As Russia’s actions in Ukraine further exacerbate geopolitical tensions, and punitive economic sanctions are threatened as a deterrent, some predict ever more sophisticated cyber attacks to come. While trust is in short supply on the international-affairs front, businesses are often too generous with security and access across a corporate IT network, with many working on the principle that access, once granted for a job role, stays in place long-term.
But when a system is compromised, these lingering access permissions create easy pathways for threat actors, who in some cases dwell inside a host system for long periods before striking. This is where Zero Trust comes to the fore: removing implicit trust to better protect systems, assets and people. But what steps should IT leaders take to improve the security posture of their organisations?
Getting to Zero Trust
Adopting Zero Trust means always requiring verification of a user’s or system’s identity credentials, which vastly improves security. This matters all the more now that flexible and remote working have given IT leaders many new points of connectivity to secure. Zero Trust rests on a simple philosophy, Never Trust and Always Verify, which encourages closer supervision of the digital environment and the collection of information about it in the process.
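The difference between the standing, role-based access described above and per-request verification under Never Trust and Always Verify, shown as an added example that is not part of the article. The users, resource, time-bound grants, the eight-hour MFA freshness window and the device-posture flag are all constructed assumptions for illustration; in a real deployment these inputs would come from the identity provider, device management and entitlement systems.

```python
"""Added example (not from the article): a standing-access ACL beside a
per-request Zero Trust policy check. All names, thresholds and sample data
are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Subject:
    user: str
    mfa_verified_at: Optional[datetime]   # when the user last completed MFA
    device_compliant: bool                # outcome of a device-posture check


@dataclass
class AccessRequest:
    subject: Subject
    resource: str
    action: str
    now: datetime


@dataclass
class Grant:
    """A time-bound, least-privilege entitlement: user -> resource -> actions."""
    user: str
    resource: str
    actions: Set[str]
    expires_at: datetime


class StandingAccessModel:
    """Implicit-trust model: access is decided once and then simply persists."""

    def __init__(self, acl: Dict[str, Dict[str, Set[str]]]):
        self.acl = acl

    def decide(self, req: AccessRequest) -> Tuple[bool, str]:
        allowed = req.action in self.acl.get(req.subject.user, {}).get(req.resource, set())
        return allowed, ("static ACL entry" if allowed else "no ACL entry")


class ZeroTrustPolicy:
    """Never trust, always verify: every request is re-evaluated against
    identity freshness, device posture and an explicit, expiring grant."""

    MFA_MAX_AGE = timedelta(hours=8)   # assumed threshold, chosen for the example

    def __init__(self, grants: List[Grant]):
        self.grants = grants
        self.decision_log: List[Dict[str, str]] = []   # every decision is recorded for monitoring

    def decide(self, req: AccessRequest) -> Tuple[bool, str]:
        allowed, reason = self._evaluate(req)
        self.decision_log.append({"user": req.subject.user, "resource": req.resource,
                                  "action": req.action, "allowed": str(allowed), "reason": reason})
        return allowed, reason

    def _evaluate(self, req: AccessRequest) -> Tuple[bool, str]:
        s = req.subject
        if s.mfa_verified_at is None or req.now - s.mfa_verified_at > self.MFA_MAX_AGE:
            return False, "identity not recently verified"
        if not s.device_compliant:
            return False, "device posture non-compliant"
        for g in self.grants:
            if g.user == s.user and g.resource == req.resource and req.action in g.actions:
                if req.now >= g.expires_at:
                    return False, "grant expired"
                return True, "explicit time-bound grant"
        return False, "no explicit grant"


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Returns {scenario: (standing_model_allows, zero_trust_allows)} for constructed cases."""
    now = datetime(2022, 3, 1, 9, 0, tzinfo=timezone.utc)
    acl = {"alice": {"payroll-db": {"read"}}, "bob": {"payroll-db": {"read"}}}
    standing = StandingAccessModel(acl)
    grants = [
        Grant("alice", "payroll-db", {"read"}, expires_at=now + timedelta(days=30)),
        Grant("bob", "payroll-db", {"read"}, expires_at=now - timedelta(days=1)),  # left-over contractor grant
    ]
    zt = ZeroTrustPolicy(grants)
    cases = {
        "alice_fresh_compliant": Subject("alice", now - timedelta(hours=1), True),
        "alice_stale_mfa": Subject("alice", now - timedelta(days=2), True),   # long-lived session never re-verified
        "alice_unmanaged_device": Subject("alice", now - timedelta(hours=1), False),
        "bob_expired_grant": Subject("bob", now - timedelta(minutes=5), True),
    }
    results = {}
    for name, subj in cases.items():
        req = AccessRequest(subj, "payroll-db", "read", now)
        results[name] = (standing.decide(req)[0], zt.decide(req)[0])
    return results


if __name__ == "__main__":
    for name, (legacy, zero_trust) in run_scenario().items():
        print(f"{name:24s} standing={legacy!s:5s} zero_trust={zero_trust}")
```

The standing ACL answers yes to every request because the decision was made once and never revisited; the Zero Trust policy answers yes only when identity is fresh, the device is compliant and an explicit grant is still valid, and it leaves a decision record behind for the monitoring the article calls for.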
Taking a Zero Trust approach requires a change in planning, strategy and security operations. A comprehensive Zero Trust Architecture (ZTA) implementation, with the whole roadmap from discovery to implementation laid out, can seem daunting. But where an end-to-end vision across the consultation and delivery phases of the journey to ZTA can be guaranteed, the result is a more reliable, flexible and future-proof security set-up.
While many products and services aim to offer a Zero Trust solution, their offerings and capabilities can be confusing and may lock a business in to a particular provider or product range. Fortunately, the National Institute of Standards and Technology (NIST) has developed a vendor-neutral framework that helps organisations and security professionals manage their digital space more simply and effectively, addressing the entire IT infrastructure rather than looking for a solution in standalone products. Mapping security solutions to NIST’s ‘seven tenets’ helps to better structure, monitor and protect the connected enterprise.
In a world where products are often produced hastily in countries with low levels of quality assurance and poor transparency around labour practices, it is all too easy to adopt technologies that were manufactured cheaply and brought to market quickly. Short-term gain often results in longer-term cost. Speed of deployment should be balanced with thorough due diligence on the integrity of the vendor, the technology and, increasingly, the entire supply chain. Working closely with a trusted partner that operates under ethical codes of conduct provides assurance of corporate governance and closer scrutiny of working practices.
With the pace of digital transformation accelerating faster than ever, getting to Zero Trust by adopting NIST’s framework and working closely with providers that demonstrate integrity, adherence to ethical methods and a rigorous pursuit of trustworthy development practices offers a much clearer vision for robust security across the enterprise and a stronger pathway to success.
By Ian Collard