A 2018 study conducted by Forrester found that organisations that adopt a Zero Trust Security approach are twice as confident about accelerating new business initiatives and customer experiences.
Zero Trust Security assumes that untrusted parties already exist both inside and outside an organisation’s network. In other words, not all staff and contractors might be trusted, and/or the organisation’s network or systems may already have been breached. Trust must therefore be entirely removed from the equation.
According to Forrester’s study, 58% of organisations have experienced a breach in the past 12 months. The study states, “Security leaders are urgently scrambling to defend every entry point, but traditional approaches to security, based on keeping out the ‘bad guys,’ while letting in the good guys, have proven ineffective.” In response, many security specialists are advising Zero Trust approaches that remove trust from the equation completely, moving away from the traditional “trust but verify” approach and replacing it with a “never trust, always verify” philosophy.
The different layers of Zero Trust
Zero Trust covers an entire organisation, including:
* People: Everyone who interacts with the organisation (including vendors, contractors, and IT service accounts) is given an identity and conditional access rights. “Conditional access rights” means continuous assessment of context and activity such that if an action seems anomalous, additional authorisation or monitoring is applied.
* Devices: All endpoints are secured, with changes and updates made as they occur to avoid security gaps.
* Applications: Most contemporary organisations use multi-cloud environments with a host of internal and external interconnected applications. Zero Trust provides visibility into the dependencies within and among all applications and databases and uses automation (such as AI) to identify anomalies in real time. Security rules are enforced at all times, even if the applications themselves lack adequate protection. In this way, Zero Trust removes the burden of compliance from employees, devices, and applications and places it on the central Zero Trust control system.
* Data: With Zero Trust, almost all data is encrypted. This protects against compromise if it ever ends up in the wrong hands.
Technical aspects of Zero Trust
Zero Trust enforces multiple layers of technical security controls, including:
* Verifying the identity of each user through a combination of identity governance, single sign-on, and multi-factor authentication to reduce the risk of credential compromise.
* Validating every device with mobile device management to enforce security, with local administrator privilege management to reduce local admin compromise, and with device identity management to ensure that only trusted devices are allowed to access organisational data and systems.
* Limiting access and privilege using privileged access management to ensure a user has the least amount of privilege required to perform their job.
* Continually learning and improving using AI, behaviour-based analytics and privileged access auditing/monitoring to automatically improve and adapt security restrictions.
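The layered checks listed above can be pictured as a single decision that is re-evaluated on every request. The following is an added illustration, not code from the study or from any product; the role names, actions, field names and anomaly thresholds are all assumptions.

```python
from dataclasses import dataclass, replace

# Least privilege: each role maps to the minimum set of actions it needs.
# Role and action names are hypothetical.
ROLE_PERMISSIONS = {
    "finance-analyst": {"ledger:read"},
    "finance-admin": {"ledger:read", "ledger:write"},
}
MONITOR_AT, STEP_UP_AT, DENY_AT = 0.3, 0.6, 0.9  # assumed anomaly thresholds

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    action: str
    session_valid: bool      # SSO session issued by the identity provider
    mfa_passed: bool         # multi-factor authentication completed
    device_managed: bool     # enrolled in mobile device management
    device_compliant: bool   # meets policy, e.g. no standing local admin
    anomaly_score: float     # 0.0 normal .. 1.0 highly unusual (analytics)
    reauthenticated: bool = False  # user just completed a step-up challenge

def decide(req: AccessRequest) -> tuple[str, str]:
    """Evaluate one request from scratch; nothing is trusted by default."""
    if not req.session_valid:
        return "deny", "no valid identity session"
    if not (req.device_managed and req.device_compliant):
        return "deny", "device is not trusted"
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        return "deny", "action exceeds role privileges"
    if req.anomaly_score >= DENY_AT:
        return "deny", "behaviour highly anomalous"
    if not req.mfa_passed:
        return "step_up", "MFA required"
    if req.anomaly_score >= STEP_UP_AT and not req.reauthenticated:
        return "step_up", "anomalous activity, re-authentication required"
    if req.anomaly_score >= MONITOR_AT:
        return "allow_monitored", "allowed with extra audit logging"
    return "allow", "all checks passed"

# Constructed sample request, not real data.
BASELINE = AccessRequest("alice", "finance-analyst", "ledger:read",
                         True, True, True, True, 0.1)

if __name__ == "__main__":
    for label, req in [
        ("baseline", BASELINE),
        ("write attempt", replace(BASELINE, action="ledger:write")),
        ("unmanaged device", replace(BASELINE, device_managed=False)),
        ("unusual activity", replace(BASELINE, anomaly_score=0.7)),
    ]:
        print(label, "->", decide(req))
```

A valid identity and a managed device are necessary but not sufficient: the same user on the same device is challenged again or denied once the requested action or the observed behaviour falls outside what the policy expects.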