January 29, 2020
In the past 10 years the network has changed, and so has security. Both consumers and businesses consume and rely on cloud services. We are all mobile, using multiple devices from multiple locations, which in turn has set off an explosion of very real security risks. First coined in 2010 by an analyst at Forrester Research Inc., the Zero Trust Network provides a new approach to network security, fit for today’s complex cloud/mobile/hybrid networks.
So what was wrong with the ‘old’ approach to network security?
Zero Trust Networks – an overview
Firstly, a Zero Trust Network is not a specific technology or service, but rather a holistic network security approach in which every person and device trying to access resources requires strict identity verification, whether seated inside the network perimeter or outside it.
To put zero trust security into context, traditional network security adopts a “castle-and-moat” principle. Everyone inside the “castle” is trusted (by default), with the “moat” making it hard to gain access from the outside.
With a Zero Trust Network, by default, no one is trusted – whether they are inside or outside the network. In order to gain access to network resources, verification is required – typically with Multi-Factor Authentication (MFA).
What’s the problem with a “castle-and-moat”?
The primary problem is that with a castle, once an attacker has scaled the wall (unpatched software) or broken a window (hacked password), they have free rein to walk around unchallenged. How many times have you heard that hackers had been inside a network for more than 6 months, undetected (as with Travelex)? Today’s corporate network is not a castle. Data is both in the data centre and in the cloud. Employees access data from multiple locations, using multiple devices.
Security challenges
So today it has become much more difficult both to manage and to maintain network security controls. With the advent of 5G, this will only accelerate the change. The burden therefore falls on IT to protect an increasingly complex and porous security perimeter, perhaps supported by security monitoring technologies (SIEM) and a dedicated security team (SOC) to detect and isolate unauthorised activity.
What is a Zero Trust Network – just a “new” approach?
Rather than just hardening your security defences, a Zero Trust Network assumes that no users or devices should be automatically trusted. A principle of least privilege ensures that only the minimum level of access required is provided to an individual. Access is only provided to the permitted files, applications or services, on an individual, granular level. To explain the difference, consider when you visit a company.
| Traditional “castle-and-moat” security | Zero Trust Security |
| --- | --- |
| You visit Reception and they assign you a “visitor” pass. After a quick freshen up in the bathroom, you give yourself a guided tour of their offices. Of course, the server room is (probably) locked, but you can freely enter any room, talk to anyone, sit down at any PC. The only question is whether any ‘security-minded’ individual challenges you. | You visit Reception and they assign you a “visitor” pass, uniquely identifying “YOU”. Your pass provides granular access to specific rooms, facilities and services. Which, as a visitor, does not provide much access at all! Wherever you wandered in the building, the door would be locked, unless you entered the specific meeting room you had been given access to. And in that room, you would only be able to access the services you had been granted. |
Zero trust provides an additional layer of protection – and a better fit for today’s cloud and mobile-enabled networks, which are in their nature, much more complex, porous and harder to protect.
The importance of identity & device management
With so much emphasis placed on a verified user identity, it is natural that Multi-Factor Authentication (MFA) is also a core part of Zero Trust Security, providing sufficient evidence that the user is who they claim to be. In addition to Identity Management, a Zero Trust Network also requires strict Device Access Management, to ensure only authorised devices are used.
The 10 principles of a Zero Trust Network
“Remove inherent trust from the network, treat it as hostile and instead gain confidence that you can trust a connection” – NCSC, November 2019. www.ncsc.gov.uk/blog-post/zero-trust-architecture-design-principles
Firstly, to summarise:
- A Zero Trust Network assumes there are attackers both within and outside of the network – No users or devices are automatically trusted.
- A principle of least privilege. Users are only given as much access as they need, minimising exposure to sensitive parts of the network.
- Granular micro-segmentation. Zero Trust Networks break up security into granular zones to limit access.
Zero Trust Network principles
- Know your IT architecture, including users, devices, and services.
- Create a single, strong user identity.
- Create a strong device identity.
- Authenticate everywhere.
- Know the health of your devices and services.
- Focus your monitoring on devices and services.
- Set policies according to the value of the service or data.
- Control access to your services and data.
- Don’t trust the network, including the local network.
- Choose services designed for zero trust.
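The visitor-pass comparison above and the NCSC principles just listed describe the same decision rule from two angles: castle-and-moat trusts network location, while zero trust denies by default and re-verifies identity, MFA, device identity and posture, and a per-resource least-privilege entitlement on every request, with the bar rising with the value of the data. The toy policy engine below is an added example written for this page, not code from CyberOne, Zscaler or the NCSC; every user, device, resource and request in it is constructed, and the four sensitivity tiers and their checks are assumptions chosen to make the contrast visible.

```python
"""Toy comparison of castle-and-moat and zero-trust access decisions.

Added example, not code from the original article. All users, devices,
resources and requests below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool   # strong device identity: a known, managed device
    healthy: bool    # posture: patched, disk encrypted, endpoint agent running


@dataclass(frozen=True)
class Request:
    user: str
    device: Device
    mfa_verified: bool
    inside_perimeter: bool   # on the LAN/VPN: the only signal castle-and-moat uses
    resource: str


@dataclass
class Resource:
    name: str
    sensitivity: int                     # 0 public, 1 internal, 2 confidential, 3 restricted
    allowed_users: Set[str] = field(default_factory=set)


# Principle 1: know your architecture. A constructed inventory of services
# with an explicit, per-user entitlement list (least privilege).
RESOURCES: Dict[str, Resource] = {
    "intranet": Resource("intranet", 1, {"alice", "bob"}),
    "finance-share": Resource("finance-share", 2, {"bob"}),
    "hr-records": Resource("hr-records", 3, {"bob"}),
}


def castle_and_moat(req: Request) -> Tuple[bool, str]:
    """Trust follows network location: inside is trusted, outside is blocked.
    Only the 'server room' (restricted data) has its own lock."""
    res = RESOURCES[req.resource]
    if not req.inside_perimeter:
        return False, "outside the perimeter"
    if res.sensitivity == 3:
        return False, "restricted resource is locked"
    return True, "inside the perimeter"


def zero_trust(req: Request) -> Tuple[bool, str]:
    """Default deny. Each request re-verifies user, device and entitlement;
    network location is deliberately never consulted (principle 9).
    Assumed tiers: 1+ needs an enrolled device and an entitlement,
    2+ adds MFA, 3 adds an acceptable device posture (principle 7)."""
    res = RESOURCES[req.resource]
    if res.sensitivity == 0:
        return True, "public resource"
    if not req.device.enrolled:
        return False, "unknown device"
    if req.user not in res.allowed_users:
        return False, "no entitlement for this resource"
    if res.sensitivity >= 2 and not req.mfa_verified:
        return False, "MFA required"
    if res.sensitivity >= 3 and not req.device.healthy:
        return False, "device posture not acceptable"
    return True, "identity, device and policy verified"


def decide(req: Request) -> Dict[str, object]:
    """Evaluate one request under both models; the record doubles as the
    per-device, per-service audit line principle 6 asks you to monitor."""
    c_ok, c_why = castle_and_moat(req)
    z_ok, z_why = zero_trust(req)
    return {"user": req.user, "device": req.device.device_id,
            "resource": req.resource, "castle": c_ok, "castle_reason": c_why,
            "zero_trust": z_ok, "zero_trust_reason": z_why}


# Constructed devices and scenarios.
MANAGED = Device("lt-0042", enrolled=True, healthy=True)
STALE = Device("lt-0017", enrolled=True, healthy=False)
ROGUE = Device("unknown-mac", enrolled=False, healthy=False)

SCENARIOS: List[Tuple[str, Request]] = [
    # Someone who 'broke a window' with a phished password, on their own laptop.
    ("intruder on LAN", Request("bob", ROGUE, False, True, "finance-share")),
    # Bob at home on a managed laptop, MFA completed.
    ("remote bob", Request("bob", MANAGED, True, False, "finance-share")),
    # Alice on the LAN 'wandering' into a share she is not entitled to.
    ("alice wanders", Request("alice", MANAGED, True, True, "finance-share")),
    # Bob, entitled and MFA'd, but on an unpatched device, after restricted data.
    ("bob unpatched", Request("bob", STALE, True, True, "hr-records")),
]


def run_scenarios() -> Dict[str, Dict[str, object]]:
    return {label: decide(req) for label, req in SCENARIOS}


if __name__ == "__main__":
    for label, rec in run_scenarios().items():
        print(f"{label:15} castle={rec['castle']!s:5} ({rec['castle_reason']}) "
              f"zero_trust={rec['zero_trust']!s:5} ({rec['zero_trust_reason']})")
```

Run as a script, the first and third scenarios show the castle model waving through an intruder and a lateral move that zero trust refuses, the second shows zero trust admitting a legitimate remote user the moat would block, and the fourth shows the posture check stopping an entitled, MFA-verified user whose device has not been kept healthy (principle 5).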
The journey to a Zero Trust Network may seem like a sizeable change from established strategies. A number of security technology providers are already supporting Zero Trust principles, often using Multi-Factor Authentication (MFA) and Identity and Access Management (IAM), as well as implementing micro-segmentation in parts of their environment. But Zero Trust isn’t just about implementing individual technologies. Zero Trust is a new way of thinking, requiring an ongoing strategy, and as such it is more of a journey than a destination, but a worthwhile journey nonetheless.
Take the next step
CyberOne are the UK’s leading Zscaler partner, providing fully managed services and 24/7 support to our clients. No one knows Zscaler like CyberOne does. Our dedicated team of experts are always on hand to answer any questions you may have. Contact us today…
About CyberOne
CyberOne is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC). Located at the heart of a high security, controlled-access Tier 3 data centre, CyberOne’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.