“Never trust, always verify”.
That’s the philosophy at the heart of Zero Trust network security.
While it may sound overly cautious, (and perhaps even a little hostile), that’s part of the reasoning behind the Zero Trust model in the first place. With this approach to cybersecurity, nobody gets a free pass – even those already situated within the network perimeter.
In practice, Zero Trust network security involves no single technology or resource, but rather it’s a methodology for governing cybersecurity policy – and keeping your business safe.
In this Get Support Plain English guide, we’ll dive into the detail of Zero Trust, find out where it all started, how the methodology really works, and how you can use it to boost your cybersecurity.
So let’s begin.
What is Zero Trust network security?
In the simplest of terms, Zero Trust network security is a cybersecurity model which requires all users – within the perimeter of an internal network and outside of it – to have their identification verified and authenticated before being granted access. This includes accessing files and information once inside the network.
That’s the elevator pitch, but let’s get into the detail.
First, let’s try a little visualisation.
Imagine yourself in a lovely garden, full of flowers and birds chirping. Now imagine that garden is surrounded on all sides by a near-impenetrable brick wall. That’s your internal network – your “walled garden”.
The problem with traditional IT security is that, once someone manages to get through that wall, they have access to everything: all of your flowers (files), all of the birds (data), and all of the bees (financial records).
Zero Trust network security works like a doorman, guarding both the entrance to the walled garden and all the resources inside.
Before anyone is allowed to step a single foot in your walled garden, they must first show their ID to the bouncer to confirm their identity. Even once they’re inside the walled garden, if they try to pick a flower (access a file), they’ll need to once again confirm their identity with the bouncer.
It’s a heavy-handed approach, but it’s secure, and it’s safe. It’s also getting more and more important as businesses move more towards cloud-based solutions and away from local software installations.
This increases what’s known as the ‘surface area’ – essentially, that represents how many potential access points a hacker has to your network. The more you move away from local solutions, the less control you have, and the more beneficial a Zero Trust approach becomes.
How to implement the Zero Trust model
Because Zero Trust is more of a philosophy than a specific technology, there’s really no one-size-fits-all solution for implementing Zero Trust in your business.
That said, because Zero Trust can be applied in different ways, you actually have several options in terms of how you bolster your security via this model.
Here are a few of the ways you can leverage the Zero Trust methodology in your business network:
Multi-Factor Authentication (MFA)
MFA is at the very heart of Zero Trust. Available in a number of different flavours, Multi-Factor Authentication essentially requests that a user verify their identity by at least one additional method outside of their password. 2-Factor Authentication (2FA) is perhaps the most common variation of MFA, often used in combination with a smartphone either via text message or push notification to verify the user for login.
While it may sound counterintuitive, one idea which is gaining traction in the world of the Zero Trust model is passwordless credentials. The best example of this concept in action is FIDO2, and is best described as an evolution of MFA without the need for a password. This reduces friction and makes the Zero Trust experience that much faster and more efficient for work. Instead of passwords, FIDO2 relies on either cryptographic authenticators (such as your fingerprint or face scan), or external authenticators (such as physical FIDO keys or smart device).
Microsoft Intune for mobile devices
If you want the flexibility of allowing staff members to use their own smartphones and mobile devices, but still retain the security delivered by Zero Trust, an option like Microsoft Intune might be the way to go. Essentially, this allows users to ‘enrol’ their device with your organization and, from there, the administrator is able to grant (or deny) permissions for file access and so on. Intune can also be used to block devices it deems as potential risks – such as a rooted Android device or a jailbroken iPhone.
The problem with services in Zero Trust networks
So far, we’ve focused pretty heavily on users, and for good reason, but it’s also important to remember that services within a network must also communicate in a secure way. This is usually done via token-based API calls.
API stands for Application Programming Interface, put simply APIs allow applications and server to exchange messages and talk to each other.
Without Zero Trust security in place, it’s possible that a compromised API could be shuttling data in and out of your walled garden without you even knowing about it. But with Zero Trust, every token must be authenticated before communication between services is allowed.
What are the benefits of a Zero Trust for small-to-medium-sized businesses?
Now that we’ve got to grips with exactly what the Zero Trust model is, let’s now consider the reasons why you might want to implement it into your company’s IT infrastructure.
- Increased security. This almost goes without saying, but Zero Trust network security’s primary benefit to a business is the security it offers. While the conventional walled garden approach is acceptable for most SMEs who rely mainly on local software solutions, if your business works with sensitive data of any kind – or is beginning to use more cloud-based services – Zero Trust is almost a no-brainer. Bearing in mind that data breaches are on the rise – with 4.1 billion breaches in the first half of 2019 alone – this level of security might just become the norm.
- Greater control of data and internal assets. Our world is more connected than ever before, which means it’s getting tougher to maintain visibility of exactly who is accessing what and when. In the walled garden approach, you simply accept that internal users can access anything they like. But with Zero Trust, you have total control of your internal data, because you know it cannot be accessed without additional verification.
- Increased confidence in cloud-based services. With the rise of all-in-one productivity and cloud app platforms like Microsoft 365, cloud services are gaining more traction every day. There’s a school of thought, however, that sees the cloud as something of a security risk – and for good reason. Remote servers you can’t physically control naturally involve some level of trust, but with Zero Trust and the added layer of verification, it’s much easier to have faith in cloud-based storage.
- Enables ‘micro-segmentation’ of your user base. User permissions has always been a bit of a headache for businesses. While there are some files you want everyone to have access to, there are others which only certain employees should see. The Zero Trust framework allows you to segment your users in a very fine-grain way, managing specific users and group policies while also knowing that everyone is authenticated and verified before granting access.
Is it time your business went Zero Trust?
As you can see, the Zero Trust approach to cybersecurity is a truly holistic approach, so there’s no ‘right’ way to do it.
At Get Support, we offer a range of solutions based on Microsoft 365 and Azure AD, both of which can be configured for Zero Trust using features like Conditional Access.
If you do decide to get Zero Trust network security fully integrated with your business, you’ll benefit from a big boost to cybersecurity and – perhaps more importantly – enjoy real peace of mind. Even better, by enabling this level of authentication, you’ll be future-proofing your business as all of us move towards more of a cloud-based future. We all want to reduce friction, of course, but this also comes with its fair share of risk – and that’s what Zero Trust network security aims to mitigate.
If you’re interested in implementing Zero Trust network security, learning more about Microsoft 365 and its various Conditional Access controls, or you simply have questions about IT cybersecurity in general, call the Get Support experts today on 01865 59 4000.