Zero-trust is all the rage these days – and with good reason. And no, I’m not talking about the zero-trust you have for the telemarketer calling with that extended car warranty that you absolutely must have. I’m talking about zero-trust in terms of cybersecurity. It’s a shift in security philosophy that requires more in-depth tactics to prevent a security breach.
It’s tough not to think about cybersecurity these days. It seems like we see a headline every day about another company – surely with a considerable IT investment – that got hacked. The average number of weekly cyberattacks per organization is rising by more than double year over year in the U.S.
[Figure: Average weekly cyberattacks per organization]
So how does zero-trust change the cybersecurity game?
The traditional approach has been one that guards the perimeter of an IT environment and has a “trust but verify” philosophy. That means that a user will be authenticated at the perimeter and once they’re inside the network, they are trusted. Think of it like a castle with a moat around it. The castle is your company’s network – complete with all the streets, courtyards, kitchen, armory, throne room, and treasury. The only way to get into the castle is to cross over the moat via the drawbridge. “Trust but verify” would have users approaching the drawbridge, the guards would ask for identification, and once the user is identified, they enter the castle walls. Then they are in. They can access basically whatever they need to inside the castle.
Zero-trust takes this approach a step further, and is all about “trust nothing, verify everything.” In this philosophy, the guards are constantly watching the user once they are admitted to the castle to ensure that 1) they are still who they say they are and 2) they are accessing what they should be accessing. For example, you may have a user entering the castle, and they should have access to the kitchen because they are the cook. But they shouldn’t have access to the treasury, the armory, or many other rooms. The knight, on the other hand, will have access to the armory, but not the kitchen, the throne room, etc. The treasury may only be accessed by very few people in the kingdom – maybe the King, Queen, and a couple of senior advisors. And just because a user has donned a helmet and some armor, we aren’t going to just assume there’s a knight in front of us!
Zero-trust is basically a no assumptions policy. No part of a company’s IT system should assume that any other part – be it software or a user – is what or who they say they are. And it assumes that everything may have already been compromised by a hacker. It’s a containment approach that you can also think of as… dare I use a COVID reference… isolation to mitigate risk. To use another analogy, let’s say you’re invited to a party. Zero-trust would assume that you have a virus. We would confirm that you don’t and only then would allow you to accept an invitation to our party. The day you show up at our door for the party, we would again verify you didn’t have the virus before we let you into the house.
Adopting a zero-trust approach means changing many layers of security. Some common zero-trust tactics we use are:
- Multifactor authentication for company accounts
- Giving users access only to systems and data that they need for their roles
- Ensuring sensitive data is stored in a place where it can be strictly secured rather than scattered throughout multiple databases
- Rotating credentials that allow people and computers to access other systems, which requires users to log back into company systems more often
- Behavioral analysis software that monitors activity and flags anything unusual – such as your credit card pausing a transaction in a new city until you approve it
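To make the contrast concrete, here is an added example (not code from the original post) that evaluates the same requests under the castle-and-moat model and under a per-request zero-trust check covering MFA, credential age and role-based access. The users, roles, rooms and the 900-second rotation window are constructed assumptions based on the castle analogy.

```python
from dataclasses import dataclass

# Constructed data based on the castle analogy; all names are hypothetical.
DIRECTORY = {"alice": "cook", "bram": "knight", "queen": "royal"}
POLICY = {"cook": {"kitchen"}, "knight": {"armory"},
          "royal": {"treasury", "throne_room"}}
MAX_CREDENTIAL_AGE = 900  # seconds; assumed rotation window

@dataclass
class Request:
    user: str
    resource: str
    mfa_passed: bool
    credential_issued_at: float
    inside_perimeter: bool = True

def perimeter_allows(req: Request) -> bool:
    """Castle-and-moat: anyone past the drawbridge reaches every room."""
    return req.inside_perimeter

def zero_trust_allows(req: Request, now: float) -> tuple[bool, str]:
    """Check identity, credential freshness and least privilege per request."""
    if not req.mfa_passed:
        return False, "mfa required"
    if now - req.credential_issued_at > MAX_CREDENTIAL_AGE:
        return False, "credential expired"
    # Role comes from the directory, never from what the requester claims.
    role = DIRECTORY.get(req.user)
    if req.resource not in POLICY.get(role, set()):
        return False, "not permitted for role"
    return True, "ok"

def trust_gap(requests, now):
    """Requests the perimeter model admits but zero trust denies."""
    gap = []
    for req in requests:
        allowed, reason = zero_trust_allows(req, now)
        if perimeter_allows(req) and not allowed:
            gap.append((req.user, req.resource, reason))
    return gap

NOW = 10_000.0
SAMPLE = [  # constructed requests
    Request("alice", "kitchen", True, NOW - 60),
    Request("alice", "treasury", True, NOW - 60),
    Request("bram", "armory", True, NOW - 3600),
    Request("bram", "armory", False, NOW - 60),
]

if __name__ == "__main__":
    for row in trust_gap(SAMPLE, NOW):
        print(row)
```

Every row returned by `trust_gap` is a request the perimeter model would have let through unchecked, which makes it a quick way to see where least privilege and credential rotation actually change outcomes.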
To get started, the key thing to think about with zero-trust is to identify what’s most valuable or most sensitive to your company. To go back to the castle analogy, what is your equivalent of your treasury, kitchen, or armory? What do you need for your company to continue to operate effectively? How do you first ensure that these assets are secured with a zero-trust approach?
Keep in mind that zero-trust is a philosophy – it’s not a one-size-fits-all set of tactics. Implementing zero-trust will be different for every organization because it’s based on each organization’s unique needs. If anyone is trying to sell you zero-trust as a one-off project or a set of concrete deliverables before they completely understand your business, please be skeptical. To successfully implement a zero-trust approach, it must be done thoughtfully and incrementally to ensure there is no business disruption. It requires collaboration between the organization’s leadership and an IT partner that has a CIO-level strategic advisor and a team that understands the full complexity of an IT environment.
If you would like to discuss your company’s security approach, we are happy to chat. We also have a quick, complimentary security assessment we can talk through so you can understand the general baseline of your environment.