Scott McKellar is currently a Technical Consultant at Mimecast, where he has been since early 2019. Scott has been working in the technology industry for fifteen years and is passionate about technology and security. Scott enjoys understanding his customers' and prospects' often complex business challenges and aligning them with technology to solve problems and add value. Prior to his role at Mimecast, Scott headed up the technology team for a leading Australian Wi-Fi analytics SaaS and IaaS provider, Discovery Technology (a Data#3 company).
With companies transitioning to cloud-based systems and the rise of remote working, the Zero Trust model has been gaining momentum across many organisations as the demand for security increases. According to data from 2019, 78% of cybersecurity teams had implemented this model or at least were planning to make the move. Let’s break down the idea of Zero Trust and see what makes it such a compelling security model for modern enterprises.
The security perimeter is evolving
Perimeter security aims to build a border between the corporate network and the rest of the world. In this strategy, the interior of the perimeter then becomes a ‘trusted zone’ - a digital environment in which users, devices, and applications are assumed to be secure and can freely connect to exchange data.
But the well-defined border of the “perimeter” is growing fuzzier as the number of mobile and IoT devices and the use of third-party cloud services increase. These days, a sizable chunk of corporate resources is scattered offsite, much of it run by third-party providers located overseas. Trying to wall off these moving parts within a single secure environment is just not practical.
Data-driven organisations needed a better way to secure their key resources, which is how the concept of Zero Trust evolved. Zero Trust abandons the internal-external environment distinction and focuses instead on securing individual ‘nodes’ or corporate resources. These nodes can be individual devices, databases, mini-networks, or cloud services. In this model, users, devices and applications are subject to checks every time they request access to a node.
Putting Zero Trust to work
Any Zero Trust system is built on a few core principles, designed with the assumption that anyone or anything accessing a node is untrusted and must be verified before being granted access. Let’s take a look at what these principles look like in practice.
Protecting nodes instead of the perimeter
Unlike the classic approach, which tries to provide blanket perimeter protection, the Zero Trust model breaks corporate infrastructure and other resources down into decentralised nodes, each of which can consist of as few as one device or application. The result is lots of mini-perimeters, each with its own security policies and access permissions. This allows flexibility in managing access: if one node is compromised, the rest can carry on relatively unaffected, blocking the spread of any malware or other security risk.
Establishing a “protect surface” instead of reducing the attack surface
Zero Trust focuses on establishing a “protect surface,” which includes only the assets an organisation needs to keep secure - confidential data, infrastructure components, etc. By comparison, the attack surface includes all potential points of vulnerability across a given environment, including infrastructure assets, processes, and malicious actors. By focusing on securing specific nodes rather than trying to protect the entire network against every possible external threat, a protect surface can be considerably smaller and easier to manage than an attack surface.
Mandating user authentication and the least-privilege principle
In Zero Trust, for each session, every user, device, and application must pass the authentication process and prove that it has the right to access the data requested. Each user is also granted only the minimum privileges they need to perform their designated task. By structuring security requirements this way, if an account is hacked or misused, the attacker cannot spread very far and the damage can be contained.
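The two principles above (per-node mini-perimeters, and per-session authentication with least privilege) are easiest to see in a small policy decision point. The following is an added illustration, not code from the article or from any product it mentions: every request is re-checked against the policy of the one node it targets, the session token is verified on every call, unmanaged devices are refused where the node's policy demands it, and a user only receives the actions their roles grant on that node. All users, devices, nodes and the signing key are constructed sample data.

```python
"""Added example: a minimal Zero Trust policy decision point.

No request is trusted because of where it comes from. Each call to
authorize() re-verifies the session, checks device posture against the
target node's own policy, and grants only the actions the caller's roles
carry on that specific node. Everything below is constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key; a real deployment would rely on tokens issued by an IdP.
SECRET = b"demo-signing-key"


@dataclass(frozen=True)
class Session:
    user: str
    device_id: str
    issued_at: int  # seconds
    token: str      # HMAC over (user, device_id, issued_at)


def _sign(user: str, device_id: str, issued_at: int) -> str:
    msg = f"{user}|{device_id}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_session(user: str, device_id: str, now: int) -> Session:
    """Mint a session bound to both the user and the device that authenticated."""
    return Session(user, device_id, now, _sign(user, device_id, now))


def session_valid(s: Session, now: int, ttl: int = 900) -> bool:
    """Token must verify and must not be older than ttl seconds."""
    expected = _sign(s.user, s.device_id, s.issued_at)
    return hmac.compare_digest(expected, s.token) and 0 <= now - s.issued_at <= ttl


# Each node is its own mini-perimeter with its own policy (constructed data).
NODES = {
    "hr-db": {
        "roles": {"hr-analyst": {"read"}, "hr-admin": {"read", "write"}},
        "require_managed_device": True,
    },
    "wiki": {
        "roles": {"staff": {"read"}, "editor": {"read", "write"}},
        "require_managed_device": False,
    },
}

# Role assignments and the device inventory (constructed data).
USERS = {"alice": {"hr-analyst", "staff"}, "bob": {"staff", "editor"}}
MANAGED_DEVICES = {"laptop-001"}


def authorize(session: Session, node: str, action: str, now: int) -> tuple[bool, str]:
    """Return (allowed, reason) for one request against one node.

    Nothing is cached between calls: the session, device posture and
    least-privilege role set are evaluated afresh every time.
    """
    policy = NODES.get(node)
    if policy is None:
        return False, "unknown node"
    if not session_valid(session, now):
        return False, "session invalid or expired"
    if policy["require_managed_device"] and session.device_id not in MANAGED_DEVICES:
        return False, "unmanaged device"
    # Least privilege: only the actions this user's roles carry on this node.
    allowed_actions: set[str] = set()
    for role in USERS.get(session.user, set()):
        allowed_actions |= policy["roles"].get(role, set())
    if action not in allowed_actions:
        return False, f"no role grants '{action}' on {node}"
    return True, "ok"


if __name__ == "__main__":
    now = 1_000_000
    alice = issue_session("alice", "laptop-001", now)
    print(authorize(alice, "hr-db", "read", now))    # allowed
    print(authorize(alice, "hr-db", "write", now))   # denied: least privilege
    phone = issue_session("alice", "phone-9", now)
    print(authorize(phone, "hr-db", "read", now))    # denied: unmanaged device
```

Note that `bob` holds the `staff` role and can read the wiki, but that role grants nothing on `hr-db`; a compromise of his account stops at the nodes his roles actually cover, which is the containment the text describes.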
The challenges of deploying Zero Trust
The transition to Zero Trust can prove lengthy and cumbersome for many organisations. If your employees use both office equipment and personal devices for work, for example, then every piece of hardware must be inventoried, security policies must be set up on all work-related devices, and access rights for non-registered devices must be revoked. For large companies with branches in multiple cities and countries, this can easily snowball into a huge logistical nightmare.
To make things even more complicated, not all systems are well-suited to Zero Trust. If your company has a complex infrastructure, for example, it may use legacy devices or software that can’t support current security standards. Replacing or updating these systems will mean a huge investment in time and money.
Then there’s the human element. Your employees, including members of your IT and cybersecurity teams, may not be too thrilled about the new framework. Zero Trust means a big reshuffle of data rights, procedures and responsibilities, as well as the banning of ‘shadow IT’. This can leave some users feeling annoyed and inconvenienced, especially those who prefer using their own hardware or apps to get work done. If your organisation uses external contractors or consultants, the tangled issues of access privileges and BYOD (Bring Your Own Device) policies can make matters even more complicated.
The practical way forward for these organisations is to gradually introduce Zero Trust systems into their infrastructure, piece by piece. Even Google needed seven years to implement the BeyondCorp framework, which is based on the Zero Trust model. In most cases, implementation time should be shorter for organisations with smaller IT footprints, but even so, it’s not a small project. It can take anywhere from a few months to even years to fully transition to Zero Trust.
Why Zero Trust is the security design of the future
The transition to Zero Trust may seem too costly for many organisations, but it’s important to take a holistic view of the outcome. On an ongoing basis, the organisation will benefit from lower cybersecurity costs, fewer incidents and the convenience of being able to upgrade individual nodes as needed without having to overhaul the entire system.
With the increasing adoption of cloud-based services across the board, as well as growing demand for more flexible IT infrastructures, Zero Trust is soon likely to become a standard part of security design for all modern organisations.