With the global pandemic forcing many organisations to keep their staff working from home for an extended period, interest in the topic of Zero Trust has never been stronger. But while IT managers might know that Zero Trust involves confirming the identities of users and applications before access is granted, they might be less sure about how it can be implemented.
Some of the most common questions being posed by those considering adopting Zero Trust include:
- Aren’t the users and devices on my network already trusted?
Many organisations fall victim to cyberattacks because they don’t think they require layered protections to secure users and data within the network. Zero Trust methodologies exist entirely because, in today’s technology landscape, organisations must assume by default that all users, devices, and connections are untrustworthy, regardless of their location.
It only takes one lost or stolen corporate credential for an attacker to compromise an entire network. This is why multi-factor authentication with risk-based policies is crucial when adopting a Zero Trust strategy.
- Is having strong authentication sufficient?
When Zero Trust is in place, users and devices must establish their identity before being allowed access to IT resources. Organisations must validate their users with strong multi-factor authentication, and validate the devices themselves using protections such as endpoint antivirus and threat detection and response.
Without having both these elements in place, they might inadvertently end up allowing access to a legitimate, trusted employee who is operating on a shared and untrusted machine. Alternatively, they might accidentally grant access to a bad actor taking advantage of an unattended corporate laptop. In this time of widespread remote working, Zero Trust networks can prevent these risks by default.
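The two-part check described above, as an added example that is not part of the original article: a small policy evaluator that requires both strong user authentication and a validated device, treats network location as carrying no trust, and forces re-authentication on an idle session. The request fields, the sample requests and the 15-minute idle threshold are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed policy value for this illustration, not a figure from the article.
MAX_IDLE_MINUTES = 15

@dataclass(frozen=True)
class AccessRequest:
    user: str
    password_ok: bool        # first factor succeeded
    mfa_ok: bool             # second factor completed for this session
    device_managed: bool     # corporate-enrolled device, not a shared/personal machine
    endpoint_healthy: bool   # antivirus / threat-detection agent present and reporting clean
    idle_minutes: int        # time since the last user interaction on this session
    location: str            # "office", "home", "public": recorded but never trusted

def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Return ("allow", []) or ("deny", [reasons]).

    Every condition is checked independently of req.location, so a home
    or office address earns no trust on its own.
    """
    reasons: list[str] = []
    # Strong user authentication: both factors are required.
    if not req.password_ok:
        reasons.append("user authentication failed")
    if not req.mfa_ok:
        reasons.append("multi-factor authentication not completed")
    # Device validation: the machine's identity and its protection state.
    if not req.device_managed:
        reasons.append("device is not a managed corporate device")
    if not req.endpoint_healthy:
        reasons.append("endpoint protection missing or reporting an alert")
    # Guard against an unattended session being reused by someone else.
    if req.idle_minutes > MAX_IDLE_MINUTES:
        reasons.append("session idle too long; re-authentication required")
    return ("allow" if not reasons else "deny", reasons)

# Constructed sample requests mirroring the cases discussed in the text.
SHARED_MACHINE = AccessRequest("alice", True, True, False, False, 1, "public")
UNATTENDED_LAPTOP = AccessRequest("bob", True, True, True, True, 45, "office")
COMPLIANT_FROM_HOME = AccessRequest("carol", True, True, True, True, 2, "home")

if __name__ == "__main__":
    for req in (SHARED_MACHINE, UNATTENDED_LAPTOP, COMPLIANT_FROM_HOME):
        decision, why = evaluate(req)
        print(f"{req.user:>6} from {req.location:<6}: {decision} {why}")
```

The legitimate employee on the shared machine and the idle corporate laptop are both denied, while the fully compliant user working from home is allowed: location never enters the decision.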
- Aren’t home networks already quite safe?
It’s easy to regard the home networks used by remote working staff as safer than shared public environments. However, if you are working to adopt Zero Trust, this idea needs to be erased. The truth is home networks aren’t safer or less risky than coffee shops, airports, or other remote work locations.
There are many potential concerns, including routers with insecure default configurations, open Wi-Fi connections, and external guests. As part of a Zero Trust strategy, it’s best to treat home offices as untrusted environments at all times.
- Does my IT infrastructure need to be totally cloud based?
Because Zero Trust proponents spend significant time talking about how it works with cloud-based resources, it could be easy to think that everything needs to be placed there. This is certainly not the case.
As long as organisations have offices, they are likely to maintain critical legacy applications and shared file servers on-premises that users can only access through VPN. Even with a Zero Trust strategy, customers should consider the core network as part of a broader infrastructure of business applications.
- Do I have to say goodbye to auto logins for cloud app access?
An increasing number of cloud applications allow users to log in using social media accounts like Facebook and Twitter. While this might save time and effort, it falls well outside of Zero Trust principles, which are focused on managing risk.
Organisations that allow auto-logins or single sign-on for cloud services should use company-controlled credential management, such as identity providers, and establish trust relationships with cloud applications using protocols such as SAML. Doing so with user-controlled credentials essentially delegates credential management to employees and exposes the customer to credential stuffing attacks and many other security risks.
Because of the significant security benefits that it delivers, Zero Trust is likely to become much more widely used in the months ahead. By understanding some of the accompanying key constraints and requirements, organisations will be much better placed to have a strategy that works. Consider how it might benefit your operations.