Trust is an almost priceless thing these days. Organizations large and small are scrambling to stay ahead of emerging threats as well as new regulatory measures designed to keep hackers at bay.

According to a report by Gemalto, more than 290 digital records were compromised every second of every day in the first half of 2018 alone.

If you’re a business owner, or are just interested in technology and cybersecurity, you may have heard of zero trust security. It’s become an important plank in any organization’s plan to protect data and keep people safe. What is it, and why should you start using it right now?

The fundamentals of zero trust

It
may sound deceptively simple at first, but a basic description of zero trust
security goes something like this: It’s a security model for information
technology (IT) that requires airtight identity verification for every
participant in a private network before each connection attempt.

Zero
trust makes no
distinction between
a client outside or inside the perimeter of the network. Everybody
must demonstrate trustworthiness — that they are who they claim to be — before
they are granted access.

Zero
trust doesn’t rely on any one technology — it requires a combination of several
best practices plus the right hardware and software.

More
familiar IT security models resembled “castles” and “moats.” That made it
tricky for bad actors outside the network to find their way inside, but it
meant giving a pass to clients already within the system. It made the dangerous
assumption that if somebody made it that far in the first place, they’re
probably supposed to be there.

READ  Sophos to demo cloud security and EDR offerings at GITEX - Tahawul Tech

However,
the castle-and-moat approach also means that once a bad actor obtains access,
they have nearly free reign over the network. The problem gets even harder to
manage when you consider the mix of cloud vendors and other locations housing
modern business data. Multiple repositories make it difficult to apply a single
security policy.

The
bottom line for zero trust is that it acknowledges that modern security threats
can come from inside or outside an organization and facility. It’s a reversal
of the “trust but verify” model. It becomes, “verify first, trust second.”

What best practices and technology does zero trust require?

There
are several best practices that an organization must commit to before it starts
talking about specific technologies or vendors. They are:

  • No attempt at network connectivity may be granted automatic trust, be
    it automated machine access or a human user. Trust is earned, every time.
  • Organizations must implement “least-privilege access.” This requires
    organizations to issue credentials that unlock only the databases and
    functionality that each employee needs to perform their functions, and prevents
    access to any others.
  • A company or organization must know which devices are connected to its
    network and when, so it can accurately appraise the current threat surface.
    That means implementing strict controls on whether personal devices may be used
    for work purposes and which security protocols must be put in place.

Organizations
that want to apply a blanket of security across their applications and web
properties have several vendors and features to choose from.

The technologies that power zero trust security

Before they go window shopping for a zero trust security solution, companies and organizations must think about which features they’ll need today and which ones they might need as they grow.

READ  Schumer calls for probe of China tech / Question raised over threat to national security of NYC subway cars - The Japan News

For instance, look for functionality that makes it easy to manage per-user access and credentials for in-house and remote employees alike.

The best zero trust networks will also use micro-segmentation, which is where a broad security perimeter is demarcated into separate access zones.

That kind of granular approach means critical workloads are isolated from the others or allowed to selectively work together in a way that boosts functionality without forsaking security.

Multifactor
authentication is another important addition to zero trust security. Remember
that the central tenet of zero trust is confirmation of identity for every user
or client of the network. However, simply entering a password doesn’t
constitute identity verification. In fact, it’s only one leg of the famous
security trifecta: something you know, something you have and something you
are.

Therefore,
multifactor authentication could be thought of as the backbone of any serious
zero trust security program. After a user enters a password — something they
know — they may be required to swipe a badge or respond on a secondary device
with a temporary code — something they have. A fully holistic approach to
security would top things off with a fingerprint or retina scan — something
they are.

Should you use zero trust security?

The
last question left is: Should my company use zero trust security? Depending on
whom you ask and the work you do, the answer might be, “You should’ve started
already.”

You
should know by now whether something like the General Data Protection
Regulation in the EU applies to your business model, because it may serve as a
template for similar data stewardship measures in the U.S. and elsewhere.

READ  Music festival inquest: police officer allegedly threatened patron with ‘slow’ strip search - The Guardian

Knowing
your sensitive customer, client or patient data is as well-protected as it can
be means you can get ahead of regulatory and compliance trends. To have a
better idea of whether zero trust is a good idea for you, consider whether, how
and how often you handle information that would cause a significant loss for
you or one of your customers if it became compromised.

Some university data management policies, for instance, create security classification tiers to determine how much of their data falls under compliance protections. They can decide where to apply managed access and other targeted security measures.

Finally, using zero trust security is a way to acknowledge that not every digital threat comes from outside an organization.

It’s not pleasant to think about, but one poll found that 42% of small-business owners named negligence or accidental loss as the reason behind their most recent cybersecurity incidents. Inside jobs are real — and they can come about for any number of reasons, including a disgruntled or just plain forgetful employee.

No matter what work you do, it’s dangerous to assume you’re out of harm’s way or not worth a criminal’s time. Zero trust security offers a way to protect your business or organization from an abundance of threats. Like anything, it’s not bulletproof — but it’s become an essential part of a robust security solution.

Last Updated on



READ SOURCE

WHAT YOUR THOUGHTS

Please enter your comment!
Please enter your name here