Cyber Risk Leaders Magazine - Issue 7, 2022


CYBER SECURITY

Exploring the Myths of Zero Trust By Guy Matthews, Editor of NetReporter


Zero Trust is not a technology. It’s a state of mind, or perhaps a philosophical stance. So believes Rik Turner, Principal Analyst, Emerging Technologies with consulting firm Omdia: “It's a mindset, and as such it involves as much of a cultural change in a company as it does any actual technology that you're going to use to enable it,” he says. Step one of this culture change, he believes, is to move away from previous security paradigms, such as ‘trust but verify’. “You used to log on at the gate, and they would check who you were, verify you, and once you were in, that’s it,” recalls Turner. “That no longer holds. It's faulty and extremely vulnerable. The Zero Trust mentality is summed up as ‘never trust, always verify’.”

Zero Trust, he says, means no trust for any employee, partner, partner’s employee or contractor, at any time: “It’s across the board, from your internal employees all the way through to the third parties that you let interact with your system. No more trust for any of them.”

The future of getting onto a network lies in authenticating all parties, their identity and the security posture of their device, every time they request access to any individual asset within your infrastructure: “It’s about asking for access to a particular application, to a specific asset, to a particular database, and even then only if they meet all the criteria,” notes Turner. “There may be criteria such as time of day. We don't want just anybody dialling in at two o'clock in the morning, because that's a bit strange. Equally we don't want people who normally log in from the UK to suddenly dial in from China. There will be geographic limits here and there that you yourself can choose and set in order to frame the authentication and authorization of that individual.”

It is also important, says Turner, to continuously monitor what a person does once admitted to a network in case another individual hijacks their account: “Suddenly there's somebody else who appears to have been authenticated at the entry point. So you have to keep an eye on them effectively throughout a session looking for anomalous behavior. Then you can either block them altogether, kill the session, or if you have some level of confidence that it is still them, you'd like to reaffirm that confidence.”

Turner talks of Zero Trust as sometimes seeming akin to ‘institutionalized paranoia’: “It would certainly be seen as paranoia in your social life,” he notes. “But we are talking about your corporate existence, and the need to defend your corporate assets, your data, your infrastructure, even your people, and sometimes Zero Trust is going to meet resistance. There will be people within your organization who say ‘this is a bit extreme, isn’t it?’”

To broaden the conversation, Turner talks to a select panel of security experts from around the tech sector to find out what they are doing to help customers embrace Zero Trust.

“We tell them it’s about trying to give every device, user, anything that enters your network, the absolute lowest level of privilege that you can possibly give to them,” says Jordan LaRose, Director of Consulting and Incident Response, Americas with F-Secure. “But it's not like you have to throw the baby out with the bathwater. You don't have to completely strip out everything in terms of privilege. You
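The per-request checks Turner describes (identity, device posture, time of day, source country, all evaluated against one specific asset rather than "the network") and the follow-on requirement to keep re-evaluating a session after authentication can be sketched as a small policy decision point. The code below is an added illustration written for this page, not code from the article, Omdia, F-Secure or any product; the resource names, the per-resource policy values and the sample requests are constructed for the example, and the session monitor uses a deliberately crude anomaly signal (a change of source country mid-session) as a stand-in for the behavioural analytics a real deployment would use.

```python
"""
Added example: a minimal Zero Trust policy decision point (PDP) plus a
session re-evaluation loop. Everything here (resource names, policy
values, sample users and events) is constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    """One access request: who, from what device, to which asset, from where, when."""
    user: str
    role: str
    resource: str            # access is requested per asset, never "to the network"
    device_compliant: bool   # device posture as reported by an EDR/MDM agent
    mfa_verified: bool
    country: str             # ISO country code of the source address
    local_hour: int          # hour of day (0-23) in the requester's usual timezone


@dataclass
class ResourcePolicy:
    roles: frozenset
    allowed_countries: frozenset
    hours: tuple = (0, 24)   # half-open [start, end) window of permitted hours
    require_compliant_device: bool = True
    require_mfa: bool = True


# Constructed per-resource policies. Each asset carries its own criteria,
# which is what lets a PDP say "yes to the wiki, no to payroll" for one user.
POLICIES = {
    "payroll-db": ResourcePolicy(
        roles=frozenset({"finance"}),
        allowed_countries=frozenset({"GB"}),
        hours=(7, 20),                      # no 2am access to payroll
    ),
    "wiki": ResourcePolicy(
        roles=frozenset({"finance", "engineering", "contractor"}),
        allowed_countries=frozenset({"GB", "DE", "US"}),
        require_mfa=False,
    ),
}


def evaluate(req):
    """Return (allowed, reasons). Default deny: an unknown resource or any
    single failed criterion denies the request; all reasons are reported so
    the caller can log or explain the decision."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, ["unknown resource"]
    reasons = []
    if req.role not in policy.roles:
        reasons.append("role not permitted")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("mfa required")
    if policy.require_compliant_device and not req.device_compliant:
        reasons.append("device not compliant")
    if req.country not in policy.allowed_countries:
        reasons.append("country not allowed")
    start, end = policy.hours
    if not (start <= req.local_hour < end):
        reasons.append("outside permitted hours")
    return (not reasons), reasons


@dataclass
class Session:
    """Context captured at authentication, carried through the session."""
    auth: Request
    alive: bool = True


def reevaluate(session, resource, country, local_hour):
    """Called on every request made inside an already-authenticated session.
    A change of source country since authentication is treated as a hijack
    signal and kills the session outright; otherwise the request is scored
    against the target resource's policy exactly as a fresh request would be."""
    if not session.alive:
        return "killed"
    if country != session.auth.country:
        session.alive = False
        return "killed"
    req = replace(session.auth, resource=resource, country=country, local_hour=local_hour)
    allowed, _ = evaluate(req)
    return "allowed" if allowed else "denied"


if __name__ == "__main__":
    alice = Request("alice", "finance", "payroll-db", True, True, "GB", 10)
    print("payroll at 10:00 from GB:", evaluate(alice))
    print("payroll at 02:00 from GB:", evaluate(replace(alice, local_hour=2)))
    print("payroll at 10:00 from CN:", evaluate(replace(alice, country="CN")))
    s = Session(auth=replace(alice, resource="wiki"))
    for ev in [("payroll-db", "GB", 11), ("payroll-db", "CN", 11), ("wiki", "GB", 11)]:
        print("session event", ev, "->", reevaluate(s, *ev))
```

The point the code makes that the prose alone does not is the shape of the decision: every criterion is evaluated per asset and per request, a single failure denies, and the session object is not a long-lived "you are in" token but a context that is re-scored on every action and can be revoked mid-flight. A real PDP would source device posture and geolocation from live signals rather than request fields, and would offer a step-up (re-authentication) path for low-confidence anomalies instead of only kill-or-allow.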
