With alarm bells ringing globally over the rising threat from malicious actors, many stemming from the war in Ukraine, adopting a security posture based on zero trust has gained a new urgency.
The zero-trust model is designed to reduce risk exposure by eliminating unnecessary access and privileges across critical IT systems, thus creating a more "locked down" infrastructure.
Zero-trust policy hinges on enforcing least-privileged access and ensuring users do not have more permissions than are needed to complete their job.
To implement zero-trust successfully, IT security leaders must understand what the critical resources in their environment are -- from applications and networks to storage and devices -- as well as who can access them.
Enforcement of Zero Trust
Effective access control becomes a key consideration in the enforcement of zero trust.
Timur Kovalev, chief technology officer at Untangle, a provider of network security for SMBs, explains that even before the war in Ukraine, hybrid work and the growing number of cybersecurity risks had companies moving to zero-trust strategies.
“Now with the possibility of more Russian cyberattacks, zero-trust makes sense for companies wanting to protect their digital environments,” he says. “The key principle is that instead of first making services available and then locking down access to those services, no access is granted at all unless it is specifically and deliberately given.”
At its core, zero trust uses micro-segmentation to break up security perimeters into small zones to create separate access points for separate parts of the network.
While access may be granted to one zone, access to other zones requires separate authorization. Policies are often set to give users the least amount of access needed to complete a task.
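An added illustration (not from the article or from any vendor quoted in it) of the default-deny, per-zone authorization described above, plus a least-privilege review that flags grants nobody uses. The users, zone names and log entries are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    user: str
    zone: str    # one micro-segment, e.g. "finance-db"
    action: str  # e.g. "read" or "write"

# Constructed sample policy: every permitted access is listed explicitly.
GRANTS = {
    Grant("alice", "hr-app", "read"),
    Grant("alice", "hr-app", "write"),
    Grant("alice", "finance-db", "read"),
    Grant("bob", "finance-db", "read"),
    Grant("bob", "finance-db", "write"),
}

# Constructed access log of (user, zone, action) tuples.
ACCESS_LOG = [
    ("alice", "hr-app", "read"),
    ("alice", "hr-app", "write"),
    ("bob", "finance-db", "read"),
]

def is_allowed(user, zone, action, grants=GRANTS):
    """Default deny: access exists only if a grant names this exact user,
    zone and action. A grant in one zone implies nothing about another."""
    return Grant(user, zone, action) in grants

def evaluate(requests, grants=GRANTS):
    """Return (request, decision) pairs for a list of access requests."""
    return [(r, "ALLOW" if is_allowed(*r, grants=grants) else "DENY")
            for r in requests]

def unused_grants(grants, access_log):
    """Least-privilege review: grants never exercised in the log are
    candidates for removal."""
    used = {Grant(*entry) for entry in access_log}
    return sorted(grants - used, key=lambda g: (g.user, g.zone, g.action))

if __name__ == "__main__":
    requests = [("alice", "hr-app", "write"),      # granted in this zone
                ("alice", "finance-db", "write"),  # read-only in this zone
                ("carol", "hr-app", "read")]       # unknown identity
    for request, decision in evaluate(requests):
        print(decision, request)
    for grant in unused_grants(GRANTS, ACCESS_LOG):
        print("unused:", grant)
```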
SecZetta’s chief product officer Richard Bird says the first step for IT security leaders is simply being intellectually honest.
“Companies and organizations need to honestly confront the fact that their current security strategies are not working,” he says. “They have a massive number of unknowns within their systems -- unknown activities, unknown identities, unknown accesses.”
Eliminate the Unknowns
The next step every security leader needs to embrace on their zero-trust journey is to eliminate the unknowns within their systems and processes.
“IT leaders need to truly lead in times like these by vigorously questioning the effectiveness of their current security framework and architecture,” Bird says.
Zero-trust also employs other security measures, such as adding two-factor authentication, identity and access management (IAM), and other verification methods, or using an identity provider so that all authentication and authorization is centrally managed.
Kovalev says IT security leaders need to understand zero-trust isn’t a platform or device, but an initiative to protect digital environments based on the key principle of locking down access.
“For a company looking to set up a zero-trust solution, leaders should be aware that zero-trust doesn’t require a completely new type of infrastructure with a costly brand-new solution,” he says. “It’s feasible to build on the investments that companies have already made.”
Bird adds that IT leaders can express the benefits of zero-trust by being forthright with their business peers and their boards, explaining that maintaining the security status quo is a strategy of hope and luck, and that it is time to try something different.
“Something different doesn’t require spending a ton of money on new technologies,” he says. “Zero-trust simply requires you to re-think how you apply security controls in a way that eliminates the pervasive and persistent trust that they extend through system access.”