A vast majority of the corporate world is now working at home in the wake of the COVID-19 pandemic. While companies face myriad challenges during this time, it is critical that C-level executives keep security top of mind.
The reason? COVID-19 has brought a dramatic change to the threat landscape: cyber criminals and nation-state groups are increasing their attacks — with no sign of slowing down. Organisations must adjust quickly to this new reality by finding a more secure way to protect their data and assets.
This may well be the time to consider a Zero Trust approach.
In Zero Trust for maximum security, I discuss how the Zero Trust model, conceived in 2010 by John Kindervag, then principal analyst at Forrester Research Inc., assumes that everything around a network asset is hostile. As a result, anything and everything trying to access that asset must be verified. This “deny all, allow some” least-privilege principle, even within a trusted environment, is extremely effective in reducing security incidents.
Getting started on this shift will require planning from both a technology and personnel perspective. Organisations considering a Zero Trust environment will need to change the way they design and build their applications and services; these organisations will also need to ensure that stakeholders understand the model’s benefits before making the move.
That said, once past these hurdles, companies will find a new level of security that will enhance business practices for many years to come — throughout a range of scenarios, including our current situation.
If your organisation has, in fact, made the decision to move forward with Zero Trust, here are four key steps to take in advance.
- Learn what access is required to which asset. This should be standard operating behavior in any environment — applied to all assets, including devices, services, accounts and data — but should be a particularly important factor in our current remote-working scenario. For example, a database server can only be accessed via a certain application with specific login credentials through specific network ports; documents stored on a file server can only be accessed by specific users from a specific location.
- Establish a unified digital identity-centric framework. The Zero Trust model requires that this unique framework be in place in order to perform the necessary verification of digital identities. This framework is crucial to granting access to verified users or entities, understanding the context of the access and determining the correct policy to apply to the requested access. The unified aspect of the framework is particularly important, as many organisations still run a fragmented identity framework in different parts of the business.
- Define a robust access policy. Even when a user or entity is verified after being properly authenticated, it does not mean that this person/entity will always have complete access to an asset. A strong Zero Trust environment enforces good policies to achieve the least-privilege outcome. In fact, if developed correctly, good policies can detect anomalous activities that indicate malicious behavior; this is precisely how Zero Trust helps to proactively reduce security incidents.
- Monitor and optimise all approved access and react quickly to unapproved access. In an effective Zero Trust environment, a security operations center (SOC) must continuously monitor all access, approved or otherwise, to ensure cyber defense. Any unapproved access indicates that an anomaly has occurred, and it will require the cyber security team to investigate to determine whether there is an active attempt to compromise the environment. For all approved access, it is important to verify that the organisation is constantly reviewing policies to ensure that access is always aligned to business requirements.
One final tip: Zero Trust should be implemented in phases rather than as a big bang. A phased approach allows for a manageable transformation from a legacy “trust but verify” operation to a “do not trust and verify” outcome without adversely disrupting other parts of the business. This final point is particularly important as, in our current reality, phased changes may be all that companies — and their mostly remote personnel — can accommodate at the moment.