zero trust

    Zero Trust — New Concept of Cybersecurity

    0
    By on Cloud Security

    In recent months, a new concept has emerged in terms of cybersecurity. This notion has gained importance with the latest events and the start of confinement.

    This new approach is called “Zero Trust.” Many people tell you about the merits of this approach, but what exactly is it?

    HISTORICAL REVIEW:

    In most companies, security managers have created trusted zones from which trusted users using trusted equipment can connect to the company’s information system.

    In general, the trusted zones correspond to the physical sites of companies. Similarly, the equipment used by the company’s employees is owned by the company.

    Consequently, securing the whole consists of setting up ramparts around the business networks. These ramparts ensure that only those inside have access to the information system.

    This is a so-called “perimeter” approach to security since it guarantees security right up to the perimeter of the company’s network. Anything outside is considered untrustworthy.

    EVOLUTION:

    But today, and more so with confinement, the borders that existed (materialized by internal networks) are called into question.

    This evolution has already started with the development of information systems towards the “Cloud.”

    Indeed, many companies are making more outsourced applications available to their users in SaaS mode. Likewise, companies are increasingly storing their data outside the company.

    In addition, since the start of the confinement, users have had to access the information system outside the company walls. Even with equipment that is not owned by the company.

    Consequently, these new ways of working require that the information system no longer be limited to a fortress. The information system and user access become diffuse. Furthermore, the types of access are multiple and not necessarily standardized.

    All these aspects of the evolution of the information system oblige security managers to rethink the way of securing the company’s information assets (applications and data).

    Concept Of ZERO TRUST:

    Consequently, companies must put in place the following:

    • An information system without constraints or access restrictions.
    • An architecture guarantees the security of information assets.

    Finally, the issue of information system security becomes:

    • The user and the context from which he connects.
    • Functional user needs (Applications and authorized data)

    The “Zero Trust Security ” approach makes it possible to achieve this objective.

    The principles of “Zero Trust” are as follows:

    • Any network is, by default, considered hostile.
    • Threats always exist on the internal web as well as on external networks.
    • The internal network is not an absolute trust network.
    • Each terminal, each user, and each network flow must be authorized or even authenticated.
    • Security policies must be dynamic and defined from many application sources or user data.

    Companies’ evolution towards this security model generally occurs when they embark on digital transformation projects.

    IMPLEMENTATION OF “ZERO TRUST”

    The principles for implementing the “Zero Trust” model are:

    • Strong user authentication.
    • Validation of user equipment.
    • Contextual confirmation of access requests.
    • The micro-segmentation of networks.
    • Compliance with the rule of least privilege.
    • Systematic logging and inspection of what users are accessing.
    • The detection of anomalies and the triggering of alerts in real time.

    Cyber Snowden Reviews:

    The “Zero Trust” model is not a straightforward concept nor a fad.

    This is the final step in a long-term process that includes a new generation of security controls designed in a completely different way from traditional network-based access models.

    Ultimately, this new model is closely linked to the evolution of business information systems which are:

    • More heterogeneous since the advent of Cloud solutions.
    • More open to the outside.
    • More user-oriented.

    The evolution of information systems and new ways of working for users leads us to the following conclusion:

    • Since it is impossible to predict what new advances will take place in the future or how companies will integrate them.
    • Since it is impossible to say with certainty from a user that the device, application, or network they are using is entirely secure.

    By default, the only permissible security approach is never to trust and always verify.

    The “Zero Trust” model requires work to set up and classify, but it represents a critical link in the long-term modernization goal for the digital enterprise.

     

    Usama Amin is a Security blogger focusing on Cyber Security, Cloud Security, and IoT. He has worked as SR. Security Consultant for more than 10 years for industry-leading IT companies. Usama's experience also includes working as a legal expert witness for Cyber management. He writes about industry technology trends and best practices. He incorporates his views and his many years of experience to provide unique technology advice for people that manage and support Cyber solutions.

    Related Posts