A well-functioning society is based on trust between people - in the authorities, the workplace, the police and the healthcare system, etc. but also trust in data, applications, devices and systems. If you lose trust in the data technology elements, their use will decrease and digitalization will stagnate.
Transferring emotional trust to the digital world is problematic and is a vulnerability that can be exploited. Trust in digital systems should be severely limited, and verification should be used both on the way in and out of critical systems.
Operate as if someone is on the inside and you are compromised!
Zero trust was developed by then analyst at Forrester Research Inc, John Kindervag, in 2010.
Successful attacks happen in permitted traffic
There are many good reasons why your company should use Zero Trust. Digital attacks are happening more and more often, even in companies that have invested significant funds in security equipment. Attacks can include, among other things, disruption of operations, data leakage or alteration of data. Traditionally, the focus has been on attacks happening from the outside and into systems. The attackers know this and find other ways into the systems, for example via email, VPN, RDP, Citrix, exploitation of vulnerabilities or rogue servers. If they find these vulnerabilities, the path to critical data and systems can be short.
For the vast majority of companies, data going astray will be very serious, whether it happens internally in the organization or outside. In recent years, many companies have adopted cloud storage for storing sensitive data, among other things. This makes the requirements for visibility, monitoring and control even greater. Mindsets and strategies must change to be better equipped to deal with these new threats. Attackers are constantly evolving. The defense must also be.
Think security from the inside out
This type of strategy is based on never trusting anything, either externally or internally. This applies to IT components such as PCs, phones, servers, IoT etc. If an intruder finds a weakness in the system, there is a good chance that they can access critical data. Access should therefore be granted after verification, based on the fact that access is absolutely essential for someone to do their job (principle of least privilege).
In combination with such an approach, it is recommended to carry out a ROS (risk and vulnerability analysis) to map your assets, risks and vulnerabilities. Job prioritization is based on this result.
Access control is done for risk-assessed elements based on the following criteria:
Zero Trust is recognized for its thorough access control that is carried out for permitted traffic to reduce the attack surface to an absolute minimum. To reduce the likelihood of data leakage, outbound security will be key. Therefore, outbound access control must be carried out in the same way as inbound. Full inspection of all permitted traffic, both ways, which will require SSL decryption, as well as logging of all data traffic, is central to this type of strategy.
Never trust, always verify.
Zero Trust is a cybersecurity strategy that focuses on protecting data and resources, wherever they may be.
Zero Trust alone is not a guarantee of not being hacked, but makes it as difficult as possible to compromise an entire infrastructure.
Elements of Zero Trust:
External and internal threats exist on the network all the time
Network location is not enough to build trust
All devices, users and communications are authenticated and authorized
Rules must be dynamic, and formed from as many elements as possible
Successful attacks happen in permitted traffic. The success of Zero Trust depends on consistent logging of all traffic, from both external and internal sources. By continuously monitoring user behavior, it will be easier to detect any security threats.
Netsecurity is a total supplier of security solutions and aims to be one of Norway's leading suppliers of cost-effective and timely solutions in security and data communication.
Alongside Zero Trust, we deliver complete security installations with traditional perimeter security, data center security, cloud security and new innovative endpoint security tools. Zero Trust has been in focus for a long time and has been central in our communication with customers for a more secure everyday life by changing the status quo to adapt to today's threat landscape in a much better way.
Jens Elmholt Birkeland
Our goal is to help make Norway more secure and to be one of Norway's leading providers of cost-effective and timely IT security and infrastructure solutions.
Feel free to contact us for more information about how Zero Trust can benefit your business!
