The concept of the zero-trust security model has been around for more than a decade, with its roots in a 2009 paper by Forrester Research. Since then, it’s been an ongoing hot topic, especially during the global pandemic when companies rushed to embrace remote work and SaaS services. Yet even now, many companies struggle to understand what zero-trust means and how to implement it.
At the most basic level, trust is never assumed: anyone or anything trying to access resources must be verified, no matter where the request comes from. To use an analogy, to enter a business building, a user must provide evidence of identity (employee ID card) and business purpose to enter the building, and again to access a specific office.
Throughout the visit, a company will monitor the user to ensure they don’t wander into off-limit areas of the building. In the same way, the core principles of zero-trust are to verify the identity of users and devices and continuously monitor their behavior, even when they are inside the corporate network. This approach helps organizations create a more resilient security posture to prevent, mitigate, and contain security threats by not relying solely on hardened perimeter defenses.
Think of zero-trust not as a product, but as a security framework and mindset that organizations adopt and implement using various technologies, such as multi-factor authentication, identity and access management, encryption, and monitoring.
The principles of a zero-trust model include:
- Verify identity: Every user, device or service trying to access resources must be authenticated.
- Least privilege access: Users, devices or services should only have the minimum level of access necessary to perform their tasks.
- Explicit access policies: Clearly define and enforce access policies based on the principle of least privilege.
- Continuous monitoring: Regularly monitor and analyze behaviors to detect potential threats.
For larger companies, the challenge often lies in the cost and complexity of deploying and integrating various security technologies and processes, as well as the need to retrofit older legacy systems that were not built with zero-trust requirements in mind. Retrofitting may require updates to legacy firewall rules or network segregation to achieve micro-segmentation.
Smaller companies often lack education and awareness among the top stakeholders. The business first needs to invest in understanding use cases for accessing their data and systems, then may face resistance to the friction caused by the added security controls and processes.
Organizations need to start simple and show business value as soon as possible. Here are four ways to get going:
- Know the company’s assets: Understanding what the company wants to protect and its criticality is the foundation for vulnerability management, configuration management, data and device protection, and zero-trust programs.
- Protect all assets: What does an attacker see when they look at the business? Can they easily find open web ports, unauthenticated or weak remote access, and unprotected assets with sensitive data? Pay attention to the basics by patching critical external vulnerabilities, securing remote access, and improving protections and detections of threats from email, endpoints and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. Also, consider multi-factor authentication in place of strong passwords.
- Control access to assets: It’s critical to have proper account lifecycle management and appropriate access controls in place. Many smaller organizations start by granting a small group of highly-trusted employees relatively open and continuous access to data and systems. This model does not scale, and leaves the business vulnerable to external and internal attacks. Instead, centrally manage access across all common IT systems and limit access to only specific users, devices and applications. Access decisions happen in real time based on defined business policies and access request context.
- Continuously monitor and train: Never overlook the human aspect—it’s critical to making cybersecurity initiatives successful. In 2023, roughly 50% of Corvus’ claims were social engineering or business email compromise-related attacks. Empower employees with proper awareness and skills training to help reduce attacks.
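The following is an added illustration, not code from the article or from Corvus, of the policy model described above: identity is verified on every request, access is granted only by an explicit rule (default deny), the rule can require MFA and a compliant device, and every decision is written to an audit record. The policies, roles and resource names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample policy set: explicit allow rules, everything else denied.
# Each rule says who may perform which action on which resource, and under what conditions.
POLICIES = [
    {"resource": "payroll-db", "action": "read", "roles": {"finance"},
     "require_mfa": True, "require_managed_device": True},
    {"resource": "wiki", "action": "read", "roles": {"finance", "engineering"},
     "require_mfa": False, "require_managed_device": False},
]

@dataclass
class Request:
    user: str
    roles: set
    authenticated: bool    # identity verified (e.g. via IdP)
    mfa_passed: bool
    device_managed: bool   # enrolled in device management
    device_patched: bool   # posture check passed
    resource: str
    action: str

def decide(req, policies=POLICIES):
    """Return (allowed, reason). Network location plays no part in the decision."""
    if not req.authenticated:
        return False, "identity not verified"
    reasons = []
    for p in policies:
        if p["resource"] != req.resource or p["action"] != req.action:
            continue
        if not (req.roles & p["roles"]):
            continue
        if p["require_mfa"] and not req.mfa_passed:
            reasons.append("mfa required")
            continue
        if p["require_managed_device"] and not (req.device_managed and req.device_patched):
            reasons.append("device not compliant")
            continue
        return True, "allowed by explicit policy"
    # No rule fully satisfied: report the first unmet condition, else plain default deny.
    return False, reasons[0] if reasons else "no matching policy (default deny)"

def audit(req, decision):
    """One log line per decision, so who did what to which asset is always answerable."""
    allowed, reason = decision
    return (f"user={req.user} resource={req.resource} action={req.action} "
            f"allowed={allowed} reason={reason}")
```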
Threat prevention requires advanced security products and audit logging. Without the ability to understand what occurred, who did it, and what assets were involved, the organization will remain in the dark and unable to conduct effective incident response activities and recover data in the event of an attack.
Base the selection and implementation of security controls on risk assessment, budget constraints, and the specific needs of the organization. Make sure the team regularly reviews and updates its security strategy to adapt to evolving business activities, technologies and threat trends. As threat actors become more sophisticated, and businesses require greater speed and flexibility, it’s well worth the time and resources to invest in a zero-trust model to protect what matters most to the business.
Vincent Weafer, chief technology officer, Corvus Insurance