Trust no one – the rise of Zero Trust

Zero Trust is very topical and most IT vendors and analysts will tell you it’s something that you need to address. So, what is Zero Trust, why is it better and how do you build it?

What is Zero Trust?

Zero Trust is a simple approach to security – trust no one. In other words, don’t assume the same user logs in from the same device at the same location every day because that’s an assumption that can be compromised. Think of it like the physical security in an office - you need to show the security guard your staff ID badge every time you want to enter the building, even though you’ve already done it every working day since you started there – that’s Zero Trust, continuous identity verification and access control.

So how do you trust a user attempting to login on a device? You challenge them to verify their identity and then policy-control what they have access to.

The key to Zero Trust is to make it a blanket approach to all users and devices, whether they are in an office or remote.

Why is it better than before?

It’s not necessarily better, Zero Trust is a security approach that has evolved as our working patterns have changed. For over a decade now, office workers have been bringing personal devices to work, which they expect to be able to connect to a network and gain access to services. Working from home has also been gaining popularity but clearly the recent global pandemic challenged organisations to enable entire workforces to be able to work remotely.

These scenarios show that you can’t take the legacy approach to security of building a castle with high walls, a moat and a drawbridge to keep bad actors out. This no longer works when users bring personal devices through the castle defences or when users work outside the castle walls.  

How do you ensure that all users and devices are who they say they are and that there are no bad actors in play? You trust no one.

Zero Trust is the result of an adapted approach to security to cater for the modern workforce.

How do you build it?

There are 3 core elements to consider for a Zero Trust approach – users, networks and apps.

Users need to have their identities verified before granting them access to services, regardless of whether they are working locally or remotely. A simple username/password combination is open to compromise, so a more robust mechanism is required – multi-factor authentication (MFA). MFA enables additional sophisticated methods of user verification on mobile devices, including the use of passcodes and passwordless techniques, such as biometrics. Logicalis partners with the market leading vendors in MFA to build robust user verification solutions and managed services for our clients. Our partners include Duo, Microsoft and Citrix.

Networks provide access to services but are also there to deny access to services that a device (including IoT) is not permitted to access. Software-defined access (SDA) leverages software-defined networking and micro-segmentation capabilities to deliver this. Software-defined networking has a control plane where device identities can be classified and verified, then access policies can be centrally enforced across the whole network fabric (wired, wireless, cloud) based on the device classification. Micro-segmentation allows network segregation between users, devices and applications – limiting the attack surface of bad actors. It also enables the dynamic network isolation of bad actors in response to real time threats, such as failure of an identity challenge. Logicalis is a Global Cisco Gold Partner and a specialist in delivery of SDA networks from the market leader in this space.

The final consideration for Zero Trust is the application. The two controls we can apply are least-privilege access and micro-segmentation. Access to any application will be controlled by MFA, here we are concerned with ensuring that any user is only given enough privileges to perform their tasks and that all applications are segregated from one another. Least-privileged access is configured using the roles-based access controls (RBAC) for each application. Most modern applications have pre-defined roles which have set recommended levels of access restrictions, to make this process simpler. Micro-segmentation segregates each application’s sets of systems from each other, limiting the attack surface of bad actors again. Communications to and from segregated applications are centrally controlled by policies, not by the traditional route of Access Control Lists (ACLs) manually configured on all network devices. Centrally controlling communications via policies means that applications can be deployed anywhere (on-prem or cloud) without any manual management of ACLs required. Logicalis partners with Cisco and Microsoft to deliver micro-segmentation across data centres and clouds.

Conclusion

Zero Trust is an evolving approach to secure the modern organisation. It has gained adoption in many organisations in the last 18 months, not just to secure the stay-at-home workforce but to secure the future hybrid workforce.

The principles apply to any user, any device and any application – whether you want to secure access to your user apps (on-prem or cloud-based) or IT apps (e.g. infrastructure management, data protection, etc).

To discuss your journey to Zero Trust, why not get in contact and talk to us here at Logicalis.