As the cybersecurity landscape becomes more complex, security professionals are constantly looking for ways to create a ‘future-proof’ cybersecurity strategy.

Such a strategy would ensure that when new attack methods are discovered, organisations would not need to implement new tools or procedures to keep their data, networks and devices safe.

There are a few security strategies that aim to do this, from defence in depth to continuous threat exposure management, but none are as comprehensive and successful as zero trust.

This article will discuss the core principles of zero trust, and how businesses can implement the strategy, including best practices to follow.

What is Zero Trust?

Zero trust is a modern security paradigm designed to mitigate risk and reduce the impact of a cyberattack. In its simplest form, zero trust assumes that all individuals, devices, servers and identities that are attempting to access company resources cannot be trusted, even if they are on a trusted network.

This is in stark contrast to traditional IT network security, which is based on the castle and moat concept. The castle and moat concept is where everything inside the castle, or the organisation’s network, is safe and can be trusted, and the moat will keep attackers out.

Defence in depth is another concept, where multiple layers of defence are added outside of the moat to further reduce the chance of an attacker making their way into the castle.

There is a fatal flaw in the castle and moat concept. If an attacker manages to make their way into the castle, they have free rein to do whatever they want, as everything is open and accessible. This flaw is made worse by the fact that modern businesses use many services and store business-critical or sensitive data in multiple places, across numerous cloud services.

Returning to the castle and moat analogy, zero trust assumes that there is already an attacker inside the castle, so no one can be trusted unless they can prove that they should be there and are entitled to the goods inside.

Core Principles of Zero Trust

Now that the concept of zero trust is understood, there are core principles which underpin zero trust and need to be implemented to keep a business secure.

Verify explicitly

The first principle of zero trust is to verify explicitly. This means that the identity and authenticity of every user, device and server must be verified before they access any data. This principle closely relates to multi-factor authentication (MFA), as it requires users to present multiple factors before being given access to a system.

Use least privilege access

Least privilege access means that users should only be given the minimum access level required for them to do their job. In practical terms, this means that a customer service employee does not have access to files and information that they do not need: for example, they will not have access to finance data, just as finance employees will not have access to the CRM.

This means that if an attacker does gain access to a user account, they are not able to access all files and data within the organisation.

Assume breach

Within zero trust, businesses should always assume that there is an attacker in their network. This relates to verifying explicitly: even if there is a breach, the attacker cannot pass verification.

Every day there are more than 600 million attempted cyberattacks, meaning it is highly likely that at some point in time, any business will be involved in a breach. Zero trust ensures that the breach will be quickly identified and the impact will be minimised.

Segmentation

To minimise the risk of lateral movement and to enable least privilege access, the security perimeter needs to be broken into smaller zones or segments.

This means that each employee, once verified, has permission to view or edit only specific segments. This also simplifies identity and access management.

Steps to Implement Zero Trust

Implementing zero trust is a lengthy process that requires in-depth planning and project management. Poor implementation, or poor communication from the project group to the wider business, can frustrate employees and cause them to find workarounds that reduce the organisation’s security posture.

Define and assess the current attack surface, security posture and controls in place

Before any zero trust principles can be applied, an organisation must assess its current attack surface and the controls currently in place. This will help prioritise where to focus first, and show whether the existing security solutions will suffice for a zero trust approach.

Identify critical assets and data

While defining the attack surface, most businesses will have started to identify their most critical assets and data. Categorising and tagging this data will help when implementing least privilege access and segmentation.

Some categories that assets and data may be added to are:

Unclassified: Public domain information (e.g. product brochures, newsletters, information on a company website)

Protect: Employee and recipient only (e.g. security processes & operating procedures)

Restricted: Management only (e.g. complaints, company appraisals, budget information)

Restricted Print: Restricted with the ability to print

Confidential: Very sensitive information (e.g. accounting data, salaries, business plans, contracts and NDAs)

Confidential View Only: Confidential with view-only permissions

Confidential Print: Confidential with the ability to print

During this phase, assets and data should also be categorised by the department or role that needs access.

Implement multi-factor authentication (MFA)

One of the most important technologies underpinning zero trust is multi-factor authentication, as it will be the primary method of verifying explicitly.

There are many authentication providers available; however, most businesses will already have access to multi-factor authentication through their Microsoft 365 subscription.

Microsoft Purview is Microsoft’s data governance and compliance platform and includes functionality that forms the foundation of a strong zero trust deployment.

Segment network and assets and enforce access controls

Now that your business has defined access groups, sensitivity labels and a method to enforce least privilege access and explicit verification, it is time to start deploying the solution.

This stage should be rolled out in phases. This ensures that any issues will not prevent the entire workforce from accessing business-critical information, and also helps with user adoption and understanding.

Monitor and log all activity

Once the implementation is complete, all activity needs to be logged, monitored and regularly reviewed to ensure that zero trust is maintained. No business is stagnant, and as business needs change, policies and procedures need to follow suit.
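The implementation steps above, tied together in one added example (not code from the original article): a minimal policy decision point that uses the article's sensitivity labels, requires explicit verification (MFA and a compliant device) on every request, confines roles to segments and writes a log entry for every decision. The segments, roles, device states and sample requests are constructed for illustration.

```python
# Added example (not from the original article): a minimal zero-trust policy
# decision point. Label names follow the article's classification scheme;
# segments, roles, device states and sample requests are constructed.
from dataclasses import dataclass
from typing import List, Tuple

# Actions each label permits; the "View Only" and "Print" variants narrow or widen it.
LABEL_ACTIONS = {
    "Unclassified": {"view", "edit", "print"},
    "Protect": {"view", "edit", "print"},
    "Restricted": {"view", "edit"},
    "Restricted Print": {"view", "edit", "print"},
    "Confidential": {"view", "edit"},
    "Confidential View Only": {"view"},
    "Confidential Print": {"view", "edit", "print"},
}
# Roles permitted in each segment (hypothetical); anything not listed is denied.
SEGMENT_ROLES = {"finance": {"finance", "management"}, "crm": {"customer-service", "management"}}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_compliant: bool
    segment: str
    label: str
    action: str

class PolicyDecisionPoint:
    def __init__(self) -> None:
        self.log: List[str] = []  # every decision is recorded for later review

    def evaluate(self, req: Request) -> Tuple[bool, str]:
        allowed, reason = self._decide(req)
        self.log.append(f"{'ALLOW' if allowed else 'DENY'} user={req.user} role={req.role} "
                        f"segment={req.segment} label={req.label!r} action={req.action} reason={reason}")
        return allowed, reason

    @staticmethod
    def _decide(req: Request) -> Tuple[bool, str]:
        # Verify explicitly: identity and device are checked on every request, wherever it originates.
        if not (req.mfa_passed and req.device_compliant):
            return False, "identity or device not verified"
        # Segmentation: the role must be permitted in the segment; unknown segments deny by default.
        if req.role not in SEGMENT_ROLES.get(req.segment, set()):
            return False, f"role {req.role} not permitted in segment {req.segment}"
        # Least privilege: the label must grant the requested action; unknown labels deny by default.
        if req.action not in LABEL_ACTIONS.get(req.label, set()):
            return False, f"label {req.label!r} does not permit {req.action}"
        return True, "all checks passed"
```

Because the default for an unknown segment or label is a deny, adding a new label or segment without a policy entry fails closed rather than open.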

Best Practices for Zero Trust Implementation

Regularly update and patch systems

Zero trust significantly reduces the risk of falling victim to a cyberattack and the potential impact of a cyberattack, but it does not stop bad actors from exploiting known vulnerabilities.

If businesses go through the effort of implementing zero trust, they should also follow other security best practices, including timely application of patches and security updates.

Conduct continuous security training

Some employees may find zero trust to be frustrating, especially if they are coming from a very open environment where they could log in once and then access all company files.

Security training helps overcome this challenge by making employees aware of why these policies are being introduced. It also helps build a culture of security and improves the chances of detecting an attack or attempted attack.

Use advanced threat detection tools

Monitoring activity logs is a key component of zero trust, but typically manual monitoring is not enough to catch a threat before it is too late.

Modern threat detection tools make this process easier by establishing a baseline of what ‘normal’ looks like for different devices, workloads, users and groups. Anything that deviates from that baseline is flagged for a human to review.
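The baseline-and-deviation idea described above, as an added toy example (not code from the original article or from any product): it learns each user's "normal" set of countries, devices and login hours from a baseline window of log lines, then flags later events that fall outside it. The log format, users and values are constructed for illustration; a real tool would use a much richer model than exact-match sets.

```python
# Added example (not from the original article): a toy baseline detector.
# Log lines, users and values below are constructed for illustration.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

TRACKED = ("country", "device", "hour")  # attributes that make up a user's "normal"

# Constructed sample logs: a quiet baseline window, then a day of new events.
BASELINE_LOGS = [
    "2024-05-01T08:55:10Z user=alice country=GB device=LAPTOP-A1 result=success",
    "2024-05-01T09:02:41Z user=alice country=GB device=LAPTOP-A1 result=success",
    "2024-05-01T17:30:12Z user=bob country=IE device=LAPTOP-B7 result=success",
    "2024-05-02T18:05:55Z user=bob country=IE device=LAPTOP-B7 result=success",
]
NEW_LOGS = [
    "2024-05-03T03:14:09Z user=alice country=US device=UNKNOWN-9 result=success",
    "2024-05-03T17:45:00Z user=bob country=IE device=LAPTOP-B7 result=success",
    "2024-05-03T10:00:00Z user=mallory country=GB device=LAPTOP-A1 result=success",
]

def parse(line: str) -> Dict[str, str]:
    """Split a log line into key=value fields and derive the login hour from the timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["hour"] = ts[11:13]
    return event

def build_baseline(lines: List[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Record every country, device and hour seen for each user during the baseline window."""
    baseline: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        e = parse(line)
        for key in TRACKED:
            baseline[e["user"]][key].add(e[key])
    return baseline

def flag_deviations(baseline: Dict[str, Dict[str, Set[str]]], lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for each event with an attribute the user's baseline never showed."""
    flagged = []
    for line in lines:
        e = parse(line)
        known = baseline.get(e["user"])  # .get() does not create an entry for unknown users
        if known is None:
            reasons = ["user never seen in baseline"]
        else:
            reasons = [f"{k}={e[k]} not in baseline" for k in TRACKED if e[k] not in known[k]]
        if reasons:
            flagged.append((line, reasons))
    return flagged

if __name__ == "__main__":
    for line, reasons in flag_deviations(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print("REVIEW:", line, "->", "; ".join(reasons))
```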

Establish incident response plans

Zero trust relies on organisations always assuming there has been a breach. With this being a fundamental concept, businesses should be ready for what happens when they encounter an actual breach.

Establishing and testing an incident response plan ensures that everyone knows what to do to contain the threat and recover after a cyber incident.

Be realistic with timescales

Implementing zero trust is a lengthy process and a serious undertaking for businesses of all sizes. Working with a trusted provider can shorten the time for implementation, but such a project can take from 6 months to over a year.

Setting a realistic timescale will help with budgeting for the project and setting expectations for key stakeholders. The journey to zero trust also does not need to be completed in a single project. Even a project whose scope only includes identifying critical assets and data will help improve overall security posture.

How We Can Help

Our dedicated team of security experts is here to assist you in seamlessly integrating zero trust principles into your business operations. We offer comprehensive security assessments to identify vulnerabilities and create a tailored action plan.

With our advanced threat detection tools and continuous monitoring services, you can rest assured that your digital assets are protected around the clock. We also provide customised security training to educate your employees on the importance of zero trust policies and how to recognise potential threats.

If you want to get started on implementing zero trust within your organisation, contact us today.