SMB cyber security – time for zero trust


In the digitisation age, data is increasingly becoming ‘the business’, and the pressure to protect data and users from ever more sophisticated attacks calls for new, more effective ways of cyber protection. Unfortunately, statistics show that the battle to protect data is not heading in the right direction: according to Gartner, the number of breaches is increasing, as is the average number of records affected. At the same time, businesses are spending more money on security. So how can the security effectiveness gap be reduced?

One approach that is gaining currency, and is slated to become the predominant security architecture in the next few years, is Zero Trust.

Zero Trust Architecture for networks was devised by Forrester Research analyst John Kindervag in 2010. The essence of Zero Trust is that perimeter security is inadequate for today’s security threats. No one inside or outside the organisation should be trusted by default, and users should only be granted access to resources after both the user and their device have been identified.

This reminds me of one of my favourite lines from The X-Files: “trust no one, be afraid, be very afraid”. OK, probably not totally relevant, but I just thought I would work it in.

Both enterprise Information Security Officers and IT suppliers are embracing Zero Trust as the most effective approach. 

Zero Trust addresses the tendency to leave default settings on systems, and the fact that many businesses take a very egalitarian approach to internal users: everyone is equal. Many organisations also do not implement 2-factor authentication and rely on usernames and passwords stored in text files or, worse still, on post-it notes. Generally, protecting the perimeter is seen as the main security priority. In recent years this approach has been shown to be fatally flawed. Consider attacks such as Nyetya and WannaCry: the attackers met very little resistance once they had breached the perimeter and gained access to the network. The network perimeter is increasingly a blurry concept. As the way we work evolves, cloud services are becoming predominant, users are working remotely, and branches are connecting directly to the Internet. The Zero Trust approach adapts easily to this changing landscape because it ensures that security is pervasive rather than concentrated at the edge.


Some key steps associated with Zero Trust are outlined below:

User identity – verify user identity before granting access to applications, using secure mechanisms such as 2-factor authentication to identify users

Device visibility – gain visibility into the devices users are accessing systems from, and whether or not they are corporate-managed devices

Device trustworthiness – establish the posture of the device accessing systems: check that the device is secure, has up-to-date security configuration such as endpoint protection, and is patched to approved levels – access is not granted if a device does not meet the minimum security level

Enforce policies – define a granular policy of which users, on which devices, can access which applications, provided that they meet the minimum security levels

Secure all apps – enforce secure access to every application, based on single sign-on and irrespective of user location
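The five steps above describe the inputs a Zero Trust policy decision point consumes: a verified identity, device visibility, device posture, and a per-application policy that is applied regardless of where the user connects from. The following is an added illustration written for this post, not code from the original article or from any particular vendor's product. The data model, the sample users, devices and policies, and the numeric patch-level baseline are all constructed assumptions; real deployments would pull these attributes from an identity provider and an endpoint management system.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset          # group membership used for granular policy
    mfa_verified: bool         # step 1: identity proven with a second factor


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool              # step 2: visibility, is it corporate-managed?
    endpoint_protection: bool  # step 3: posture, endpoint protection running?
    patch_level: int           # step 3: constructed scale, higher = more recent baseline


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: frozenset  # step 4: which users...
    require_managed: bool      # ...on which devices...
    min_patch_level: int       # ...meeting which minimum posture


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple             # every failed check, so the denial is explainable


# Constructed sample policy set: one entry per application (step 4).
POLICIES = {
    "payroll": AppPolicy("payroll", frozenset({"finance"}), require_managed=True, min_patch_level=3),
    "wiki": AppPolicy("wiki", frozenset({"finance", "staff"}), require_managed=False, min_patch_level=2),
}


def evaluate(user: User, device: Device, policy: AppPolicy, location: str) -> Decision:
    """Zero Trust access decision: every check must pass, and none of them
    depend on the network the user is connecting from (step 5)."""
    reasons = []
    if not user.mfa_verified:
        reasons.append("identity: second factor not completed")
    if not (user.groups & policy.allowed_groups):
        reasons.append(f"policy: user not permitted to access {policy.app}")
    if policy.require_managed and not device.managed:
        reasons.append("device: unmanaged device not allowed for this app")
    if not device.endpoint_protection:
        reasons.append("posture: endpoint protection missing")
    if device.patch_level < policy.min_patch_level:
        reasons.append(
            f"posture: patch level {device.patch_level} below required {policy.min_patch_level}"
        )
    # `location` is accepted only to make the point visible: being on the
    # office LAN earns no trust, and being at home costs none.
    return Decision(allow=not reasons, reasons=tuple(reasons))


def decide(user: User, device: Device, app: str, location: str) -> Decision:
    """Look up the application's policy; unknown apps are denied by default."""
    policy = POLICIES.get(app)
    if policy is None:
        return Decision(False, (f"policy: no policy defined for {app}",))
    return evaluate(user, device, policy, location)


if __name__ == "__main__":
    alice = User("alice", frozenset({"finance"}), mfa_verified=True)
    laptop = Device("lt-001", managed=True, endpoint_protection=True, patch_level=3)
    for loc in ("office-lan", "home-wifi"):
        d = decide(alice, laptop, "payroll", loc)
        print(f"{alice.name} from {loc}: {'ALLOW' if d.allow else 'DENY'} {d.reasons}")
```

Two behaviours are worth noticing when you run it. The same user on the same compliant device is allowed from both the office LAN and home Wi-Fi, because location is not a trust signal. Conversely, a user sitting on the office LAN who has skipped the second factor, or whose laptop is below the patch baseline, is refused, and the returned reasons say exactly which step failed, which is what an operations team needs to fix the device rather than relax the policy.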

Zero Trust is gaining currency, and it is likely that you are already subject to such an architecture when you access other organisations' cloud systems. If you haven’t done so already, it will likely be a valuable and effective option to deploy in your own environment. In a future blog, we will look at some best practices for deploying a Zero Trust architecture.