Zero Trust Security
Zero Trust Security
Zero Trust is not a single off the shelf solution. It is best thought of a buzzword that describes a strategy of programs and procedures to protect a computer network.
Suppliers are beginning to offer Zero Trust Networking services; Microsoft (other solution suppliers are available) for example has mapped some of their existing services to the Zero Trust model.
The core concept of Zero Trust is that both devices and users must be authenticated before they can gain access. When access is granted that will be restricted to the level required for the required tasks. Ideally only authorised individuals will be able to access a network and will require specific devices to do so. Additionally those devices will be restricted as to what network resources they can access. Not only are the key-holders locked down but also the availability of the keys. Keeping within the same analogy, 2 key-holders with the same privileges cannot even use each other’s keys (such as approved mobile devices).
A complete Zero Trust solution will require imposing considerable restrictions on a network. In addition procedures need to be in place to ensure that Zero Trust is working. Businesses should not see this as a barrier and ignore the concept completely. By creating a Zero Trust strategy and beginning to pick off the more achievable aims the security of a network can be significantly tightened.
Biometric solutions such as Kindus discussed in passwordless solutions could be part of a Zero Trust solution. Apart from the obvious benefits of not needing to administer a password system users are restricted to the devices that they are allowed to log on with.
A first step in introducing Zero Trust is to investigate the current state of the network. Ideally the required documentation should already be in place. Any investigation should consider:
- Who are the users?
- What software and data do they need to access?
- What devices do they use to access that data?
- Where will they be accessing the network from?
- What network segmentation is possible (firewalls, routers, VLANs)?
- How can any Zero Trust solution be policed?
Having a system of rules requires some system to ensure that they all hold up. With Zero Trust there need to be systems controlling who can access what, using which devices and where they do that from. At present (2022) there are sophisticated SIEM (Security Information and Event Management) tools that will monitor this type of activity. Graphical and text summaries are provided and alerts sent out. The AI required to effectively police these systems is, however, still in its infancy. Rules can be set with related triggers and actions but optimal SIEM implementation requires appropriate system and network knowledge. People need to be in place with the expertise to understand what the SIEM solution is showing and to relate that to the expected work patterns of system users. Administrators want to be tracking potential incidents as they occur rather than searching copious historical records for details on problems that have already happened.
The UK National Cyber Security Centre 2021 guidance on Zero Trust is a useful starting point but like most of the subject literature is far from a one-stop solution. Any implementation will depend on the organisation adopting it. With our experience in computer security Kindus is optimally positioned to offer bespoke support on the journey to a Zero Trust solution.