A realistic approach to the challenges and benefits of zero trust security.
Constant vigilance and suspicion are necessary in today’s world of sophisticated cybercrime and digital security threats. It’s not surprising that zero trust is a popular concept. It means that organisations should not trust anything inside or outside their digital perimeter. Anything (or anyone) trying to connect or gain access is treated as a new connection that must be verified before access is granted. That goes for people, devices and applications.
Zero trust is a heavily used buzzword, inspiring confidence when it’s used by cyber security and technology experts to imply a completely secure technology environment. The reality is that almost no-one in the security industry can deliver true zero trust without shutting down every connection and paralysing digital infrastructure. End-to-end zero trust is an academic concept – it’s not workable for the vast majority of contemporary organisations.
Zero trust has also given rise to another less positive catchphrase – ‘zero trust-washing’. Just like greenwashing in environmental circles, zero trust-washing is hype without action. Empty talk about zero trust can create a perception of robust security, when the reality is very different.
So how can you use zero trust in a practical way in a real-world environment? The trick is to apply the relevant aspects of this rigorous security approach in a pragmatic way that meets your specific requirements.
Make sure zero trust isn’t a barrier to workforce productivity
The challenge for smart CISOs and technology leaders is to deliver the key benefits of zero trust in a highly secure cloud infrastructure without excessive expense, complexity or purism. That means making sure it supports effective business operations rather than constraining them.
When you adopt the best elements of a zero trust approach, you need to make sure that employees can still access the systems, tools and data they need without disruption to their productivity. With hybrid and remote working commonplace and many applications residing in the cloud, there’s a lot of digital traffic from inside and outside your organisation – you need to supervise it closely. But it’s an own goal if your zero trust approach makes it harder for workers to do their job offsite.
Zero trust is a wide-ranging approach, not a software solution
The term zero trust was coined in 1994 in an academic paper at Stirling University. The author argued that trust can be defined mathematically – it’s a purist approach with its roots in academic theory. It wasn’t until 2018 that American cyber security researchers recommended zero trust architecture as fundamental to organisations’ cyber security planning.
Since then, the approach has been embraced by digital security specialists and CIOs in the US, UK and worldwide – but inevitably, there are differences in understanding and execution. Despite the neat name, there’s no off-the-shelf security product that can simply and completely switch on ‘zero trust’.
Putting aspects of zero trust into effective practice in your organisation is a strategic activity: it requires careful assessment of your existing data and technology estate and a definition of policies and principles to be applied when you acquire new digital solutions or make changes to your infrastructure.
Adopt key zero trust principles as part of your overall security strategy
In reality, zero trust almost never provides an absolute guarantee of security. That reassuring ‘zero’ we mentioned earlier, implying that nothing can penetrate your digital fortress, is unhelpful in this respect. The aspects of a zero trust approach that you can apply pragmatically will greatly reduce your vulnerability to security breaches and you’ll be better protected against malware, but it’s not inviolable. And it’s important to know this, to avoid complacency. As in every area of cyber security, criminals are developing sophisticated hacking techniques all the time, so monitoring and responding to the latest threats is as important as ever. Zero trust in the real world does not eliminate all security risks – phishing and exposure of sensitive data can still take place, for example.
Microsoft’s need to protect its global reputation and billions of users makes it a leader in zero trust security. Its approach is one of using zero trust principles to empower employees, rather than to constrain them. That includes allowing workers to use their own devices to access systems, with robust security checks that are quick and easy for users to fulfil. Microsoft recommends single sign-on, multi-factor authentication, password-less authentication and eliminating VPN clients. At Six Degrees, we support this approach.
You need a trusted partner to get the best from zero trust
There’s no one-size-fits-all solution when it comes to zero trust approaches. Every organisation needs to address all its applications and infrastructure, including legacy systems. But there are some key areas of focus when defining and implementing your security strategy that includes the best elements of zero trust:
- Implement a common identity management system
- Apply adaptive access controls
- Segment user-to-application access
- Segment workload-to-workload traffic
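The four focus areas above are easier to reason about when you see them applied to a single access request. The following is an added example, not Six Degrees’ code or any vendor’s product: a toy policy decision point in which every request, whether it arrives from the corporate network or the internet, is verified from scratch against a common identity directory, an adaptive access rule (device compliance, MFA freshness and risk signals), a user-to-application allow-list and a workload-to-workload allow-list. All principal names, roles, signals, thresholds and sample requests are constructed for illustration.

```python
"""Added example (not Six Degrees' code): a toy policy decision point that
applies common identity, adaptive access and segmentation to each request.
Names, thresholds and sample requests are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Optional

# --- Policy data (constructed for the example) --------------------------------
# Common identity management: one directory maps every user to a role.
USER_ROLES = {"alice": "finance", "bob": "engineer"}
# User-to-application segmentation: which roles may reach which applications.
USER_APP_POLICY = {"finance": {"payroll", "erp"}, "engineer": {"git", "ci"}}
# Workload-to-workload segmentation: which service identities may call which.
WORKLOAD_POLICY = {"web-frontend": {"orders-api"}, "orders-api": {"orders-db"}}
# Adaptive access: context signals that change the answer for this request.
BLOCK_SIGNALS = {"impossible_travel"}            # assumed: always deny
STEP_UP_SIGNALS = {"new_device", "new_location"}  # assumed: demand a fresh MFA
MFA_FRESHNESS_MINUTES = 5                         # assumed re-prompt window


@dataclass(frozen=True)
class AccessRequest:
    principal: str                 # identity asserted by the identity provider
    kind: str                      # "user" or "workload"
    target: str                    # application or workload being accessed
    authenticated: bool            # SSO token / workload credential validated
    device_compliant: bool = True  # endpoint management reports device healthy
    mfa_age_minutes: Optional[int] = None  # None = no MFA in this session
    network: str = "internet"      # recorded for audit, never used for trust
    risk_signals: frozenset = frozenset()


def evaluate(req: AccessRequest) -> tuple:
    """Return (decision, reason); decision is "allow", "deny" or "step_up".

    The network the request arrives from (corporate LAN, VPN or internet)
    is deliberately absent from every check below: location grants nothing.
    """
    if not req.authenticated:
        return "deny", "credential not validated by identity provider"

    if req.kind == "workload":
        allowed = WORKLOAD_POLICY.get(req.principal, set())
        if req.target not in allowed:
            return "deny", "workload-to-workload policy does not permit this call"
        return "allow", "workload segmentation check passed"

    if req.kind != "user":
        return "deny", "unknown principal kind"
    role = USER_ROLES.get(req.principal)
    if role is None:
        return "deny", "identity not in the common directory"
    if not req.device_compliant:
        return "deny", "device not compliant"
    if req.risk_signals & BLOCK_SIGNALS:
        return "deny", "high-risk signal present"
    if req.mfa_age_minutes is None:
        return "step_up", "multi-factor authentication required"
    if req.risk_signals & STEP_UP_SIGNALS and req.mfa_age_minutes > MFA_FRESHNESS_MINUTES:
        return "step_up", "re-prompt for MFA because the context changed"
    if req.target not in USER_APP_POLICY[role]:
        return "deny", "user-to-application policy does not permit this access"
    return "allow", "identity, device, MFA and segmentation checks passed"


if __name__ == "__main__":
    # Constructed sample requests: same user, different context, different answer.
    samples = [
        AccessRequest("alice", "user", "payroll", True, mfa_age_minutes=30, network="corporate"),
        AccessRequest("alice", "user", "payroll", True, mfa_age_minutes=30,
                      risk_signals=frozenset({"new_location"})),
        AccessRequest("alice", "user", "git", True, mfa_age_minutes=1),
        AccessRequest("bob", "user", "git", True, device_compliant=False, network="corporate"),
        AccessRequest("web-frontend", "workload", "orders-db", True),
        AccessRequest("orders-api", "workload", "orders-db", True),
    ]
    for s in samples:
        print(f"{s.principal:>13} -> {s.target:<10} {evaluate(s)}")
```

Two design points are worth noticing. The corporate-network request for Bob is denied purely on device posture, which is the "no implicit trust inside the perimeter" idea in one line; and Alice’s second request is not denied but sent for step-up, which is what keeps adaptive controls from becoming the productivity barrier the earlier section warns about.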
Zero trust principles form an important part of a strong strategic approach, but in the real world, successful cyber defence depends on rigorous, expert and thorough planning and execution, along with ongoing review and continuous improvement in a constantly evolving cyber security landscape. Working with a specialist cyber security partner to implement and manage practical zero trust protocols gives you access to deep and current knowledge and experience of the approach which can be difficult to sustain amongst your own team. It’s an area where focused, specialist support from a third party really can deliver value and insight that may be resource-intensive and difficult to establish internally.
If you’d like support or advice on adopting, assessing or improving zero trust protocols in your organisation, talk to the expert team at Six Degrees.
About the Author
Chris Cooper is Cyber Security Practice Director at Six Degrees. At Six Degrees, we’ve been helping organisations confront cyber security challenges for over 15 years. While cyber threats are always developing, our experience and industry presence are testament to our ability to stay ahead of emerging threats.