In a previous post, our security expert Thomas Öberg wrote about the changing behaviour of users and how companies going into the cloud cannot be protected by high walls of traditional IT security. Threats to businesses are on the rise, and ID hijacking in particular. In the post, Thomas presented the new IT security strategy Zero Trust. In this post you can read about what Zero Trust actually is.
What is Zero Trust?
Zero Trust is not a product, it's a security strategy that takes a new approach to IT security. Instead of just building strong scale protection, it strengthens security around users with advanced technology where every login is considered unsafe until proven otherwise.
How does Zero Trust work?
Simply put: Trust no one, question everything.
A traditional security strategy leans towards high walls, i.e. things like firewalls, VPN connections and encrypted wifi. That's not good enough protection today with mobile workers and cloud computing. Threats have also changed to focus on ID hijacking.
With a traditional security solution, it is difficult to be sure who is logging in, is the account hijacked or not? But if you assume that all accounts are hijacked, all computers have viruses and all connections come from the darknet, you will create a strategy to deal with it.
What can a Zero Trust strategy look like?
A Zero Trust strategy contains a wide range of components. In simple terms, it can be described as a multi-layered process.
- User verification including multi-factor authentication, MFA, and role-based user rights.
- Is the device up to date, does it have virus protection?
- Verify access. What network is the user on? Which country? How is the user trying to access the data via the file manager or via an API?
- Verify the service the user wants to log in to. Is it an on-prem server with an old AS400 or a cloud service?
- Then there is the threat assessment and the protection value of the data.
All this generates signals that indicate whether the user can be trusted.
It sounds like an incredibly large task to set up, administer and monitor?
Both yes and no. IT security is something that requires resources and cannot be done left-handed, if you want a secure IT environment.
Yes: it's an incredibly comprehensive one. It is virtually impossible to manually set up and manage a Zero Trust-like environment in a traditional system.
No, with modern tools it's manageable: it's easier than you think. With the help of Artificial Intelligence and Machine Learning, which analyse all signals to find patterns, it becomes possible to manage a Zero Trust environment.
Is Zero Trust forcing companies to start from scratch with their security work?
No, good shell protection in the form of firewalls, virus protection and managed devices is still required. Zero Trust, as I said, is not a product you install, but an approach that leans on the security that exists and uses AI to ensure that users are who they say they are by using a variety of signals.
How does a company get started with Zero Trust?
Zero Trust will build on many of your existing security investments, so you've probably already made progress on your security journey. Phase in new security services when your organization is ready. For example, multi-factor authentication, MFA. If you turn it all on at once, it's going to be a pain. The smartest thing to do is to introduce new services in stages, starting with ID protection, which is the most important thing today.
How will it affect the employees, is it the end of working in a café?
Not at all. With Zero Trust implemented, it will be safer for the company but with some adjustments for the employees. Using MFA is not so annoying once you get used to it and you may not be able to access sensitive documents while sitting in Moscow airport. The inconvenience for employees has to be weighed against the risks. The options are to take very big risks or move everything back inside the wall.
Is it just honking and driving?
Remember that Zero Trust is a methodology and a strategy. You have to work on IT security all the time, even when everything is set up and working. New threats and new behaviours emerge all the time. Don't forget to train employees how to recognise threats like phishing and how to act safely online. Zero Trust is a way of thinking!
How far has your company come on its security journey? Is it time for you to embrace Zero Trust and move towards a modern security strategy? Read our guide on how IT security is changing or get in touch we'll tell you more about how you can work securely in the cloud.