
A friend asked me the other day, “What is Zero Trust security?” My answer was “the concept behind Zero Trust is highly granular control of distributed trust.” OK, not my exact words, but you get the idea? No.

I don’t blame anyone for asking what Zero Trust security is; it is a very different way of thinking about security in networks, inside as well as outside. Paul Simmonds, CEO of the Global Identity Foundation, stated in an interview in November 2018 that Zero Trust is an architectural state of mind. He says, “This is about security architecture done correctly, rather than what has happened historically, where security products have been bolted on.” If done correctly it is a “business enabler” because it enables organisations to change security quickly and securely as it combines processes and technologies. “Security is improved because it effectively blocks lateral movement within organisations.”

Lateral Movement

What does lateral movement within organisations mean? The National Cyber Security Centre (NCSC) says that:

Once an attacker has gained an initial foothold in a network, they will typically look to broaden and cement that foothold whilst gaining further access to valuable data or systems.
Any credentials that the attacker collects will give them (what appears to be) legitimate access to more hosts and servers. Once the goal has been reached, data can be exfiltrated, or systems and devices sabotaged.

That is why Zero Trust should also be set up inside the firewall perimeter.

Can you get Zero Trust off the shelf? 

Unfortunately it is not as simple as buying a Zero Trust solution off the shelf; you have to design and build it. It is not an IT-only project: the business must be involved continuously, and it is an ongoing project that is built in many stages. The good news is you can reuse what you already have: existing security, monitoring and orchestration tools (these enable automated configuration, coordination and management of computer systems).

How does Zero Trust work?

I will write about that in more detail in a later blog, but for now: it is an application- and user-centric approach, with authentication and authorisation. The good news is that you can implement it in many ways that will fit your model. Once applied, it will be continually monitored and adapted.

So what is Zero Trust?

In the end, Zero Trust security isn’t what its name implies; it will ultimately change everything. And when implementing it, network infrastructure is the weakest link, so pay special attention to virtualizing and securing your network infrastructure.