And why should my organisation adopt it?
Traditional ‘trust’ doesn’t work for modern, connected enterprises
Zero Trust is a fundamental concept in identity and access. But let’s firstly think about what ‘trust’ itself is like in security terms. Traditionally, it works a bit like a castle and a moat. Everyone outside your organisation has to ask for the drawbridge to be lowered so they can get in.
Providing that they have the right username and password, the bridge will come down and they’ll be allowed inside. And that will be the end of that – they’re trusted not to do anything dastardly within the castle walls.
As we can see, this assumes a lot of things about traffic coming into your enterprise. Lots of identity and access management solutions that took this stance were commonplace only a few years ago.
Naturally, they are now impractical for organisations seeking to work with the most business-friendly technologies for identity and access management. Nowadays, the idea of digital ‘trust’ – a time-defined, contextual license to roam around your organisation’s internal apps, services and networks – is becoming unworkable.
But many organisations still have them in their identity and access infrastructure. This is a risk, and it’s often going undetected until there is a security breach.
Teleworking has made ‘trust’ impossible in a digital environment
Indeed, this is even more pertinent today. As you read this, the shift to working from home is only accelerating the decline of traditional, trust-based security. As many employees are working from outside your organisation’s network, new security demands have caught many employers unawares.
Many have neither the time nor the expertise to understand that their identity and access management systems have become outdated. When clients and colleagues are working outside your organisation’s digital environment, you need to be able to understand the nature of the users and their activities in your systems, 24/7. This wasn’t always necessary before.
It is now.
It means that, without the right systems to bring key stakeholders the right intelligence, at the right time, about users and usage patterns, organisations become vulnerable to attack, as they cannot react quickly enough.
What should I adopt instead?
A really safe approach to securing your organisation should mean that you can answer these questions:
- Who do you trust to access and control data?
- When should you trust them?
- What applications and services do they need?
The way to do this is to never offer the castle and moat view of trust and implement a Zero Trust architecture. This is a standard devised and regularly updated by the US Government’s National Institute for Science and Technology (NIST).
It does away with the free roam around your environment. In its place, you stay in a mindset that your systems could always be breached, instead of assuming that users in your digital environment will always behave the way you’d want. This means making all internal stakeholders visible and accountable for what they do while working for, or with, you in your organisation’s digital space. Everything is logged and monitored for total transparency.
And by protecting your most vital assets with flexible, just-in-time rules and software functions, in order to minimise their exposure to breach, you can isolate risk in a very specific way. This makes access to these areas of data as narrow and as rule based as necessary for your organisation’s security needs.
With this approach, you know who has access, as your systems will always demand a credential with multiple identifying features about every user (location, username and password, two-factor, etc.). You know when and for how long they have that access, as your systems will monitor this. You know what applications and services they are using with the access they’re given and what they’re doing with them, again using the monitoring function – which will sound the alarm if it perceives activity that is out of ordinary, day-to-day usage patterns.
The big picture on Zero Trust
Once you’ve got all this information, you can fully understand the activities and behaviours of everyone in your organisation’s digital environment. This is then easily available in the event of a breach, audit or system failure. It saves money and time while offering a solid platform to reassure colleagues and clients alike that their information is always securely locked down. It also lets you quickly identify and segment network traffic and pick out actors who shouldn’t be there, in a way that a simple username and password can’t manage.
Most importantly and handily for organisations of all sizes, Zero Trust works with legacy applications. You can wrap this approach around more dated systems and portals that are currently in place. This way, you can get the security for your clients and employees, as well as vigilance on user activities, without causing massive outages and inconvenience, and without replacing systems. Zero Trust is better for you, for your organisation’s data integrity and, in these strange times, for its adaptation to the permanent shift in working from home.