Staying on the path to security success with zero trust
Breaches are nothing new. In fact, there’s an attack every 39 seconds according to research by Astra Security. Every organisation should be doing its very best to reduce its attack surface and prevent attacks before they cause damage, but people need a pragmatic approach to guide them in doing so. Credential theft and password reuse are still rife, which means credential stuffing attacks continue to be a popular and effective route into your organisation for malicious actors.
From the perspective of defenders, the concept of zero trust has gained significant momentum over the past few years. Many organisations still place implicit trust in the entity logging in being who they say they are, simply because a legitimate username and password have been matched. This, in turn, consistently puts them at risk in a world where that trust requires further interrogation.
The zero trust framework has emerged as a more secure approach than implicitly trusting that whoever is accessing IT systems is who they say they are. At its core, it involves consistently authenticating everyone and automatically trusting no one. It’s not a one-off product that you can buy and embed into your system. Instead, it’s a shift in mindset which involves evaluating every process within your organisation and making sure implicit trust is removed from it. Here are three initial steps to implement a zero trust strategy:
1. Start with a mindset shift
To begin with, it’s important to think of zero trust as a holistic approach which goes beyond the technology itself, defining the principles and processes which steer the overall security strategy. Start with the assumption that any device or system could be compromised. Define what is important to the organisation and how it can be protected. This is not a one-and-done job either; it needs to be thought of as a continual journey. Rather than feeling overwhelmed by the prospect of a zero trust architecture as an end goal, start making incremental improvements, which will pay dividends for your security posture.
As zero trust is a journey, start by bringing the “low-hanging fruit” into the zero trust architecture: applications and systems where you can make a big security impact for the lowest effort. Learnings acquired earlier in the lifecycle can then be applied to the “crown jewels” – the most valuable or critical business systems in the organisation.
2. Zero trust does not mean zero access
A business does not run with zero access, so don’t take zero trust to mean zero access. Identify who needs access to which resources, and then ensure that access is granted after authentication. Think about the user journey, and grant access seamlessly so that it neither forms a roadblock nor causes frustration for the user. Denying access, or adding many approval steps to gain it, degrades the business end user’s experience. This can damage the perception of security within the organisation and lead people to see security teams as blockers. By building up a picture of who needs access to what, under which circumstances and with what privileges, a zero trust approach can feel seamless to the user.
3. Contextualise your access controls
Context Based Access Control (CBAC) may sound like a complicated security measure, but it doesn’t have to be. Context based access control helps to reduce, and in some cases eliminate, implicit trust. Take an adaptive approach to defining contexts based on signals from the device, the network and the application. Organisations may already hold the data points needed to achieve this. The key step is to deeply understand the specific risks facing your organisation, then to gather the various signals from devices, networks and applications and blend them into a context before access is granted. This ensures that access is provided based on risk, rather than on implicit trust.
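To make the blending of signals concrete, here is an added illustrative policy evaluator written for this article; it is not 6point6’s code or any product’s implementation. The signal fields, the weights and the per-sensitivity thresholds are assumptions chosen for illustration, and the sample users, devices and networks are constructed. It shows the point of the paragraph above: the same matched password leads to allow, step-up authentication or deny depending on the context, and a more critical application tolerates less risk.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # grant only after a stronger factor, e.g. phishing-resistant MFA
    DENY = "deny"


@dataclass(frozen=True)
class DeviceSignal:
    managed: bool         # enrolled in the organisation's endpoint management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class NetworkSignal:
    known_corporate: bool    # request originates from a known corporate egress
    country: str             # geolocation of the source address (ISO 3166 code)
    anonymizing_proxy: bool  # source is a known anonymising proxy or exit node


@dataclass(frozen=True)
class ApplicationSignal:
    sensitivity: str  # "low" | "medium" | "high" ("high" = crown jewels)
    action: str       # "read" | "write"


@dataclass(frozen=True)
class Context:
    user: str
    authenticated: bool  # primary authentication (username/password) succeeded
    home_country: str    # where the user normally works from
    device: DeviceSignal
    network: NetworkSignal
    app: ApplicationSignal


def risk_score(ctx: Context) -> tuple[int, list[str]]:
    """Blend device, network and application signals into one risk score.
    Weights are hypothetical; a real deployment tunes them from its own risk
    assessment. The reasons list makes every decision auditable."""
    checks = [
        (not ctx.device.managed, 30, "unmanaged device"),
        (not ctx.device.disk_encrypted, 15, "disk not encrypted"),
        (not ctx.device.os_patched, 10, "OS not patched"),
        (not ctx.network.known_corporate, 10, "unknown network"),
        (ctx.network.anonymizing_proxy, 25, "anonymising proxy"),
        (ctx.network.country != ctx.home_country, 20, "outside home country"),
        (ctx.app.action == "write", 10, "write action"),
    ]
    score, reasons = 0, []
    for triggered, weight, label in checks:
        if triggered:
            score += weight
            reasons.append(label)
    return score, reasons


# (step_up_at, deny_at) per application sensitivity: the more critical the
# system, the less risk is tolerated before a stronger factor or a denial.
THRESHOLDS = {"low": (60, 90), "medium": (30, 70), "high": (10, 45)}


def decide(ctx: Context) -> tuple[Decision, int, list[str]]:
    """Context-based access decision: a matched password alone never implies trust."""
    if not ctx.authenticated:
        return Decision.DENY, 0, ["primary authentication failed"]
    score, reasons = risk_score(ctx)
    step_up_at, deny_at = THRESHOLDS[ctx.app.sensitivity]
    if score >= deny_at:
        return Decision.DENY, score, reasons
    if score >= step_up_at:
        return Decision.STEP_UP, score, reasons
    return Decision.ALLOW, score, reasons


# Constructed sample signals (not real users, devices or addresses).
CORP_LAPTOP = DeviceSignal(managed=True, disk_encrypted=True, os_patched=True)
PERSONAL_PC = DeviceSignal(managed=False, disk_encrypted=True, os_patched=True)
OFFICE_NET = NetworkSignal(known_corporate=True, country="GB", anonymizing_proxy=False)
HOME_NET = NetworkSignal(known_corporate=False, country="GB", anonymizing_proxy=False)
HOTEL_NET = NetworkSignal(known_corporate=False, country="FR", anonymizing_proxy=False)
PROXY_NET = NetworkSignal(known_corporate=False, country="FR", anonymizing_proxy=True)


def sample_decisions() -> dict[str, Decision]:
    """Same user, same correct password, different contexts."""
    base = dict(user="alice", authenticated=True, home_country="GB")
    scenarios = {
        "office, corp laptop, crown jewels read":
            Context(**base, device=CORP_LAPTOP, network=OFFICE_NET,
                    app=ApplicationSignal("high", "read")),
        "hotel abroad, corp laptop, crown jewels read":
            Context(**base, device=CORP_LAPTOP, network=HOTEL_NET,
                    app=ApplicationSignal("high", "read")),
        "home, personal PC, low-sensitivity read":
            Context(**base, device=PERSONAL_PC, network=HOME_NET,
                    app=ApplicationSignal("low", "read")),
        "home, personal PC, crown jewels read":
            Context(**base, device=PERSONAL_PC, network=HOME_NET,
                    app=ApplicationSignal("high", "read")),
        "anonymising proxy abroad, personal PC, medium write":
            Context(**base, device=PERSONAL_PC, network=PROXY_NET,
                    app=ApplicationSignal("medium", "write")),
        "office, corp laptop, password wrong":
            Context(**{**base, "authenticated": False}, device=CORP_LAPTOP,
                    network=OFFICE_NET, app=ApplicationSignal("low", "read")),
    }
    return {name: decide(ctx)[0] for name, ctx in scenarios.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name}: {decision.value}")
```

Note that the third and fourth scenarios carry identical device and network signals; only the application’s sensitivity differs, and that alone moves the outcome from allow to step-up. That is the practical meaning of “blending signals into a context”: the decision is a function of all three signal sources together, and the reasons returned alongside the score are what you would write to the audit log so that each decision can be reviewed later.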
Zero trust and CBAC are just one part of a holistic cyber security strategy, but the mindset shift at the core of this approach will have a powerful impact. If you’re just starting your zero trust journey, there’s no better time than now. No matter where you are in this process, keep looking back and reviewing your progress – there’s always more to be done!
Contact us to discuss how 6point6 can help your organisation improve its cyber security and access controls.