Cybercrime reports have gone up over 300% in the last couple years. And a surprisingly large number of breaches happen with company employees involved, often because of mistakes like falling for phishing baits. Any insider in the company can potentially be a point of vulnerability that can expose the whole network. That’s why a Zero Trust model, which assumes potential breach through anyone (inside or out), is the strongest and best cybersecurity strategy today. But many people have some confusion about what Zero Trust really entails. Here’s a rundown of what a Zero Trust framework is made of, as well as a clarification of some things it’s not.
Zero Trust Principles
There are three guiding principles of Zero Trust that sum up its practice within an organization:
- Least-privilege access: Data should only be accessible by those who really to need to see it, and only when they need to.
- Explicit verification: Identity needs to be verified every time access is granted, based on every available data point.
- Assumed breach: A crucial shift in perspective in the Zero Trust framework is to assume that you have been or will soon be breached. This mentality puts you in a position of readiness to defend and respond.
For examples of how these principles can be implemented, see our article on Zero Trust through Azure AD.
Components of the Framework
There are particular areas you need to give attention to when setting up a Zero Trust policy. These are the vital components to consider in your security framework:
- End users: It’s important to know users’ business roles and the requirements that apply to them. Those working in different areas will have different requirements, and you’ll need to group them accordingly. Be clear about what access each group will need.
- Policy: This is a core part of your framework. Create an “acceptable use policy” that clearly defines what is allowed on company devices and what is not.
- Identity: Set up one centralized platform for Identity and Access Management (IAM) so users can securely verify credentials for the access that they need.
- Governance: Make sure to update your existing business governing processes to align with your new Zero Trust strategy. Setting up Multi-Factor Authentication (MFA) across all communication applications will give the organization a big security boost while supporting the new framework.
Misconceptions About Zero Trust
Through the years that this security model has been around, some varying thoughts about it have turned into Zero Trust myths and misconceptions. These are some of the misguided understandings surrounding it:
- Zero Trust is a solution product. Rather than a product you purchase, Zero Trust is a mentality and a framework. It’s a philosophy of “never trust, always verify.” There are various security products that can help you enact this philosophy, but they are not themselves Zero Trust. Regardless of what solutions you’re using, you need to continuously think through how you can best apply the framework’s principles.
- It means you have a lack of confidence in your employees. The stringent security outlook of this philosophy may make it seem like employers are suspicious of their employees or lack trust in them. But the mindset of Zero Trust has nothing to do with any particular employees and does not reflect their trustworthiness. Even unintentionally, every insider creates a vulnerability—no one is perfect. By applying the policy to everyone across the organization, you eliminate the need to try and figure out or judge who is vulnerable and who’s not.
- You have to rip and replace. Starting a Zero Trust framework can appear daunting if organizational leaders think they have to tear down what they have and start all over from scratch. But you can actually leverage existing solutions and technologies, adding tools if necessary. John Kindervag, who started the Zero Trust methodology, even states that deploying it one step at a time is best.
- Small organizations don’t need to implement it. While the strong cybersecurity measures of Zero Trust are crucial for big corporations, this does not mean that smaller companies don’t need it. About a third of data breaches in 2020 involved small businesses, and these smaller organizations are the biggest target of email phishing scams.
- Zero Trust isn’t meant for cloud environments. Many companies traditionally based trust on location: those within the walls of the organization could be trusted, whereas those outside them were potential threats. Clearly, that standard doesn’t apply anymore, since remote work has expanded those boundaries enormously. Zero Trust can be applied in any cloud environment, and it’s more important than ever to do so.
5 Steps to Deploy a Zero Trust Framework
Setting up Zero Trust can feel like a big task, so here’s a breakdown of the actions necessary to implement it. Tackling one step at a time makes it more manageable and ensures that you’re giving each one the attention it deserves.
- Define your most sensitive data. Start with the most confidential data in your organization and/or the application(s) and service(s) around it. Once your Zero Trust model is established, you can continually broaden the areas you’re protecting.
- Figure out your network’s traffic flows. Take a look at how traffic flows through your network so you understand well where your vulnerabilities lie.
- Develop your architecture. Once your prioritized data and traffic flows have been defined, you can build a custom plan made just for your particular organization.
- Design your policy. A helpful way to create your policy is to work with your gathered information and apply “5W1H” planning (also called the Kipling Method after one of Rudyard Kipling’s poems): ask Who, What, When, Where, Why, and How. Who needs access to what? When? Why?—and so on.
- Continuously monitor your network. Watching your traffic after policies have been made is an ongoing part of staying on guard.
Get Help Planning Your Strategy
If switching to a Zero Trust model still feels like a lot to you, you’re not alone. Let us know if we can help—it’s our mission to empower companies to build the strongest foundations for success and growth. And look out for our blog post next week on the return on investment you can get by adopting a Zero Trust framework.