Zero trust is the concept that no person, device, object, or connection should be trusted until it is proven that it should be. In the past, there was one bridge into the corporate network, and huge walls around anything of value inside. However, this means there has been an assumption that everything inside the walls was not a threat – and this has led to companies leaving themselves wide open to attacks from within.
Why do you need Zero Trust in 2022?
No matter the size of your business, the pandemic has expanded the threat perimeter of organisations across almost every industry. Cloud-based working is here to stay, and with that comes new threats. This means email and file storage applications need to be available everywhere, portable devices like laptops, phones and tablets are becoming the norm rather than the exception, and third parties (SaaS, contractors, partners) need to receive, store and share sensitive data with your organisation.
Playing a game of whack-a-mole with every employee that tries to get around security controls is not the right approach. It’s a sign that security is seen as a productivity dampener in the organisation which makes it harder to start new security initiatives and convince employees to comply with and respect important policies.
Steps towards a Zero Trust framework
Our general approach to cyber security until now has been to throw technology at the problem. Instead, proponents of Zero Trust recommend embracing the strategy and processes and then leveraging technology iteratively. A strong Zero Trust framework covers identity, endpoint & data security to ensure there are no loose ends that could be exploited by attackers.
It’s important to note that Zero Trust can’t simply be ‘turned on’ and should be considered a long-term transition. However, organisations can start to employ a lot of the Zero Trust tactics with minimal investment.
Here’s how:
- Offer secure cloud storage/collaboration solutions that are easy to use and don’t hinder productivity. Regularly coach employees on which cloud solutions they should use to prevent staff from using ‘shadow’ applications that may not be protected.
- Review the cloud applications used throughout your business, and enforce Multi-Factor Authentication (MFA) or enable Single-Sign-On with MFA via your Identity Provider if you have the technology to support it.
- Disregard the perimeter approach, and instead secure endpoints anytime/anywhere so that employees are protected no matter when or where they want to work. Use strong, cloud-based endpoint security solutions that ideally cover host-based firewalls, web protection/visibility, application control and Endpoint Detection and Response/Next-Gen Anti-Virus. You should be able to deploy configuration, gain real-time visibility and provide protection entirely from the cloud to your endpoints.
- Passwords shouldn’t be set to expire: expiry encourages poor password hygiene, such as writing passwords down or choosing weak ones. Instead, stick to high minimum character limits (14+ is ideal), remove the strict complexity requirements of symbols and coach your employees that they can “set a secure password and keep it forever”.
- Look at the native data loss prevention (DLP) controls available in your systems. If you can block data exfiltration onto unauthorised cloud apps, portable storage devices and over email, you have closed the most common data exfiltration methods.
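The review in the checklist above can be run as a repeatable audit. The following is an added example, not part of the original article: it checks a constructed application inventory against the MFA, shadow-application and password recommendations, and every field name and sample record in it is hypothetical.

```python
# Added example: audit a constructed application inventory against the
# checklist above. All field names and sample records are hypothetical.
from dataclasses import dataclass
from typing import Optional

MIN_LENGTH = 14  # the article's "14+ is ideal"

@dataclass
class App:
    name: str
    sanctioned: bool                      # approved by IT, i.e. not a 'shadow' app
    mfa_enforced: bool                    # MFA enforced in the app itself
    sso_with_mfa: bool                    # sign-in delegated to an IdP that enforces MFA
    min_password_length: int
    max_password_age_days: Optional[int]  # None means passwords never expire
    complexity_required: bool             # forced symbol/character-class rules

def audit(app: App) -> list[str]:
    """Return the checklist items this application fails."""
    findings = []
    if not app.sanctioned:
        findings.append("shadow application: not on the approved list")
    if not (app.mfa_enforced or app.sso_with_mfa):
        findings.append("no MFA: enforce it in the app or via SSO")
    # Assumption: with SSO the IdP holds the credential, so the app's own
    # password settings are not evaluated.
    if not app.sso_with_mfa:
        if app.min_password_length < MIN_LENGTH:
            findings.append(f"minimum length {app.min_password_length} is below {MIN_LENGTH}")
        if app.max_password_age_days is not None:
            findings.append(f"passwords expire after {app.max_password_age_days} days")
        if app.complexity_required:
            findings.append("strict complexity rules still required")
    return findings

def audit_all(apps: list[App]) -> dict[str, list[str]]:
    """Map each non-compliant application name to its findings."""
    return {a.name: f for a in apps if (f := audit(a))}

# Constructed sample inventory
INVENTORY = [
    App("mail", True, False, True, 8, 90, True),
    App("file-share", True, True, False, 14, None, False),
    App("legacy-crm", True, False, False, 8, 90, True),
    App("personal-notes", False, True, False, 16, None, False),
]

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, *findings, sep="\n  - ")
```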
As we’re all well aware by now, cyber security is a key factor in the success of any company. A Zero Trust framework can help a business of any size become more resilient, and it doesn’t have to cost a fortune. To further improve alignment to Zero Trust, you will still need leading technology solutions to have the necessary control and visibility. But by starting to implement Zero Trust processes and investing in select technologies, small businesses can begin to secure their networks and protect themselves as they grow.