What is Zero-Trust?

Hypothetical

Here’s a hypothetical anecdote for you: That link you clicked on 2 minutes ago in the email, the one that said it was from your boss, just finished downloading and installing malicious software onto your company-owned computer. Now “your boss” is just waiting for the perfect moment to encrypt your company’s data and send you a ransom demand. They are grateful for your help, by the way. 

Fact

This hypothetical story is more true than hypothetical, and it illustrates a couple of important lessons. First – and I cannot say this enough – if that company hasn’t backed up their critical data, they are in a serious pickle. So back up your data – there are just too many reasons not to! (Check out our partner’s awesome data management service here!)

Save Money

The second lesson is this: that company could have saved data and money if they had prepared in other ways. In 2019, you’d be crazy if you thought your company was safe from security threats. It’s much more realistic to plan for the eventual attack. It is coming whether you are prepared or not. Planning will save your company from going out of business the way AMCA did. We should all be preppers! (Or as spell check suggests, peppers. Spicy!) One of these preparatory solutions is an idea termed zero-trust architecture. Zero-trust architecture (sometimes called a zero-trust framework) is a method of approaching the flow of information in a business in order to create a more secure network.

Zero-Trust

Zero-trust is a relatively new term. Coined in 2010 by John Kindervag, then an analyst at Forrester Research, Inc., it has recently become more popular due to the significant increase in cyber-crime since then. Because the nature of innovation is cumulative (we all want the newest gadgets), our environments become increasingly complex, making them harder to protect and secure. Zero-trust architecture aims to simplify the complexity that innovation brings to technology by restricting network access, for those inside and outside the network alike, on a least-privilege basis, granted by user identity and location. In other words, employees are only given access to the parts of the network that apply to their job description. Part of this also includes monitoring your network and identifying all traffic and its trends. That is where the term zero-trust comes from: it means the organization trusts neither those outside nor those inside the network.

Outside Threats (Don’t Forget Inside, Too)

This is an accurate definition, as many threats to our businesses’ networks have already successfully found their way inside. Most businesses focus on threats outside of their systems, but regrettably forget to consider that the threats inside the network are much more deadly. Once inside, they can be impossible to detect, and the system is the fraudsters’ oyster. Zero-trust insists that everything interacting in and with the network must be verified, which means businesses have a better chance of catching the crooks.

Limiting access is made possible by network segmentation, or the creation of sub-networks, each protected by its own firewall and separate access privileges. It’s like the phrase, “Don’t put your eggs in one basket.” This really just means that those in the accounting department are only allowed access to accounting apps and information, while the marketing department has a different sub-network that allows them access to only the required marketing tools and company information needed to do their job. 

Implementation

In the phishing example you fell prey to above, the impact of that event would be significantly reduced if the company implemented some zero-trust policies. The breach, then, would be contained to just your department, or the sub-network which you are on.

Multi-factor authentication could also be included under the umbrella of possible steps to zero-trust, the goal being to allow through only those who absolutely require it. 
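The containment argument above, sketched as an added example that is not part of the original post: a default-deny policy keyed on identity (department) and location (sub-network), with MFA as a precondition, compared against a flat network. The resource names, segments and rules are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample inventory: resource -> sub-network (segment) hosting it.
RESOURCES = {
    "ledger-app": "accounting",
    "payroll-db": "accounting",
    "campaign-tool": "marketing",
    "brand-assets": "marketing",
    "hr-records": "hr",
}

# Allow rules as (department, source segment, destination segment).
# Anything not listed here is denied (default deny).
ALLOW = {
    ("accounting", "accounting", "accounting"),
    ("marketing", "marketing", "marketing"),
    ("hr", "hr", "hr"),
}

@dataclass(frozen=True)
class Request:
    user_dept: str     # identity attribute
    src_segment: str   # location: sub-network the request comes from
    resource: str
    mfa_passed: bool

def decide(req: Request) -> bool:
    """Verify every request; grant only on an explicit rule plus MFA."""
    dest = RESOURCES.get(req.resource)
    if dest is None or not req.mfa_passed:
        return False
    return (req.user_dept, req.src_segment, dest) in ALLOW

def blast_radius(dept: str, segment: str, segmented: bool = True) -> set:
    """Resources reachable from one compromised, authenticated session."""
    if not segmented:  # flat network: being inside means being trusted
        return set(RESOURCES)
    return {r for r in RESOURCES
            if decide(Request(dept, segment, r, mfa_passed=True))}

if __name__ == "__main__":
    print("flat:     ", sorted(blast_radius("accounting", "accounting", False)))
    print("segmented:", sorted(blast_radius("accounting", "accounting")))
```

With segmentation, the compromised accounting session reaches only the two accounting resources; on the flat network it reaches all five.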

Many of the leading security experts are gung-ho about zero-trust architecture, according to a Forbes Insights survey. And while it may sound intimidating, we think you should be, too! Implementing zero-trust policies does not mean you do not trust your employees; instead, you are ensuring the protection of their information (and their jobs) from fraudsters by adding additional layers of security. Implementing zero-trust policies also does not necessarily mean purchasing a service (although you definitely can), but it can mean adding other simple steps to your security policies. Simply limiting access to only the employees who require it is a good start. From there, you can add additional levels of security, gradually making your network more secure. Before you know it, you’ll be a zero-trust pro!