).
The advantages of zero trust
The most obvious advantage of zero-trust is in reducing your vulnerability to a large scale cyberattack. Attacks are inevitable but having measures in place that don’t rely on constant employee vigilance helps to manage this risk. Zero-trust also provides information about what constitutes normal daily traffic on any given device, meaning that breaches can be quickly detected and contained. In addition, while zero-trust might take effort and investment in the short term, it reduces long-term costs as fewer professionals are needed to monitor, manage and update security controls. Finally, zer- trust enables a positive user experience. Rather than trying to remember a long list of complicated passwords, employees are given secure access to what they need, letting them get on with their own work.
Zero-trust is quickly becoming the go-to approach to improve cybersecurity. 2020 has highlighted significant problems with the traditional network perimeter approach and given the alarming costs of a cyberattack to an organisation, the short-term investment in establishing zero-trust looks to be worthwhile.