When someone knocks on the front door of your house, is your first response to open the door and let them in? That might be the case for your friends, family and other people who routinely visit your house. For everyone else you must find out who they are and what business they might have with you or your family members before you decide to allow them to cross your threshold.
That’s what a zero trust approach to cybersecurity is about, except that everyone’s identity must be verified every time they come to the door, no matter how familiar they are.
When you imagine how this would play out, it seems cumbersome and maybe even a little ridiculous. It will probably irritate some people because it will slow them down and they’ll feel like the requirement is redundant.
Picture your mom having to show her ID every time she comes to visit. No doubt she’ll be irritated but when she realizes that access to you (and maybe her grandchildren) requires that she verify her identity, she’ll soon have her ID at the ready and the routine will become second nature.
Identity verification is the core of zero trust because it’s too easy for a foe to masquerade as a friend.
There might not be anyone coming to your front door trying to fool you into thinking they’re your mom. There are plenty of bad actors, however, trying to get through the doors of your IT network who would like to move around unseen, or at least make you think they have legitimate business messing with your data and accounts when, in fact, they don’t.
Now that you get the gist of zero trust, let’s go a little deeper into what it’s all about.
The Principles That Guide Zero Trust
Zero trust is built on three guiding principles.
- Verify explicitly
- Utilize least privilege
- Assume breach
Our example story of your mom having to flash her ID when she comes to visit most closely covers the first principle. The second principle – utilizing least privilege – means that people have access to only the data and accounts they need to do their job.
Let’s apply our home scenario to the principle of least privilege. Say the visitor to your home is a plumber that you hired to do some repairs. They don’t need to go into your bedrooms or even your living room, but they may need access to the kitchen or bathroom. They only need access to the parts of the house where the repairs are being done. That’s least privilege.
The third guiding principle refers to the assumption that there may already be an intruder inside, whether you’ve detected them or not. That just means that you’re on your guard all the time and you’re ready to respond at any moment. In your IT environment, this is what’s known as “threat detection,” and it keeps an intrusion from becoming a full-blown invasion.
What does an unknown threat look like in our home scenario? Imagine that one of your teenagers brought a new friend home from school. They came in through the garage and not through the front door where you’re checking IDs. They’re in the basement playing video games. It looks innocent enough, but the new friend isn’t who they say they are. They’re actually sizing up your property and gathering intelligence to take back to their gang for a robbery.
The scenario that you can now picture – checking IDs at the door, monitoring how much access people have when they’re allowed in your home, and assuming an intruder is present – might seem a little exaggerated unless you knew that your neighborhood was dangerous. Unfortunately, the neighborhood of the internet is filled with threats, and this kind of robust security is not overkill at all.
If you wanted to improve security at your house, you could probably think of what you need to do. But what about securing your small or medium-sized business from cyber-criminals? How do you put a zero trust strategy in place?
Implementing Zero Trust
The way to implement the zero trust philosophy is with a layered security strategy that includes both technical and nontechnical tactics. Microsoft has many of these layers built into its Microsoft 365 platform, and these capabilities put enterprise-level security within reach of small and medium-sized businesses. However, not every business that uses Microsoft 365 is utilizing these tactics, either because their IT team doesn’t have the expertise, or because business leaders have limiting ideas about what’s possible.
Let’s address a few of these limiting ideas and misconceptions about zero trust.
1. Is zero trust just a checklist of security tactics?
Zero trust is an approach to cybersecurity, not a checklist. It’s a journey rather than a destination because you never truly “arrive.” Cybersecurity is a dynamic process that evolves. There’s always something to monitor, something to respond to, or something to improve upon.
2. Is zero trust achievable?
Zero trust is a long game, and achievement is measured in progress. Depending on your starting point, you may not need to overhaul all your existing security systems. It’s likely that you do need the help of a virtual Chief Information Security Officer (vCISO) to show you what you need to implement immediately to reach an appropriate security baseline, and then to create a path of improvement from there.
3. Won’t zero trust slow down our people?
Security has a reputation for being inconvenient, but replacing insecure behaviors and practices with secure ones is possible. It’s all about having a good change management process that sets proper expectations and explains why the change is needed.
First Steps Towards Zero Trust
Whether you’re ramping up security in your home or your network, it’s essential to have a plan. Your plan should include not only the details of how you’ll layer on the security tactics you’re going to use, but also how you’re going to communicate the changes to the people who need to know.
Here at XPERTECHS, we work with organizations to create security strategies that move them towards a zero trust philosophy and make security a strong business capability. If you’re not confident that your IT team can evolve your cybersecurity strategy so that it effectively manages modern threats, we should talk.