Traditionally, most organisations have focused on having a secure perimeter in place that protects core applications and data from external attack. Those inside the perimeter are then allowed to access any resources they might require.
In a post-pandemic world, however, this approach no longer works. Many staff are still working from home and this is likely to continue for an extended period. In some cases, it may even become a permanent feature of daily business life.
For this reason, the concept of a perimeter now doesn’t make sense. Another method needs to be implemented that enables efficient access to centralised resources but at the same time keeps those resources secure.
This change in thinking has significantly increased interest in the concept of zero trust. This strategy is based on the approach that nothing on a network is trusted until its identity has been verified.
It dictates that all networks should be untrusted, least-privilege access is enforced, and everything monitored at all times. Access should only ever be granted based on identity.
In many cases, a zero-trust strategy will enable an organisation to replace its existing virtual private network (VPN) capabilities. These were designed to support small numbers of remote workers but are challenging to scale to meet a sudden increase in demand.
Putting zero trust to work
When an organisation makes the decision to adopt a zero-trust strategy, it’s important to realise that it is not some far-off state that will take an extended period to reach. Rather, as the required steps are undertaken, value can be seen almost immediately.
Early steps that can be taken include identifying the high-value data and workloads on your network that require the best available security. Next, remove redundant access permissions to ensure fewer people can interact with these digital assets.
Deploying a multi-factor authentication system is another step that will deliver quick benefits, as is the implementation of a cloud security gateway. On-device security controls should also be considered.
In many cases, organisations will find they don’t have to start the process from scratch. This is because they are likely to already have in place many of the components that are required.
These components include user authentication systems, biometric ID systems, endpoint detection and response (EDR) capabilities, data encryption, and network segmentation. These can be enhanced with the deployment of additional tools and services that, together, will create a zero-trust environment.
Another necessary step is budget allocation. From the outset, it’s important to be clear about how much money will be spend and the areas to which it will be directed.
Typically, organisations working towards achieving zero trust find that around 20% of available funds need to be directed at protecting infrastructure workloads, while 25% is earmarked for device protection.
Another 25% of the budget should be allocated for people, to support ID systems and user training. Also, 10% of funds should be spent on network security while 15% aimed at orchestration and automation. The final 5% of funds should be allocated to visibility and analytics.
It should also be noted that spending on zero trust can be offset by savings in other areas. Many organisations find they are able to reduce the total number of security tools and services they have in place which removed both complexity and cost.
Zero trust has much to offer organisations faced with the prospect of having significant numbers of staff working remotely for an extended period. By embracing the strategy now, they can also be well positioned to cope with new challenges as they emerge in the future.