In 'zero' we trust: taking a Zero Trust approach to security
The COVID-19 pandemic has tested every organisation’s ability to pivot rapidly to new ways of working and maintain business continuity, while navigating a significantly expanded attack surface.
The mass shift to distributed working has led to a dramatic increase in remote devices and users connecting to corporate networks. As businesses struggle to define exactly where the perimeter of their network now lies, traditional perimeter-based security has become less effective. Every time a network grants access to a mobile device or remote user simply because it appears to be on the ‘inside’, it puts the organisation’s infrastructure and data at risk.
Today, a static trusted state can never be assumed.
"We can no longer take for granted that we have a secure workplace, workload or workforce, which is why many businesses are turning to Zero Trust frameworks."
What is Zero Trust?
Taking a Zero Trust approach to security revolves around the notion that organisations should not automatically trust anything outside or inside the network’s perimeter, and instead should continually verify everything. This verification can take a number of forms: multi-factor authentication (MFA) of the user, restricting access to known, managed endpoints, and applying the concept of ‘least privilege’ so that each user is granted only the access they need within each application. Even if a device or online entity has been trusted in the past, verification should take place every time it connects to the network; nothing is inherited from an earlier session.
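The per-request decision described above, as an added example that is not part of the original article or NTT’s tooling. It is a small policy decision point in Python: every request is evaluated from scratch for a fresh MFA, a known endpoint whose posture still holds, and a least-privilege role scoped to the application. The device inventory, role permissions and the eight-hour MFA window are constructed assumptions; a real deployment would source them from an MDM/EDR platform and an identity provider.

```python
"""Per-request access decision for a Zero Trust policy engine.

Added example, not part of the original article or NTT's tooling. The device
inventory and role permissions are constructed for illustration; a real
deployment would source them from an MDM/EDR platform and an IdP.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed inventory of known, managed endpoints and their current posture.
KNOWN_DEVICES: Dict[str, Dict[str, bool]] = {
    "lap-0042": {"managed": True, "disk_encrypted": True, "edr_healthy": True},
    "lap-0077": {"managed": True, "disk_encrypted": False, "edr_healthy": True},
}

# Least privilege: what each role may do, scoped per application (constructed).
ROLE_PERMISSIONS: Dict[str, Dict[str, set]] = {
    "finance": {"erp": {"read", "approve"}, "crm": {"read"}},
    "sales": {"crm": {"read", "write"}},
}

# ASSUMPTION: MFA must have been completed within this window to count.
MFA_MAX_AGE = timedelta(hours=8)


@dataclass
class AccessRequest:
    user: str
    role: str
    device_id: str
    application: str
    action: str
    mfa_verified_at: Optional[datetime]  # None if the user never completed MFA
    now: datetime


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every request is checked from scratch:
    nothing is inherited from an earlier connection or network location."""
    reasons: List[str] = []

    # 1. Identity: MFA must be present and fresh, wherever the user connects from.
    if req.mfa_verified_at is None:
        reasons.append("mfa_missing")
    elif req.now - req.mfa_verified_at > MFA_MAX_AGE:
        reasons.append("mfa_stale")

    # 2. Endpoint: only known devices, and only if their posture holds right now.
    posture = KNOWN_DEVICES.get(req.device_id)
    if posture is None:
        reasons.append("unknown_device")
    else:
        for check in ("managed", "disk_encrypted", "edr_healthy"):
            if not posture.get(check, False):
                reasons.append(f"device_{check}_failed")

    # 3. Least privilege: the role must permit this action in this application.
    allowed = ROLE_PERMISSIONS.get(req.role, {}).get(req.application, set())
    if req.action not in allowed:
        reasons.append("action_not_permitted")

    return (not reasons, reasons)


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run a few constructed requests through the policy and return the outcomes."""
    now = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=5)
    stale = now - timedelta(hours=9)
    cases = {
        "ok": AccessRequest("alice", "finance", "lap-0042", "erp", "approve", fresh, now),
        "stale_mfa": AccessRequest("alice", "finance", "lap-0042", "erp", "approve", stale, now),
        "bad_posture": AccessRequest("alice", "finance", "lap-0077", "erp", "read", fresh, now),
        "unknown_device": AccessRequest("alice", "finance", "byod-1", "erp", "read", fresh, now),
        "over_privileged": AccessRequest("bob", "sales", "lap-0042", "erp", "read", fresh, now),
    }
    return {name: evaluate(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name:16s} {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The point of the structure is that the three checks are independent and all three must pass: a correctly authenticated user on an unmanaged laptop is denied, and a healthy managed laptop does not rescue a role that has no business in the application. Returning the list of failed reasons rather than a bare boolean is what lets the decision be logged and audited.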
A Zero Trust framework can therefore be described as an overall security strategy, rather than a concrete solution. It helps businesses to ensure they are taking a layered approach to security and are continually authenticating users and devices, while also reducing negative impacts on operations and user experience.
The concept of Zero Trust itself is not new, but it has returned to the headlines following a number of recent supply chain attacks, such as those on SolarWinds and Mimecast. When we factor in supply chain risks and third-party threats, we are left with an environment in which even previously trusted sources may be compromised. This, combined with the move to remote working and accelerated cloud adoption during the COVID-19 pandemic, has led to a renewed focus on the necessity of a Zero Trust framework.
Current threats to the network
Network security has come under sustained pressure over the last year, and Zero Trust is key to protecting against the tactics cyber criminals are using.
Distributed denial of service (DDoS) attacks continue to threaten networks, including corporate networks. In many cases the organisation’s own network is used to carry the attack traffic inside the target. Attackers are also abusing the Domain Name System (DNS) to amplify attacks: small queries sent to open resolvers with the victim’s spoofed source address produce much larger responses, all of which land on the victim, whether that is the organisation’s infrastructure or the applications it is trying to use.
In terms of wider threats, email remains a strong vector for malware. As phishing attacks become ever more convincing, we are applying detection techniques such as Network Detection and Response (NDR) and analysis of NetFlow data to the network to identify anomalous behaviour. This is especially crucial given that many attacks ride on protocols we rely on for normal operations, such as DNS, so the task is to separate abnormal use of a protocol from its everyday traffic. Limiting phishing, however, relies not only on technology but also on user awareness, given the volume of lures purporting to carry information about the pandemic.
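Flow-level detection of the DNS amplification described above, as an added example that is not part of the original article or NTT’s tooling. It runs over constructed NetFlow-style records: one internal host does ordinary lookups against the internal resolver, while another receives large DNS answers from six open resolvers it never queried, the reflected half of an amplification attack. The internal address ranges and the two thresholds are assumptions to tune for a real environment; with sampled NetFlow in particular, byte counts are estimates.

```python
"""Spot DNS amplification against internal hosts in NetFlow-style records.

Added example, not part of the original article or NTT's tooling. The flow
records below are constructed, and the internal address ranges and thresholds
are assumptions to tune for a real environment (in particular for sampled
NetFlow, where byte counts are estimates).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List

# ASSUMPTION: address space the organisation considers internal.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

UDP = 17


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed flow records: src, dst, IP protocol, ports, bytes, packets.
# 10.0.0.5 does ordinary lookups against the internal resolver 10.0.0.2.
# 10.0.0.9 never sent a query, yet receives large answers from six open
# resolvers: the reflected half of an amplification attack.
FLOWS: List[Dict] = [
    {"src": "10.0.0.5", "dst": "10.0.0.2", "proto": UDP, "sport": 51000, "dport": 53, "bytes": 70, "pkts": 1},
    {"src": "10.0.0.2", "dst": "10.0.0.5", "proto": UDP, "sport": 53, "dport": 51000, "bytes": 180, "pkts": 1},
    {"src": "10.0.0.5", "dst": "10.0.0.2", "proto": UDP, "sport": 51001, "dport": 53, "bytes": 70, "pkts": 1},
    {"src": "10.0.0.2", "dst": "10.0.0.5", "proto": UDP, "sport": 53, "dport": 51001, "bytes": 180, "pkts": 1},
    {"src": "10.0.0.5", "dst": "10.0.0.2", "proto": UDP, "sport": 51002, "dport": 53, "bytes": 70, "pkts": 1},
    {"src": "10.0.0.2", "dst": "10.0.0.5", "proto": UDP, "sport": 53, "dport": 51002, "bytes": 180, "pkts": 1},
    {"src": "203.0.113.10", "dst": "10.0.0.9", "proto": UDP, "sport": 53, "dport": 40000, "bytes": 3500, "pkts": 3},
    {"src": "203.0.113.11", "dst": "10.0.0.9", "proto": UDP, "sport": 53, "dport": 40000, "bytes": 3200, "pkts": 3},
    {"src": "203.0.113.12", "dst": "10.0.0.9", "proto": UDP, "sport": 53, "dport": 40000, "bytes": 3900, "pkts": 3},
    {"src": "198.51.100.5", "dst": "10.0.0.9", "proto": UDP, "sport": 53, "dport": 40000, "bytes": 3600, "pkts": 3},
    {"src": "198.51.100.6", "dst": "10.0.0.9", "proto": UDP, "sport": 53, "dport": 40000, "bytes": 3400, "pkts": 3},
    {"src": "198.51.100.7", "dst": "10.0.0.9", "proto": UDP, "sport": 53, "dport": 40000, "bytes": 3700, "pkts": 3},
]


def summarise_dns(flows: List[Dict]) -> Dict[str, Dict]:
    """Per internal host: bytes of DNS answers received, bytes of queries sent,
    and the set of resolvers that answered."""
    stats: Dict[str, Dict] = defaultdict(
        lambda: {"resp_bytes": 0, "query_bytes": 0, "resolvers": set()}
    )
    for f in flows:
        if f["proto"] != UDP:
            continue
        if f["sport"] == 53 and is_internal(f["dst"]):
            s = stats[f["dst"]]
            s["resp_bytes"] += f["bytes"]
            s["resolvers"].add(f["src"])
        elif f["dport"] == 53 and is_internal(f["src"]):
            stats[f["src"]]["query_bytes"] += f["bytes"]
    return dict(stats)


def detect_amplification(flows: List[Dict], ratio_threshold: float = 10.0,
                         min_resolvers: int = 5) -> List[Dict]:
    """A host that receives far more DNS answer bytes than it sent in queries,
    from many distinct resolvers, is on the receiving end of reflected traffic.
    Legitimate lookups are answered by few resolvers at a low byte ratio."""
    alerts = []
    for host, s in summarise_dns(flows).items():
        ratio = s["resp_bytes"] / max(s["query_bytes"], 1)
        if ratio >= ratio_threshold and len(s["resolvers"]) >= min_resolvers:
            alerts.append({"host": host, "resp_bytes": s["resp_bytes"],
                           "ratio": round(ratio, 1), "resolvers": len(s["resolvers"])})
    return alerts


if __name__ == "__main__":
    for a in detect_amplification(FLOWS):
        print(f"DNS amplification suspected against {a['host']}: "
              f"{a['resp_bytes']} bytes from {a['resolvers']} resolvers, ratio {a['ratio']}")
```

Two signals are combined on purpose. Answer bytes alone would flag a host pulling large DNSSEC or TXT records from its own resolver; the ratio of answers to queries catches traffic the host never asked for, and the count of distinct resolvers separates reflection from a single chatty server. On a sampled export the ratio is noisy, so treat the thresholds as starting points rather than fixed values.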
The supply chain is likewise a major risk vector. An organisation is only as strong as its weakest link, so it is vital to assess third parties and confirm that their security practices and controls meet your own standards.
Zero Trust in network security
Network security and Zero Trust go hand in hand. While we’ve been using segmentation and access controls across networks for many years, what’s changed recently is the ability to implement and manage that fine grained network access in a more integrated way.
The segmentation and trust model has also extended beyond the network boundary. With a distributed workforce, the network consists of much more than our in-house infrastructure and Internet connections. As a result, trust and verification need to be considered across the entire path, from the edge device to the cloud, the applications and the data.
This is particularly key when we look at the methods organisations have used to maintain business continuity during the pandemic. They have responded by deploying MFA and VPNs and adopting cloud-based collaboration tools. Yet we are still fighting a battle to give employees secure access to data without degrading the user experience.
Zero Trust’s principle of “never trust, always verify” helps to safeguard every point on the network by granting only the access that is required, while limiting the risk of that access being abused.
The increase in remote and hybrid working is here to stay. Current discussions around the modern workplace are, in turn, having an impact on what is needed from the network. For example, businesses are reconsidering where data and applications are stored, and reassessing the risks of data being misused or stolen.
Implementing a Zero Trust approach
There is no silver bullet for implementing a Zero Trust architecture, but a structured approach that encompasses identity management and network security controls is a good starting point. In addition, secure access service edge (SASE) lets businesses bring together many of the security controls that support the move to a Zero Trust model.
Adopting a Zero Trust framework removes much of the guesswork involved in protecting an organisation’s network and infrastructure. This ultimately builds resilience into network defence and provides a better way to address unprecedented and unanticipated threats.
At the end of the day, trust is critical to a strong network security posture, but it has to be earned and re-earned, so we need to verify and keep verifying.
Rory Duncan, NTT