What Is Zero Trust Security?
Ever since cybersecurity first became an issue, we’ve been trying to protect data. Traditionally, we’ve assumed that all threats would come from the outside and that everyone within our network was “safe.” Several high-profile hacks proved that theory false, but it didn’t change how we did things.
Trust but Verify
Then, in 2010, John Kindervag, then a principal analyst at Forrester Research, Inc., announced a different model for securing data. This model, called zero trust security, had a more realistic premise: no one can be considered safe, whether they are inside or outside the perimeter of the particular system, because hacks can come from anywhere. “Trust but verify” applied to everyone, whether they were inside or outside the network. Kindervag’s model has evolved, but his core concept has remained: your network is only as secure as the user’s level of access.
This shift in how people think about security caught the attention of IT professionals. In fact, IDG’s 2018 Security Priorities Survey found that 71% of security-focused IT decision makers were aware of the zero trust model, 8% were actively using it in their organizations and 10% were piloting it.
Zero Trust Security
Zero trust security is based on an identity and access management (IAM) system. IAM systems begin with the premise that your network is being accessed by users and devices in unsecured locations, such as a coffee shop or an airport, so individual users must be identified as “friends” before they can gain access. Note that some systems are more sophisticated than others and that businesses need to conduct an in-depth analysis of how, when, where and why different users might want to gain access. Zero trust systems are used to enhance security in two primary ways:
1. Privileged access: Privileged access grants as-needed access to different levels of employees. For example, salespeople might have access to data concerning their customers, whereas sales managers might have access to their direct reports’ data. Neither group would have access to manufacturing data because that information is not directly related to their jobs.
Each level of permission unlocks additional data. Each unlocked data level (or microsegment) increases the company’s risk exposure. Consequently, once the user is identified, the IAM system verifies every access request, whether the data is stored on the company’s in-house servers, in the cloud or in third-party SaaS apps.
2. Integrated multifactor authentication: MFA is another important aspect of zero trust security. It should be in place for all privileged accounts and business-critical systems. Two types of MFA are flexible authentication policies and risk-based authentication:
- Flexible authentication policies both enhance security and provide ease of use.
- Risk-based authentication is a form of strong authentication that calculates a risk score for any given access attempt in real time. For example, a user might be locked out if he or she used an incorrect password too many times within a set time period. Certain situations require multiple levels of identification.
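The two mechanisms above, as one added example that is not from the original article or any particular vendor's product: every access attempt is evaluated against a role-to-microsegment table (the sales example), a per-user window of failed passwords triggers lockout, and a real-time risk score decides whether a second factor is required. The roles, segments, weights and thresholds are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

# Constructed role-to-microsegment table from the article's sales example;
# neither role is granted the "manufacturing" segment.
PERMISSIONS = {
    "salesperson": {"own_customers"},
    "sales_manager": {"own_customers", "direct_reports"},
}
MAX_FAILURES = 5        # wrong passwords tolerated inside the window
WINDOW_SECONDS = 600    # the "set time period" for counting failures
STEP_UP_THRESHOLD = 50  # risk score at which a second factor is demanded

@dataclass
class AccessRequest:
    user: str
    role: str
    segment: str           # data microsegment being requested
    password_ok: bool
    known_device: bool
    trusted_network: bool  # False on coffee-shop/airport Wi-Fi; True never grants access by itself
    timestamp: float

class ZeroTrustPolicy:
    def __init__(self):
        self._failures = {}  # user -> deque of failure timestamps

    def _recent_failures(self, user, now):
        q = self._failures.setdefault(user, deque())
        while q and now - q[0] > WINDOW_SECONDS:  # forget failures outside window
            q.popleft()
        return q

    def risk_score(self, req):
        # Unfamiliar device and untrusted location add risk; so do recent failures.
        score = 40 * (not req.known_device) + 30 * (not req.trusted_network)
        return score + 10 * len(self._recent_failures(req.user, req.timestamp))

    def evaluate(self, req):
        recent = self._recent_failures(req.user, req.timestamp)
        if len(recent) >= MAX_FAILURES:
            return "DENY: locked out"
        if not req.password_ok:
            recent.append(req.timestamp)
            return "DENY: bad credential"
        if req.segment not in PERMISSIONS.get(req.role, set()):
            return "DENY: not permitted"  # least privilege per microsegment
        if self.risk_score(req) >= STEP_UP_THRESHOLD:
            return "STEP_UP: require second factor"
        return "ALLOW"
```

A correct password from a recognised device on the office network returns "ALLOW", the same user requesting "manufacturing" is denied regardless of credentials, and an unknown device on public Wi-Fi is pushed to a second factor.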
Cybersecurity is a complex area that is only becoming more important. This may be the time to think about how your data is protected. Contact us to discuss zero trust security implementation at your business.