Zero Trust: Cybersecurity’s next step

The 20th anniversary commemoration of 9/11 to remember those lost on that tragic day serves as a stark reminder of the role that terrorism continues to play in our own country and around the world. But it also serves to highlight that, while the potential for physical terrorist attack has certainly not gone away, the nature and scope of hostile attack has evolved and taken on an ever more sinister guise. The cyberattack on the Colonial Pipeline in the US, which carries 100m gallons of fuel each day and services seven airports, draws attention to the vulnerabilities of major targets now in the sights of criminal gangs, terrorist units and nation-state threat actors.

In May 2021, US President Joe Biden made an announcement that would change the way we think about cybersecurity: the US had to improve its digital defenses. Biden’s ‘Executive Order on Improving the Nation’s Cybersecurity’ represents a big step forward in the way we think about and respond to cyber threats. A key part of Biden’s instruction revolves around a concept called ‘Zero Trust’, which is set to soon become the standard in security and is cybersecurity’s biggest change in years.

Long-term access and its pitfalls

To understand what this is, we need to recognize that the basic plumbing of cybersecurity depends on the way computers trust each other, as well as the way they trust human users. After satisfying checks, like a password, a location or some other factor, such as a code sent to your phone, people, programs and systems get ‘trust’, a license to roam in permitted parts of an organization’s digital space. 

At this point, the system’s users can upload and download data, and change, move and create digital information. When security blunders happen, the amount of trust we give individuals, tasks and computer systems can mean the difference between a costly breach and a minor incident. Unfortunately, an overly generous amount of trust is quite common among the cyber defenses of many organizations. With increasingly sophisticated ransomware technology, this implicit digital trust only helps today’s hackers. They are able to dwell undetected for longer before making their move, allowing them to learn more about the systems they’ve unlawfully accessed. This situation makes less tech-savvy employees more likely to be the source of a breach without realizing, until it’s too late.

Of course, organizations can provide training to make their staff more aware of the risks. But reducing digital trust to a minimum is the most important way to lower the risk of an attack. This means that we need to widely adopt a Zero Trust approach to cybersecurity. A Zero Trust approach means that your cyber defenses never allow long-term access to information and continuously check that any access, whether automated or user-generated, is in keeping with a strict set of policies. Advice on what these policies should look like has been set out by the US Government’s National Institute of Standards and Technology (NIST) using guidelines that are reviewed every few years. These have been largely adopted by the UK Government, among others.

Never trust, always verify

The end goal of a Zero Trust approach is a state of never trusting and always verifying digital activity. This way, we ensure constant vigilance and reduce access to information for employees and computer processes down to a need-to-know structure. By setting Zero Trust policies, we grant access to resources and networks only when it’s really needed and remove access as soon as it’s not. This way, permissions don’t linger, denying attackers the chance to spread widely around your network.

Getting these Zero Trust policies right is a bespoke process. Every organization works differently, but there are rules of thumb. If your organization assumes high levels of trust in its approach to cybersecurity, stolen usernames and passwords can give away excessive levels of access to intruders. This quickly becomes difficult to trace, amplifying the damage they can do. With Zero Trust, an organization needs to be clear on what kind of access its users need, mapping out their identities against the permissions they require. While this process represents an investment of both time and business resources, the protection gained is immense. It prevents a small human error from snowballing into a massive, costly mistake from which it can be much harder to recover.

The challenge of secure flexible working

While transitioning to Zero Trust is important, Covid-19 has made it imperative. Traditional cybersecurity has always relied on implied trust. As an example, consider the modern office. Users physically working inside are trusted, gaining large amounts of access to resources. Anyone outside the office building is not trusted, thus gaining no access. Note that this is entirely based on their location; when they’re in the office, trust is automatically granted. With the mass shift to more flexible working patterns, this approach is no longer practical.

Security must now center on what the individual user is doing, not on implied factors like their location. After all, humans are the critical security factor. Most breaches happen because of human error, for example, downloading viruses from spam emails or giving passwords away to fake websites operated by criminals. Done well, with policies that follow official guidelines, Zero Trust saves people from themselves.
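The contrast drawn above, between trust implied by location and access checked on every request against time-limited permissions, can be sketched in a few lines. This is an added example, not part of the original article; the network range, user, resource names and the grant model are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

OFFICE_NET = ip_network("10.20.0.0/16")  # constructed office range

@dataclass(frozen=True)
class Grant:  # time-boxed permission for one identity, resource and action
    user: str
    resource: str
    action: str
    expires: datetime

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    source_ip: str
    verified: bool  # identity re-checked for this request (e.g. second factor)
    at: datetime

def perimeter_allows(req):
    """Implied trust: being inside the office network is enough."""
    return ip_address(req.source_ip) in OFFICE_NET

def zero_trust_allows(req, grants):
    """Check every request against identity and unexpired grants; ignore location."""
    if not req.verified:
        return False, "identity not verified"
    matching = [g for g in grants
                if (g.user, g.resource, g.action) == (req.user, req.resource, req.action)]
    if not matching:
        return False, "no grant"
    if any(req.at < g.expires for g in matching):
        return True, "grant valid"
    return False, "grant expired"

T0 = datetime(2021, 9, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample data
GRANTS = [Grant("alice", "payroll-db", "read", T0 + timedelta(hours=1))]
IN_OFFICE = Request("alice", "fileshare", "write", "10.20.3.7", True, T0)
REMOTE = Request("alice", "payroll-db", "read", "203.0.113.9", True, T0 + timedelta(minutes=5))
REMOTE_LATE = Request("alice", "payroll-db", "read", "203.0.113.9", True, T0 + timedelta(hours=2))

if __name__ == "__main__":
    for name, req in [("in office", IN_OFFICE), ("remote", REMOTE), ("remote, late", REMOTE_LATE)]:
        print(name, perimeter_allows(req), zero_trust_allows(req, GRANTS))
```

The perimeter check lets the in-office request write to a resource the user was never granted and blocks the legitimate remote one; the per-request check does the opposite, and stops honouring the grant once it has expired.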

In an age of flexible working and hyperscale computing, we have the opportunity to adopt a more intelligent and flexible approach to security with Zero Trust. Organizations of all varieties can reduce the possibility of cyberattacks. In the process, hybrid working between home and the office becomes more secure, more reliable and more business-friendly, while being supported by government-backed standards. In a time of huge change and upheaval, Zero Trust represents a unique chance for progress in our digitally connected world.

Ian Collard, Managing Director, Identity Methods

Ian Collard - Founder and Managing Director, Identity Methods

Ian is a successful managing consultant and business development professional with 35 years of involvement in the cyber technology and digital security sector.