Zero Trust Strategy - Security model

Business Continuity 09.08.2021

A Zero Trust strategy to protect against security incidents

The growing number of mobile devices, working from home, the Bring Your Own Device trend, and, last but not least, SaaS and cloud services mean that, as an organization, securing a few applications is no longer enough. After all, the IT department has less and less control over access rights and the health of applications. This calls for a different approach to security – and more and more companies are opting for a Zero Trust model. A Zero Trust strategy helps you tackle the security challenges of the modern workplace.

In this blog post, you can read more about the current security challenges, how a Zero Trust strategy can help you, and how to start implementing it.

The biggest security challenges

Securing systems, data, and employees in the workplace is becoming increasingly difficult – partly due to the increase in SaaS applications and devices. After all, they increase the attack surface.

SaaS applications

The growing number of SaaS applications means that the IT department has less oversight and control over the infrastructure. Research conducted by McAfee shows that the average employee at an American company uses 36 different SaaS applications every day. And the companies themselves use no fewer than 1,900 different cloud services. In the Netherlands, too, the number of SaaS applications has been gradually on the rise in recent years. This exponential increase makes the monitoring and securing of applications complex.

Different devices

Besides the dramatic increase in the use of SaaS applications, more and more mobile and personal devices are being used. In the past, employees only needed access to work applications when they were actually ‘at’ work, but today’s situation is completely different: working from home is much more common, which means that security requirements are also changing.

Simply using a secure VPN to connect and authorize access to the corporate network is no longer enough. The IT department must ensure that the employees’ laptops or PCs are sufficiently secure, but also that the data is well protected when employees work on a mobile device or their own laptop. All the while ensuring that the organization’s compliance rules are observed.

Increased security risks

The more applications and devices your organization uses, the greater the attack surface for malicious parties. Employees who use weak passwords or devices that have not been updated pose a security risk to the company. Once a malicious party has access to a single device or application, they can theoretically penetrate deeper into the corporate network. The more complex it becomes to adequately monitor all apps and devices, the slower threats are detected and the greater the risk of malicious parties gaining possession of valuable data. A Zero Trust policy can help organizations mitigate security risks.

What is Zero Trust?

A Zero Trust policy is designed to implement endpoint security. An endpoint is a device such as a laptop, tablet, or mobile phone that connects to the corporate network. The policy focuses on strong authenticity and identity checks and trusted devices and endpoints, which means that companies have tighter control over access to data and systems. The main principles of Zero Trust:

– Never trust, always verify. Don’t allow just anything to access your network. If you can’t verify every IP address or device, you can’t guarantee network security.
– Grant access based on the identity and device of the employee requesting access, regardless of the network they are using. Not only do you need to be sure that the employee is who they say they are, but you also need to be able to verify that this person has legitimate access to certain data.
– Access to company-sensitive information is dynamic and something that must be continually verified. In a Zero Trust policy, consistent authentication and authorization is essential for maintaining secure systems.

So, what exactly does a Zero Trust strategy consist of?

A Zero Trust strategy is based on three components:

  1. Identity & Authentication

All Zero Trust policies are underpinned by a continuous assessment of whether individuals should have access to company resources. Effective authentication is therefore indispensable. As is a high-quality user database that integrates with all software used within the company and allows you to define user profiles and roles. Such a user database can be used to establish many things in advance, such as access to applications and data according to a group profile.

But this user database also serves as a central system through which users can authenticate themselves. You can then use methods such as Single Sign-On (SSO) and two-factor authentication to verify users’ login details. It is particularly important for companies using SaaS apps to have a central user database. After all, the data in a SaaS app is vulnerable unless access is limited to an endpoint that you can control. A lot of Identity & Access Management software makes this possible and integrates on-premises software with SaaS applications, so you can manage user profiles and groups from a single location and be 100% sure that the right people are getting access to the data.

  2. Device Authentication

When it comes to device authentication, it is also useful to use a centralized database to manage devices that access corporate networks and information. This can be done using an asset database, which verifies the owner of a device, supplemented by a posture assessment. This checks all compliance rules before a device is granted access to systems and information.

It is therefore important that each device has a unique identity that is checked before the device is granted access. One way to do this is through a public key infrastructure (PKI), which creates certificates and links them to each unique device. You can then use different security levels for different devices and specify how the devices will be monitored.

  3. Access Management

Once you know which people and devices are allowed to access business applications and information, you can use access management to manage access. Access management is all about defining and applying security policies. The unique thing about Zero Trust is that users only have access to the bare minimum they need to perform their job. And by giving an employee minimal access, you significantly reduce the attack surface. So, if an attacker does get their hands on an employee’s login credentials, it’s a lot harder for them to penetrate deeper into the network since the employee’s user rights are limited.
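The three components combined into one deny-by-default access decision, as an added example that is not part of the original post. The users, roles, device fingerprints and IP address are constructed sample values, and the eight-hour re-verification window and the two posture rules are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Constructed sample data; all names and values are hypothetical.
USERS = {"alice": "finance-clerk", "bob": "helpdesk"}  # user database: user -> role
ROLE_GRANTS = {  # role -> minimum set of (resource, action) pairs
    "finance-clerk": {("invoices", "read"), ("invoices", "write")},
    "helpdesk": {("tickets", "read")},
}
ASSETS = {"fp:laptop-001": "alice", "fp:phone-007": "bob"}  # cert fingerprint -> owner
MAX_AUTH_AGE = timedelta(hours=8)  # assumed re-verification interval

@dataclass
class Request:
    user: str
    mfa_passed: bool
    auth_time: datetime
    device_fp: str        # fingerprint of the device certificate presented
    disk_encrypted: bool  # posture signals (assumed compliance rules)
    os_patched: bool
    source_ip: str        # logged only; network location never grants trust
    resource: str
    action: str

def decide(req, now):
    """Return (allowed, reason). Identity, device and access checks must all pass."""
    role = USERS.get(req.user)
    if role is None or not req.mfa_passed:
        return False, "identity not verified"
    if now - req.auth_time > MAX_AUTH_AGE:
        return False, "authentication too old"
    if ASSETS.get(req.device_fp) != req.user:
        return False, "device not registered to user"
    if not (req.disk_encrypted and req.os_patched):
        return False, "device fails posture assessment"
    if (req.resource, req.action) not in ROLE_GRANTS.get(role, set()):
        return False, "outside role's minimum access"
    return True, "allowed"

if __name__ == "__main__":
    now = datetime(2021, 8, 9, 12, 0, tzinfo=timezone.utc)
    ok = Request("alice", True, now - timedelta(hours=1), "fp:laptop-001",
                 True, True, "203.0.113.5", "invoices", "read")
    print(decide(ok, now))
    print(decide(replace(ok, resource="tickets"), now))
    print(decide(replace(ok, os_patched=False), now))
```

The `source_ip` field is deliberately absent from every check: the decision is the same whether the request comes from the office or from home.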

Conclusion

Implementing a Zero Trust policy is no easy task, and it can take a lot of time and effort to do it successfully. According to an IBM study, the average data breach costs a large corporation around $3.92 million. And since the increasing volume of data, networks, devices, applications, and work locations is making the workplace increasingly complex, a Zero Trust strategy is becoming almost indispensable for keeping that workplace secure.
Want to know more about Zero Trust policies and Microsoft 365 and discover the other possibilities for providing your employees with an innovative and secure workplace? Feel free to contact us. We’ll walk you through your options.

 
