Zero Trust – How to enhance your organisation’s protection against cyberattacks

Article

While older security principles focus on preventing intrusions, intrusions nowadays should be regarded as unavoidable, according to cyber security experts. And security work should, therefore, focus on protecting the things attackers are after – namely data. But how do you ensure users’ access to data in a risk-free way and simultaneously minimise the attack interface and create processes and readiness for detecting, isolating, and stopping intrusions when they occur? This article provides an introduction to Zero Trust, the security model’s various principles, and how they can be applied in practice – and in your organisation.

The threat from cyber criminals has increased in tandem with digitalisation, and not only has the number of aspiring cybercriminals increased – they have become more expert too. Cyberattacks are common now, and cyber security is consequently high on the majority of companies’ agendas.

The threat to companies is different nowadays and the question is no longer if but when you’re going to be hit by a cyber intrusion.

–  Ransomware attacks, where the attacker wants to obtain money through blackmail, are becoming increasingly common. And from that perspective, all organisations are now potential intrusion targets, says Jesper Blomé, Head of Security and Compliance at Iver.

Traditional security principles have primarily focused on, as far as possible, preventing external attacks on and intrusions into an organisation’s own networks and systems. The mindset has been that all of “the bad guys” are on the outside and that the answer, therefore, is to create an impenetrable perimeter shield. The problem with this type of security solution is that the resources on the inside are relatively unprotected, due to the solution’s inbuilt trust factor – everything and everyone on the inside can be trusted.  

– It’s like when you, as an employee, access the office building using your access pass, and once you’re in, you can move around everywhere unhindered because you’re regarded as a trustworthy employee. This kind of intrusion into a network can have devastating consequences because the intruders have full access to systems and data, says Jesper Blomé.

This is why a security model in which trust is explicitly evaluated, and trust-based access control is applied, is needed as a complement to traditional security principles. Zero Trust is that sort of complement. Chung-wai Lee, Security Specialist at Cisco, explains:

– Today’s cyber threats very seldom involve an attacker putting massive efforts into hacking their way into networks and systems: what they do now is simply log in with stolen personal data. This means we can no longer blindly put our faith in users and devices that we know. What we need to do instead is to work actively with trust-based access control in order to systematically reduce risks and potential attack interfaces.


What is Zero Trust?

Zero Trust can be described as a strategic mindset and philosophy when it comes to how contemporary IT security threats should be tackled in order to protect the operations’ most important assets – data – wherever they may be. At the heart of Zero Trust is the principle of minimum possible access in all situations. In practice, this means that all access is denied until users, devices, and applications have been verified and approved.  

Zero Trust gives no scope for built-in trust and secure zones because it is based on the assumption of “never trust – always verify”. What it is based on instead is the assumption that intrusions will happen and that potential threats exist both inside and outside traditional network boundaries. This assumption then forms the basis for the development of processes, methods, and tools to detect and manage these threats.

Rather than assuming that everything behind the firewall is secure, Zero Trust involves evaluating every single request at all times. 

It’s an approach that moves the security barrier from being a perimeter shield to something that protects every single device in a system or network.

– Zero Trust creates the preconditions for detecting cyber-attacks and ensures that you have the right tools to quickly and, above all, methodically isolate and stop intrusions when they occur, says Jesper Blomé.


On what principles is Zero Trust based?

The Zero Trust concept has developed over time, and today there are a number of different Zero Trust models available, such as the Jericho Forum’s de-perimeterisation work, Forrester’s Zero Trust and Zero Trust eXtended (ZTX), Google’s BeyondCorp and Gartner’s CARTA.

Every model has its own interpretation of the concept, but they have a number of shared, fixed principles in common:

  • The focus should be on protecting data, not on stopping all attacks (which is an impossible task)
  • All networks (private, public, and cloud) are “hostile” and should be regarded as insecure until proven otherwise
  • External and internal threats are ever-present and everywhere
  • No access should be given until users, devices, and applications have been verified
  • Authorise and encrypt everything (data, transactions, and flows)
  • Trustworthiness changes and should, therefore, be assessed continuously
  • All activities shall be logged and monitored


– Zero Trust, as a model, comprises a sound requirement framework and even if there are currently no organisations or tools that can fulfil all of these requirements, we can work towards getting as close as possible through a variety of different compensatory controls (both manual and technical), says Chung-wai Lee, Security Specialist at Cisco.


How can Zero Trust be implemented in practice?

Applying Zero Trust involves looking at all networks and systems within an organisation and questioning all built-in trust. Practical examples include requiring multifactor authentication at login, but can also involve looking at parameters relating to the connecting device.

– It’s interesting to look both at from where the device is connecting and at whether the enquiries follow the user’s normal patterns. It’s not, for example, reasonable for a single user to be connecting from Sweden at 10 am and from China at 11 am, says Jesper Blomé.

Another example is that users are no longer given permanent administrative access and are, instead, required to submit a specific request and be given access only for a limited period – every time. This ensures that access is continuously tested.
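The checks described in this section (multifactor authentication, the state of the connecting device, the Sweden-at-10-China-at-11 travel pattern, and time-limited administrative access) can be combined into one default-deny policy evaluator. The code below is an added illustration, not Iver’s or Cisco’s code; the thresholds (900 km/h for impossible travel, 50 km of location jitter, one-hour admin grants), the user name and the Stockholm and Beijing coordinates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

def distance_km(lat1, lon1, lat2, lon2):  # great-circle (haversine) distance, km
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool      # login completed multifactor authentication?
    device_managed: bool  # connecting device is one the organisation manages?
    lat: float
    lon: float
    at: datetime
    admin: bool = False   # asking for administrative privileges?

class ZeroTrustPolicy:  # default deny: every request is evaluated, nothing is trusted on sight
    MAX_SPEED_KMH = 900.0             # assumed: faster than an airliner => impossible travel
    ADMIN_GRANT = timedelta(hours=1)  # assumed: just-in-time admin access, per request
    def __init__(self):
        self.last_seen = {}     # user -> (lat, lon, time) of the last accepted request
        self.admin_grants = {}  # user -> expiry of the current time-limited grant
    def grant_admin(self, user, now):
        self.admin_grants[user] = now + self.ADMIN_GRANT
    def evaluate(self, req):
        if not (req.mfa_passed and req.device_managed):
            return False, "mfa and a managed device are required"
        if req.user in self.last_seen:
            plat, plon, ptime = self.last_seen[req.user]
            km = distance_km(plat, plon, req.lat, req.lon)
            hours = (req.at - ptime).total_seconds() / 3600
            # Same-city jitter is fine; a jump no airliner could make is not.
            if km > 50 and (hours <= 0 or km / hours > self.MAX_SPEED_KMH):
                return False, "impossible travel"  # baseline deliberately not moved
        self.last_seen[req.user] = (req.lat, req.lon, req.at)
        if req.admin:
            expiry = self.admin_grants.get(req.user)
            if expiry is None or req.at >= expiry:
                return False, "no active admin grant"
        return True, "allowed"

def demo():  # constructed sample: Stockholm at 10:00, Beijing at 11:00, then time-limited admin
    p, t0 = ZeroTrustPolicy(), datetime(2024, 1, 1, 10, tzinfo=timezone.utc)
    req = lambda hrs, lat=59.33, lon=18.07, admin=False: AccessRequest("anna", True, True, lat, lon, t0 + timedelta(hours=hrs), admin)
    out = [p.evaluate(req(0)), p.evaluate(req(1, 39.91, 116.40)), p.evaluate(req(2, admin=True))]
    p.grant_admin("anna", t0 + timedelta(hours=2))  # approved request: one hour of admin, then re-request
    out += [p.evaluate(req(2.5, admin=True)), p.evaluate(req(4, admin=True))]
    return out
```

Note that a request denied for impossible travel does not update the user’s last-seen baseline, so an attacker’s login cannot “teach” the policy a new location.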


How do you implement Zero Trust within your organisation?

Transitioning to a Zero Trust approach involves a transformation in the mindset of the entire organisation, according to Chung-wai Lee, Security Specialist at Cisco:

– The key, at the start, is getting the operational management people to understand what the objective is and why a Zero Trust strategy needs to be incorporated into the organisation’s digitalisation process. It’s also important that everyone involved understands that this is a gradual journey over time because Zero Trust is a comprehensive strategy involving both technical systems and methodologies.

Jesper Blomé says that the employees who are responsible for IT issues within an organisation need to look at the concepts on which Zero Trust is based and examine how they can be implemented in every single area – networks, systems, and clients.

– How do we achieve “never trust – always verify” for our network? Which of our systems that should have multifactor authentication do not have it? And how do we log and monitor events to see if an intrusion has occurred (and where it is occurring) – and where have we developed our ability to handle this kind of threat? 

There are many aspects to Zero Trust, and even implementing individual aspects makes a big difference.  

– When it comes to cybersecurity, you’re never done. It’s a continuous process that you have to keep on top of at all times, so you shouldn’t panic just because you can’t do it all at once. Every organisation should prioritise measures in the areas where they will make the biggest difference, based on where they’re starting from, concludes Jesper Blomé.


Tags: Cyber Security