Understanding Zero Trust Architecture

Now more than ever, employees and users have more control over the applications they use. With more data and applications no longer behind the firewall, and with users increasingly able to connect freely and directly to work applications over the internet using personally owned devices, the need for Zero Trust Architecture is growing at pace.

Despite the term entering the security lexicon relatively recently, the concept itself has been around for nearly two decades. But with a lot of misinterpretation arising post-pandemic, as vendors were quick off the mark to use it for their own marketing gain, we felt it imperative to first define what Zero Trust is, as well as what Zero Trust isn’t. This week’s insight investigates.

What is Zero Trust?

Today, Zero Trust is a leading security model poised to evolve further in the years to come. Its name follows the maxim “never trust, always verify.” The name is based on the “default deny” posture for everyone and everything (enter: “zero trust”).

Zero Trust is, therefore, a strategic solution to a cybersecurity problem, ensuring that your SMART Building and entire OT system is secure through the elimination of implicit trust and the requirement to continuously validate every stage of a digital interaction.

The concept of Zero Trust has been around for many years but has gained a great deal of hype in response to the changing landscape and needs of our post-pandemic world, which has increased the need to secure more remote and hybrid workers than ever before. It has also been designed based on the realisation that traditional security models operate on the outdated assumption that “inside the building / network must mean trusted” and “outside means untrusted”. This implicit and, quite frankly, naive view means that once on the network, users – including threat actors and malicious insiders – are free to move laterally and access or exfiltrate sensitive data due to a lack of granular security controls.

With digital transformation accelerating in the form of a growing hybrid workforce, continued migration to the cloud, and the transformation of security operations, Zero Trust is crucial when it comes to the protection of modern environments. It enables digital transformation by using strong authentication methods, leveraging network segmentation, preventing lateral movement, providing robust threat prevention, and simplifying granular, “least access” policies.

If done correctly, a Zero Trust architecture results in higher overall levels of security for your SMART Building, but also in reduced security complexity and operational overhead. So, it’s a real win-win.

How does it work?

This security approach treats every access attempt as if it originates from an untrusted network — so access won’t be allowed until trust is demonstrated.

Once users and devices have been deemed trustworthy, zero trust ensures that they have access only to the resources they absolutely need, to prevent any unauthorized lateral movement through an environment. Adoption of zero trust can help address common security challenges in the workforce, such as phishing, malware, credential theft, remote access, and device security (BYOD).

This is done by securing the three primary factors that make up the workforce: users, their devices, and the applications they access.
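The three checks described above (user, device, application) can be expressed as a default-deny decision function. This is an added example, not code from the original article; the user names, application names and trust signals are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool     # user trust signal (assumed: MFA result)
    device_managed: bool   # device trust signal (assumed: enrolled in management)
    device_patched: bool   # device trust signal (assumed: passes health check)
    app: str


# Constructed sample policy: least-access entitlements per user, and the
# applications that may only be reached from a managed device.
ENTITLEMENTS = {
    "alice": {"hvac-console", "helpdesk"},
    "bob": {"helpdesk"},
}
MANAGED_DEVICE_ONLY = {"hvac-console"}


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Anything that is not an explicit allow is a deny."""
    if not req.mfa_verified:
        return False, "user trust not established"
    if not req.device_patched:
        return False, "device fails health check"
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return False, "no entitlement for application"
    if req.app in MANAGED_DEVICE_ONLY and not req.device_managed:
        return False, "application requires managed device"
    return True, "user, device and application checks passed"


def evaluate_all(requests):
    """Evaluate each request on its own; no decision is inherited from an earlier one."""
    return [(r.user, r.app, *decide(r)) for r in requests]


# Constructed sample requests, including a BYOD laptop and an unknown user.
SAMPLE = [
    Request("alice", True, True, True, "hvac-console"),
    Request("alice", True, False, True, "hvac-console"),  # BYOD to sensitive app
    Request("alice", True, False, True, "helpdesk"),      # BYOD to low-risk app
    Request("bob", True, True, True, "hvac-console"),     # lateral access attempt
    Request("mallory", True, True, True, "helpdesk"),     # unknown user
]

if __name__ == "__main__":
    for row in evaluate_all(SAMPLE):
        print(row)
```

Note that network location never appears as an input: a request from inside the building is evaluated exactly like one from the internet.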

What is Zero Trust NOT?

Zero Trust is often misunderstood because it is being misused as a marketing term. Vendors are applying the term to market everything in security, creating significant confusion which needs to be abolished. Most notably, it’s important to state that Zero Trust is NOT simply a product. It’s an approach. Zero Trust is far more than user identity, segmentation, and secure access. It’s a strategy upon which to build an entire cybersecure OT system.

Why adopt a Zero Trust security model?

Today’s cloud environments can be attractive targets for cybercriminals aiming to steal, destroy, or ransom business-critical and sensitive data, such as personally identifiable information (PII), intellectual property (IP), and financial information.
While no security strategy is perfect and data breaches will never be totally eliminated, zero trust is among today’s most effective strategies. Zero Trust reduces the attack surface and mitigates the impact and severity of cyber-attacks, reducing the time and cost of responding to and cleaning up after a breach.

Implementing Zero Trust within the workplace

Typically, there are five phases for successfully implementing Zero Trust in the workplace. These cover a business’s users, their devices and the process by which they access applications. The steps are as follows:

  1. Establish User Trust
  2. Device & Activity Usability
  3. Device Trust
  4. Adaptive Policies
  5. Completion of Zero Trust in the Workplace

Begin with a specific set of people, expand coverage for their applications, and expand coverage for their devices. Once the requirement to always verify trust is achieved within this well-defined scope, apply a set of reasonable policies to enforce trust and protect the organization. Finally, integrate this scope with the broader organization’s IT and security functions and shift to a mindset and practice of continuous improvement. This is a continual strategy and commitment to work on.

No single technology currently provides a full Zero Trust design and implementation. Businesses must look for a combination of tools and services to provide the full degree of necessary coverage. For most, a hybrid approach of both Zero Trust and existing infrastructure will need to coexist for some time. In this case, emphasis should be placed on the common components and control categories that could suitably enable both, such as identity and access management through directory service integration, endpoint security and policy enforcement, and network monitoring and traffic inspection.

As Zero Trust frameworks mature and evolve, so will standards and platform interoperability, likely facilitating more streamlined and effective approaches overall.

If you’d like more advice on how to design and implement a Zero Trust architecture within your SMART Building and connected workplace, then please contact us.
