Zero trust – what should a best practice strategy look like?



It can seem as though zero trust is today’s security buzzword – overused to the point of cliché. Certainly, a lot has changed since 1994 when zero trust was first coined. Data and apps have migrated to the cloud, no longer adhering to corporate file-based access or domain-oriented controls. Data is now structured differently, if structured at all.


Today, amid the pandemic and the rollout of remote work, the volume of unstructured data has ticked up at pace and inevitably breaches have increased: a July 2021 report[1] from IBM and the Ponemon Institute puts the cost of data breaches at an average $4.24 million per incident – “the highest cost in the 17-year history of the report.”


In this new environment, a modern approach to zero trust is needed if we are to find a best practice solution for our increasingly digital workplaces.


Best practice: building the right architecture


First, we should perhaps be clear on what zero trust is and what it isn’t. A zero-trust architecture requires that every digital request on your business’s network proves its provenance and identity before it’s accepted. In other words, a breach of security is always assumed.


Crucially, using a ‘never trust, always verify’ method creates much-improved levels of data resilience. With this operating principle in place, zero-trust technology can be quickly applied.


Businesses should consider bolstering their backup security by using multi-factor authentication and identity and access management while investing more in employee security awareness. This is a good tactic because, whatever your business’s product or specialty, your staff are often the first to notice suspicious behaviour.


Another factor to consider when working towards best practice is that many remote-working set-ups are based on legacy models. These are now increasingly unfit for purpose, so migrating to a new cloud-based system makes sense.


Zero-trust solutions can run in parallel with existing arrangements while the legacy systems are phased out. They’re easy to tailor, flexible and adaptable.


Ultimately, though, your zero-trust architecture should be anchored in these three key areas:


1. Watch your supply chain

In the past, businesses haven’t always undertaken due diligence on third parties. Today, you need to understand their security position. If a third party needs a constant connection to your network, their barriers or borders become yours.

2. Deploy identity and access management

With any account management, the question is who is allowed to do what. Role-based access control is important here. Two-factor authentication or advanced authentication isn’t necessarily enough on its own to protect against online digital abuse: authentication establishes who the user is, so you may need another mechanism to define what the user can actually do once authenticated.

3. Monitor your assets

Micro-segmentation supports zero trust by letting you manage traffic between different assets on the same network and between networks. It provides visibility of the traffic passing between those assets and the ability to control and limit that traffic to reduce the risk of a breach.


How we’re helping


Recently, we’ve been working with a UK insurance company with 3,000 users. We’re helping them with a privileged access and identity management system, which in turn is increasing the business’s visibility over its supply chain.


Prior to our engagement, they were using a site-to-site VPN with limited control over what a third party could access, but we’ve now introduced a solution that really improves their control, usage, monitoring and alert capabilities should a suspicious event occur.


We’ve also introduced micro-segmentation to create traffic visibility and limit the connections between separate applications and networks.


Essentially, we’re reducing the probability that someone will try to abuse their access to the client network, be it a hacker or a rogue employee. The solution we’ve deployed allows the company not only to control who can access assets and applications but also, when and if access is granted, to monitor and record all user activity.


Ultimately, zero trust is both an authentication strategy and a consistent security policy across a network’s infrastructure, implemented in line with the needs of users and connected technologies. That’s why a combination of macro-segmentation and micro-segmentation, with the option to quarantine in the event of a breach of security rules, ensures the highest degree of security.


For companies and organisations, it is a question of ensuring all IT hardware, in addition to peripherals, is secure and employees are protected. In an increasingly volatile, uncertain, complex and ambiguous world, a modern zero-trust approach is well placed to deliver on these business goals.

[1] https://newsroom.ibm.com/2021-07-28-IBM-Report-Cost-of-a-Data-Breach-Hits-Record-High-During-Pandemic