Zero Trust
As we move towards a cloud-centric world full of modern technologies and cloud goodness, a question that will always come up within an organization is: how do we govern our access to technology? Do we implement a system based on zero trust, or do we grant full access to technology resources and trust our employees to be secure in their behavior? Where do we draw the line? And do we even have to draw a line?
A zero trust model is based on the principle of “never trust, always verify.” For a zero trust model to be successful, you have to assume that any individual trying to access your environment is untrustworthy until proven trustworthy. This sounds cynical at first, but it is the way to go if you want to secure your assets.
A zero trust model is based on 4 key principles:
- Strong user authentication everywhere. This can be ensured by enforcing two-factor authentication. This means that every time you try to access your email or a corporate service, you have to authenticate not just with a password, but also with biometric authentication or a text message (these are only examples of a secondary method of authentication).
- All devices used by users are enrolled in a device management service and their health is verified. This is ensured by enrolling all user devices in a device management solution that verifies that the device a user is using to access your company resources is safe and free of malicious attacks.
- Access is limited to only what is needed. This is achieved by ensuring that users have least-privilege access. A user has access only to what they need and nothing more. The more access you give a user, the more you leave your organization open to attacks and leakage of information.
- The health of all services in your network is always verified. Verifying the device, and that the user accessing your service is actually who they say they are, is still not enough; we need to verify that the service itself is free of malicious attacks every single time a user tries to access it. A user’s device may be healthy, but granting it access to an unhealthy service may expose the data of that user and of other users in the organization.
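The four principles above can be read as one decision made on every request. The sketch below is an added example, not code from the original post; the role map, field names and the 300-second freshness window are assumptions made for illustration. It shows the "never trust" default in practice: a missing or stale signal is a denial, not a pass.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical least-privilege map: each role lists only what it needs.
ROLE_GRANTS = {
    "finance-analyst": {"ledger:read"},
    "hr-admin": {"hr-records:read", "hr-records:write"},
}
MAX_SIGNAL_AGE_S = 300  # assumed freshness window for health signals

@dataclass
class AccessRequest:
    role: str
    resource: str
    # None means the signal is missing, which is treated as untrusted.
    mfa_passed: Optional[bool] = None
    device_enrolled: Optional[bool] = None
    device_healthy: Optional[bool] = None
    device_signal_age_s: Optional[int] = None
    service_healthy: Optional[bool] = None
    service_signal_age_s: Optional[int] = None

def verified(value, age_s):
    """A health signal counts only if it is present, True and recent."""
    return value is True and age_s is not None and age_s <= MAX_SIGNAL_AGE_S

def evaluate(req):
    """Return (allowed, reasons); every check must pass on every request."""
    reasons = []
    if req.mfa_passed is not True:
        reasons.append("user: second factor not verified")
    if req.device_enrolled is not True:
        reasons.append("device: not enrolled in device management")
    elif not verified(req.device_healthy, req.device_signal_age_s):
        reasons.append("device: health not verified recently")
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        reasons.append("access: resource not granted to this role")
    if not verified(req.service_healthy, req.service_signal_age_s):
        reasons.append("service: health not verified recently")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed sample requests.
    ok = AccessRequest("finance-analyst", "ledger:read", True, True, True, 30, True, 10)
    stale = AccessRequest("finance-analyst", "ledger:read", True, True, True, 30, True, 900)
    for name, req in (("ok", ok), ("stale service", stale)):
        print(name, evaluate(req))
```

Returning the list of failed checks alongside the decision gives the access log a record of which principle blocked a request.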
Transitioning to a zero trust model is not easy; there’s a cultural shift that goes with it. However, when your users and data are always at risk of malicious attacks, the stakes are high, and you have to ensure that you leave no chance for mistakes. A zero trust model is a way of thinking that is applied to everything you do in an organization. It starts with verifying users and devices, and continues with verifying all the services your users are accessing too.
Great article, Ibrahim, couldn't agree more with the Zero trust model, this is the best way to decrease threats on your data and identity.