As IT environments continue to become more complex, it is increasingly clear that the trust model of cybersecurity is no longer fit for purpose.
David Gochenaur is a Senior Director of Cyber Security at end-to-end managed services firm Ensono.
The trust model only works when it is used by a specific small group of employees accessing an IT environment that is only on-premise. However, as the hybrid way of working becomes the norm, it is increasingly risky to trust the variety of end points to manually adhere to all authentication measures and preventative procedures. IBM estimated that over the past year, businesses that were affected by data breaches lost an average of $4.24 million. Without the correct procedures in place, a critical data breach is just one click away.
In the face of these challenges, many organizations around the globe are turning towards Zero Trust architecture. A notable example of this can be seen in May of 2021 when the President of the United States, Joe Biden, issued a mandate dictating that all federal agencies, such as the FBI, would have to align with Zero Trust architecture.
What exactly is Zero Trust?
Zero Trust is a cybersecurity model which utilizes constant identification and authentication across device, identity, and user, before any access to data is provided. This is done to ensure that sensitive data remains unexploited even if a bad actor has gained access to a certain IT environment. Through constant authentication, trust is essentially eliminated from the cybersecurity risk equation and nullified as a vulnerability.
The effectiveness of the Zero Trust model relies as much on behavioral and cultural elements as it does on technological changes. The greatest risk to an organization's cyber safety is human error. There needs to be an enormous cultural buy-in within a business to mitigate the risk from human workers.
Remote working and the Zero Trust model
Bad actors have taken advantage of the enormous number of vulnerabilities that come about because of employees accessing data and work systems from home. As such, cybercrime has multiplied hugely since the beginning of mass remote working. It is now considered the most prevalent crime within the United Kingdom. 2021 saw cybercrime rise 7.5% on the previous year, as the UK’s National Cyber Security Council (NCSC) dealt with a record 777 cyber incidents.
It has also become very difficult for businesses to implement a standardized cybersecurity strategy. This is due to the different hosting services that companies use to ensure that they can keep up with the demands of the working world. Security protocols often vary between providers, hindering the process of delivering a meaningful, uniform security strategy.
The Zero Trust framework
Zero Trust is an authentication model that can be used across all IT architectures. It is cost-effective, and it does not see conventional network perimeters. Zero Trust creates a cyber defense framework that is perfectly suited for remote or hybrid working, as end points, local infrastructure, and cloud services are all set within one model.
When a user looks to access data or an application held on a company network, Zero Trust dictates that authentication is required at every stage. This policy assesses the risk presented by the user attempting to access the applications or data, and decides whether to grant or deny access. When putting this into action in your business, the UK’s NCSC has a superb roadmap to follow. It explains how companies should work on the principle that “the network is hostile” and only grant access based on a holistic set of factors. These factors include user location, device health, the identity of the user, and the user's status within the organization.
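The per-request decision described above can be sketched as a small policy engine. This is an added example, not code from the article or from NCSC guidance; the field names, country list, entitlement table and risk weights are all illustrative assumptions.

```python
from dataclasses import dataclass, replace

# Illustrative policy data (assumptions, not taken from the article).
TRUSTED_COUNTRIES = {"GB", "US"}
ENTITLEMENTS = {"finance": {"ledger"}, "engineer": {"source-repo", "build-logs"}}
DENY_AT = 3  # risk score at which access is refused outright

@dataclass(frozen=True)
class AccessRequest:
    user: str
    identity_verified: bool   # identity of the user
    role: str                 # status within the organization
    country: str              # user location
    device_patched: bool      # device health
    disk_encrypted: bool      # device health
    resource: str

def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Evaluate one request from scratch; no earlier decision is reused."""
    if not req.identity_verified:
        return "deny", ["identity not verified"]
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        return "deny", ["role not entitled to resource"]
    risk, reasons = 0, []
    if req.country not in TRUSTED_COUNTRIES:
        risk += 2
        reasons.append("unusual location")
    if not req.device_patched:
        risk += 2
        reasons.append("device missing patches")
    if not req.disk_encrypted:
        risk += 1
        reasons.append("disk not encrypted")
    if risk >= DENY_AT:
        return "deny", reasons
    if risk > 0:
        return "step_up", reasons  # require re-authentication before access
    return "allow", reasons

def evaluate_session(requests):
    """Decide every request in a session independently of the previous ones."""
    return [decide(r)[0] for r in requests]

# Constructed sample: one user, four requests, context changing between them.
base = AccessRequest("alice", True, "engineer", "GB", True, True, "source-repo")
SESSION = [
    base,                                               # normal context
    replace(base, country="BR"),                        # location changed
    replace(base, country="BR", device_patched=False),  # device also unhealthy
    replace(base, resource="ledger"),                   # outside the role
]

if __name__ == "__main__":
    for req, verdict in zip(SESSION, evaluate_session(SESSION)):
        print(req.resource, req.country, verdict)
```

The same user goes from allowed, to challenged, to denied as location and device health change, because each request is scored on its current context and no earlier approval carries forward.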
As one can imagine, constant verification requires businesses to dynamically monitor user access in real-time. This can be a time-consuming process for an organization. Luckily, there is an enormous amount of innovation going on within this space to address these challenges. Many of the market-leading solutions use automation to streamline this process, freeing up IT teams to focus on more value-added activity elsewhere.
Fundamentally, the key features of Zero Trust reduce business vulnerability to the most damaging cyberattacks. We should not forget that the Colonial Pipeline attack started with a single piece of compromised data. Constant authentication in Zero Trust puts more barriers in the way of a bad actor, giving IT teams a longer period of time to flag and shut down access privileges for a hacker – all before the bad actor has gained access to sensitive systems across the business. The message is one of damage limitation and containment, stopping the exploitation of a small vulnerability from spiraling into an insurmountable problem.
Why Zero Trust needs people
For Zero Trust to truly work, a cultural shift needs to occur as much as a technological shift. As mentioned before, human error is the largest risk facing a business and its cybersecurity. So, if we are to address this problem, behaviors need to change.
There needs to be wholehearted buy-in from employees for the model to work. If just one employee glosses over an authentication feature, the Zero Trust model could be rendered ineffective and a massive data breach could occur.
The holistic requirements of Zero Trust are built on consistent communication and training. Individuals already engage with authentication procedures like multi-factor authentication within their job, thus they understand the importance of these processes within a business. All it takes is regular education and messaging from the IT function to tap into that familiarity, and ensure the long-term success of Zero Trust.
Zero Trust should not be a hardship for employees, but a powerful call to action for everyone to play their part in the cybersecurity of the business. Employees play a huge role in preventing cybersecurity incidents, and their active engagement is critical to fighting back against these bad actors. Zero Trust should not be about distrusting employees – it is about empowering them.