Zero Trust: How can you effectively manage your security posture?

20 August 2022


Zero Trust is a security framework built on the principle of “never trust, always verify”, a significant departure from traditional network security, which followed the “trust but verify” method. The Zero Trust approach requires that implicit trust is eliminated and that continuous verification is undertaken across every stage of a digital interaction. Implicit trust means that a user (including a threat actor) who is within the network perimeter can move laterally and access or exfiltrate data, as there are no granular security controls.

Considering the growth of hybrid working, Bring Your Own Device (BYOD), continuous cloud migrations and the increasing attacks on identity, implementing a Zero Trust approach to secure your IT environment is critical. Zero Trust should not be thought of as a single architecture but as an approach that takes a holistic view of how the cyber security ecosystem is implemented. At its core, Zero Trust is based on the following principles:

  • Verify explicitly: Always authenticate and authorise access for all resources.

  • Employ least privilege access: Grant access with the least privileges needed to fulfil the required action.

  • Limit the blast radius: Assume breach, continuously evaluate the security posture of your IT estate, apply patches / fixes as required and implement robust monitoring and reporting.

To get the benefits of Zero Trust, it is important to consider how Zero Trust controls and technologies can be implemented across the entire IT landscape covering:

  1. Identity and Users (e.g. employ strong authentication; use least privilege access)

  2. Endpoints (e.g. monitor device health and compliance; enable conditional access on devices)

  3. Applications (e.g. protect sensitive data within apps; monitor shadow IT)

  4. Data (e.g. classify, label and encrypt data)

  5. Infrastructure (e.g. real-time threat monitoring and detection)

  6. Networks (e.g. network segmentation; encrypt all traffic)
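
The three principles, combined with the identity and endpoint controls listed above, can be expressed as a per-request access decision. The sketch below is an added example, not part of the original article; the field names, roles and grant table are hypothetical. Every sample request comes from inside the corporate network, and that location is logged but never used to grant access.

```python
from dataclasses import dataclass

# Hypothetical least-privilege grants: role -> set of (resource, action).
GRANTS = {
    "finance-analyst": {("ledger", "read")},
    "finance-admin": {("ledger", "read"), ("ledger", "write")},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool        # strong authentication result for this session
    device_compliant: bool  # endpoint health/compliance signal
    resource: str
    action: str
    source_network: str     # recorded for audit only, never used to grant trust

AUDIT_LOG = []  # stands in for a monitoring and reporting pipeline

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate each request on its own signals; being 'inside' grants nothing."""
    if not req.mfa_passed:
        verdict = (False, "deny: strong authentication required")
    elif not req.device_compliant:
        verdict = (False, "deny: device not compliant")
    elif (req.resource, req.action) not in GRANTS.get(req.role, set()):
        verdict = (False, "deny: action exceeds role privileges")
    else:
        verdict = (True, "allow")
    # Assume breach: record every decision, allowed or denied.
    AUDIT_LOG.append((req.user, req.resource, req.action,
                      req.source_network, verdict[1]))
    return verdict

# Constructed sample requests, all originating from the internal network.
SAMPLES = [
    Request("alice", "finance-analyst", True, True, "ledger", "read", "corp-lan"),
    Request("alice", "finance-analyst", True, True, "ledger", "write", "corp-lan"),
    Request("bob", "finance-admin", True, False, "ledger", "write", "corp-lan"),
    Request("carol", "finance-admin", False, True, "ledger", "read", "corp-lan"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.resource, r.action, decide(r))
```
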

To successfully implement Zero Trust, organisations should consider:

  • Designing a Zero Trust architecture that takes a holistic view of the IT landscape

  • Conducting a current state assessment in relation to your Zero Trust target state

  • Developing a multiyear roadmap outlining the path to reach your target state

  • Implementing your Zero Trust roadmap

Zero Trust is an ongoing journey and requires continuous measurement of the progress of your Zero Trust implementation.
