In the world of information technology, we should never assume trust. Regardless of where or how we connect our digital devices, we face risks from a variety of real-world cybersecurity threats, whether on-premise or in the cloud. In today's WFH (Work From Home) world, zero trust is more pertinent than ever. In IT as in life, we should not trust, but verify.
Zero trust means that computing resources, regardless of their technology, location or protocol, are all assumed to be unworthy of trust. This means an iPad connected via 5G and a VPN, a desktop on the corporate LAN and an IoT device all need unique security scrutiny. Decades ago, we might have assumed our internal networks (LANs) were 'secure' because most of our resources were internal (on-premise) solutions we owned, controlled and secured. Today our IT resources are hybrid: a mix of on-premise and cloud, so these antiquated traditional security boundaries no longer apply. Extending this outward, today's hybrid computing reality means that resources, whether local or in the cloud, must receive equal security scrutiny.
Practical Applications of Zero Trust
Zero trust implies we build and manage our technologies without the assumption of trust. This means our LAN, WAN (Wide Area Network) and cloud should all bear the same fundamental skepticism and scrutiny in the design and deployment of our IT resources. We base zero trust on realistic assumptions about the risks we face in a connected world, where a device of any kind is a launching point for a variety of attacks on porous networks. This is a novel approach that requires a variety of fundamental assumptions in the design of IT technologies and their deployment. A few assumptions of zero trust are:
- Secure Coding – Any and all code, commercial or custom, should follow modern secure coding techniques. Training of DevOps & SecOps is a powerful way to reduce risk and embrace zero trust.
- Secure Networks – All networks should have proper segmentation rules to control the actions and behavior of their connected clients. This applies end to end on all computing resources.
- Encryption Everywhere – Encryption should be deployed in all cases of data at rest and in transit. End-to-end encryption can be a powerful tool to keep malicious actors at bay.
- Endpoint Security – Endpoint security products aren’t a panacea, but they help in defending devices in a zero trust environment. Anti-malware suites that protect across the multitude of your devices are especially powerful.
- Patch Everything – All devices should be updated in an automated way with a patch management solution. This includes desktops, IoT devices, tablets, networking gear – everything. This will not stave off zero-days, but it will significantly reduce risks & costs.
- BC/DR (Business Continuity & Disaster Recovery) – In today's hybrid environments, IT resources are everywhere and so is mission-critical data. Backup is as important as it's ever been. Critical information resources, wherever they live, on-premise or in the cloud, require proper disaster recovery and business continuity.
- End User Security Training – End users can be an asset or a liability in terms of risk exposure. Well-informed staff will reduce your risk exposure and the associated costs.
- Least Privilege – End users should only have the level of privilege they require for their job function – no more, no less. This limits the risk of giving someone privileges they could unknowingly or willfully abuse for criminal ends.
- MFA – Multi-factor authentication is an evolutionary step in authentication beyond the simple username/password. In a zero trust model, MFA can provide enhanced authentication security well beyond insecure, legacy single-factor authentication.
- Ongoing Penetration Testing – Pen testing or ethical hacking is the active assessment of the security of your IT resources using the same tools and techniques an adversary might. This goes beyond assuming your security is functional to proving that it is.
- Holistic Security – Best practice IT involves a holistic view that secures all our IT resources no matter where or what they are. Zero trust is an imperative to look at how the machine works (as a whole) rather than a single gear.
Zero trust is the reference model for best practice IT architectures. We will not have the luxury of trusting devices, networks or technologies in a world rife with risk. Although zero trust requires some additional work in the deployment of technology, it is well worth the reduction in risk and cost it affords. Looking for help with your IT security headaches? Evolutionary IT is happy to help; contact us today.