
Zero trust: an answer to cybersecurity

 Published: August 30, 2022  Created: August 30, 2022

By BM Zahid ul Haque

CYBERSECURITY is in an uproar. The volume, velocity and aggressiveness of cyberattacks continue to increase. For an organisation, a cyberattack is not a matter of ‘if’ but of ‘when’. In the new ‘digital normal’, traditional perimeter defence is no match for the influx of cyber threats coming from all directions. Organisations need to view cybersecurity holistically, not address it through sporadic action after an attack.

Zero trust is an evolving set of cybersecurity paradigms towards a more comprehensive information technology security model. It allows organisations to restrict access controls of networks, applications, and environments without sacrificing performance and user experience. Zero trust is more of a ‘concept’ or ‘idea’ than a specific technology platform. It has shifted security from static, network-based perimeters to a more particular focus on users, assets and resources.

Zero trust principles are used to plan industrial and enterprise infrastructure and workflows. The zero trust concept is based on the belief that organisations should not automatically trust anything inside or outside their perimeters. Anything and everything trying to connect to any system must be verified before access is granted. In short, a zero trust approach trusts no one.

Zero trust is a concept

ZERO trust assumes that no implicit trust is granted to any system or user solely based on location or asset ownership. Authentication and authorisation are discrete functions performed before a session to an enterprise resource is established. Zero trust protects resources such as accounts, assets, networks, services, workflows, etc. The core idea of zero trust is simple — ‘assume everything is hostile by default.’

The zero trust approach relies on various technologies and processes to secure the enterprise IT environment. As a result, zero trust requires ongoing effort. Yet developing zero trust security is not about implementing any individual technology. Instead, it is about using technologies and processes to enforce the idea that no one and nothing has access until they are proved to be trusted.

While designing zero trust, it is, therefore, crucial to consider continuous monitoring and validation, identity and access control, least privilege, device access control, zero-trust network access, micro-segmentation, endpoint protection, prevention of lateral movement, multifactor authentication, etc.

Basic zero trust assumptions and principles

ZERO trust is built on the following basic assumptions: the environment is at risk all the time; there are both external and internal threats from beginning to end; the location is not enough to determine the credibility of the environment; all users, devices and network traffic are to be authenticated and authorised; and security policies must be dynamic and calculated based on as many data sources as possible.

Based on the assumptions, the zero-trust model is believed to adhere to the following basic principles:

Authenticate users: Assess user security based on location, device and behaviour to determine if the user is who the person claims to be. Then, take appropriate measures (such as multifactor authentication) to ensure user authenticity.

Authenticate devices: Whether they are corporate devices, BYOD (bring your own device), public hosts, laptops or mobile devices, implement access control policies based on device identity and security. Only trusted endpoints are allowed to access company resources.

Restrict access and permissions: If users and devices are authenticated, implement a role-based access control model for resources, giving them the minimum clearances to complete the work at the time.

Adaptive: Various sources, such as users, their devices and all related activities, continuously produce information. Leverage machine learning to set context-sensitive access policies and to adjust and adapt those policies automatically.
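The four principles above, combined into one default-deny access decision, as an added example that is not part of the original article. The role names, device ids, thresholds and the risk score are constructed assumptions; network location is recorded but deliberately never used to grant trust.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Constructed sample data: each role gets only the permissions its work needs.
ROLE_PERMISSIONS = {
    "payroll-clerk": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
}
TRUSTED_DEVICES = {"laptop-0142", "byod-7731"}  # constructed device inventory
RISK_STEP_UP = 0.5  # assumed threshold: at or above this, demand MFA
RISK_DENY = 0.8     # assumed threshold: at or above this, refuse outright


@dataclass(frozen=True)
class Request:
    role: str
    password_ok: bool           # primary authentication succeeded
    mfa_ok: bool                # multifactor authentication succeeded
    device_id: str
    device_compliant: bool      # assumed posture signal (patched, encrypted)
    on_corporate_network: bool  # recorded but never used to grant trust
    risk_score: float           # assumed behaviour signal, 0.0 to 1.0
    resource: str
    action: str


def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason); decision is allow, step_up or deny."""
    if not req.password_ok:
        return "deny", "user not authenticated"
    if req.device_id not in TRUSTED_DEVICES or not req.device_compliant:
        return "deny", "device not trusted"
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return "deny", "role lacks permission"
    if req.risk_score >= RISK_DENY:
        return "deny", "behaviour risk too high"
    if req.risk_score >= RISK_STEP_UP and not req.mfa_ok:
        return "step_up", "multifactor authentication required"
    return "allow", "all checks passed"


# Constructed baseline request: known device, low risk, off the corporate LAN.
BASE = Request("payroll-clerk", True, False, "laptop-0142", True,
               False, 0.1, "payroll-db", "read")

if __name__ == "__main__":
    on_lan = replace(BASE, device_id="kiosk-9", on_corporate_network=True)
    for label, r in [("baseline", BASE), ("unknown device on LAN", on_lan),
                     ("clerk writes", replace(BASE, action="write")),
                     ("unusual behaviour", replace(BASE, risk_score=0.6))]:
        print(label, "->", decide(r))
```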

Getting started with zero trust

TODAY, the basic zero trust concept has been determined, but how to make various technologies meet the standard remains a difficult question. Sometimes, the misuse of zero trust as a marketing term by different vendors creates significant confusion. There is no specific technique or technology used to implement zero trust security. However, security solutions can assist in implementing zero trust principles. When designing a zero trust model, the organisation’s security and IT teams should first focus on answering a few questions:

What are you trying to protect? From whom are you trying to protect it? What are your current threats and vulnerabilities concerning the user, device, network, application, and data security? Are you able to stop a ransomware attack or data leaks? Are insiders capable of stealing your corporate data, and how many people have access to sensitive information? Do you already have a zero trust strategy and a phased implementation plan? Are you enforcing zero-trust policies enterprise-wide?

Zero trust is not a project

WHILE there is no single, one-size-fits-all solution that can provide cyber defence against all possible cyber threats, any framework will inform how to design the model. In line with this, the most effective approach is to layer technologies and processes on top of the plan, not the other way around. Organisations can also take a phased approach, starting with either the most critical assets or a test case of non-critical assets, before implementing zero trust broadly. A maturity pre-assessment may also help to identify the stage of the organisation’s journey towards enterprise zero trust implementation.

Organisations can follow these steps during implementation: form a dedicated zero trust team; assess the environment; review the available technology; strategically plan integral zero trust activities; define operational changes; and implement, rinse and repeat.

Zero trust is a journey

FOR many reasons, zero trust initiatives fail, eg, not thinking enterprise-wide enough across all identities, failing to shift the mental framework to focus on continuous verification, and pursuing the strategy in a fragmented fashion. One additional point of failure is thinking small and short-term. Zero trust initiatives must have full sponsorship. Leadership and stakeholders’ support is crucial. A comprehensive zero trust programme requires participation from multiple departments within the organisation.

While no security strategy is 100 per cent perfect and cyberattacks or breaches will probably never be eliminated, zero trust is still among today’s most effective strategies. Zero trust allows organisations to implement better access control, contain breaches, protect assets and mitigate the potential damage. However, without a carefully planned architecture and adaptive strategy, it might waste time, effort and resources. Implementing a flexible and dynamic cybersecurity strategy is vital to becoming cyber-resilient.


https://www.newagebd.net/article/179507/zero-trust-an-answer-to-cybersecurity

