Yahoo. Equifax. The Department of Homeland Security. Uber. Heathrow International Airport. NHS.
The one thing all of these organizations have in common is that they have all suffered a data breach or security incident of some kind, either through employee negligence or through the machinations of a bad actor. It’s an unfortunate reality of doing business in today’s world — and it’s one that requires a new approach to cybersecurity to address.
“Zero trust” is arguably a critical foundation of that approach. Devised by former Principal Forrester Analyst John Kingervag, “zero trust” is a security concept founded on the belief that nothing can be trusted. Regardless of whether network traffic originates inside an organization’s security perimeter or on the outside, it must be verified before it’s given access to anything.
However, most organizations and their IT department are still stuck with their old way of thinking — with what CSO Online terms the ‘castle and moat’ mentality. This approach to network security sees an organization focused entirely on keeping intruders out of their security perimeter, without much thought as to what exists beyond, or within.
The reason that’s a problem is twofold. First, traditional security perimeters don’t exist anymore. Not as we remember them at least.
People can now access and work with critical files from virtually anywhere. What’s more, vendors, contractors, and business partners all over the world have access to corporate data. Not all of them take cybersecurity as seriously as they should, and if you’re stuck with a traditional cybersecurity model, you’re essentially playing with fire.
Mind you, that has less to do with “zero trust” than the second issue. Namely, if your systems are configured to automatically trust all internal traffic, all a hacker needs to do is gain access to those systems. From there, they’ve free reign to do whatever they please.
So how exactly do you implement a “zero trust” approach to your infrastructure without alienating your staff and making their jobs impossible to do?
- Understand your data. Know what data you need to protect, where it’s located, who has access to it, and who needs access to it. Know how that data moves and flows through your network, and how it moves into and out of your security perimeter.
- Look at how your network functions. How do transactions flow across your network? How well do you monitor network traffic, and what rules do you have in place for when an application or user encounters something unexpected?
- Implement strong authentication. Do you have MFA (multi-factor authentication) in place? Identity and Access Management tools? Granular permissions?
- Enforce the Zero Trust mentality. You need to enforce the idea that no one and nothing should be given access to sensitive data unless they can be authenticated. You need to make this part of your corporate culture, especially in IT, where most professionals trust their internal environments implicitly.
- Ditch the legacy architecture. With few exceptions, old infrastructure is not well-suited for “zero trust” — that’s because for this approach to actually work, its systems generally need to be built from the ground-up rather than retrofitted.
We face more cybersecurity threats than at any other point in history. We need to be ready to tackle them. A “zero trust” approach to networks and systems is a good first step, and now you know how to begin to incorporate it.
Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.
The opinions expressed in this guest contributor article are solely those of the contributor and do not necessarily reflect those of Cloudbric.