Putting Zero Trust Theory into Practice

By Leyton Jefferies

Zero trust isn’t a product you can buy off the shelf; it’s a mindset that needs to permeate every aspect of your organisation. According to a recent Cisco report, around 90% of organisations have begun adopting zero trust security, but only 2% have fully mature deployments, and the majority (86.5%) are still in the initial stages of implementation.

So, where does one begin with zero trust?

Zero trust has become a buzzword in the IT security landscape, but what it actually means is often left vague. It is not a product but a paradigm shift in how we approach security: it means re-examining fundamental security assumptions and treating every access request with scepticism, every time. This shift reflects a broader cultural change in which organisations are becoming more vigilant against all forms of risk.

At its core, zero trust encapsulates a set of security principles:

  • Verify every time
  • Use least privilege for access
  • Assume a breach has already occurred

Ultimately, zero trust builds upon the concept of privileged access management by adding further layers of control so that protection is comprehensive. In a world fraught with security threats, the mantra becomes “never trust, always verify”.

Zero trust as an architectural framework for security

Zero trust serves as a comprehensive framework for safeguarding complex networks against both internal and external threats, particularly those stemming from the misuse of user credentials. IBM describes zero trust as a philosophy in which every user and connection is treated as a potential threat and defended against accordingly. It involves continuously monitoring and validating that users hold the appropriate privileges and attributes.

The key components of a zero trust framework include:

  • Logging and inspecting all network traffic
  • Limiting and controlling network access
  • Verifying and securing network resources

Zero trust employs authentication, authorisation and validation to safeguard user access both inside and outside the network, including cloud-based connections and remote workers. It governs the permissions granted to each device, dictates which applications it may run, and controls the data it can access, store, encrypt and transmit.

The shift to cloud security best practices

Zero trust represents a departure from traditional privileged access management, which focuses on the security of internal users and overlooks risks arising from the broader cloud environment. For example, privileged access management alone does not guard against a user’s legitimate credentials being misused, such as by an attacker who has stolen them. A zero trust approach should also protect the network from risks coming from the wider cloud-based environment.

Adopting a zero trust approach is prudent now because of the rise in remote work and organisations’ widespread reliance on cloud infrastructure. This trend has eroded the traditional network perimeter, leaving a more diverse array of users, technologies and applications that need to be managed securely.

Escalating cyber threats

Cyber threats have surged to unprecedented levels since 2023, with state-sponsored activity and phishing attacks leading the charge and reported to account for 90% of data breaches. According to Microsoft, distributed denial of service attacks rose by 67% in 2022, with the company mitigating an average of 1,435 attacks each day. Meanwhile, around 300,000 new pieces of malware, which attempt to gain unauthorised access to or disrupt IT systems, now appear every day. Gartner also predicts that 45% of organisations will suffer a supply chain cyber attack by 2025.

Given these alarming statistics, why are organisations hesitant to embrace Zero Trust?

The reluctance stems from the fact that zero trust necessitates a paradigm shift, demanding time, resources, skills and appropriate products. Many organisations think of zero trust only in terms of the cloud-connected architecture they own, while their extended estate depends on public and hybrid cloud services and on remote working arrangements. These organisations often have rigid compliance requirements and operate a mixed estate in which legacy architecture does not align neatly with zero trust principles, and legacy systems may lack support for modern authentication methods and secure protocols, making integration harder still.

Furthermore, IT security specialists are often overwhelmed with the ongoing task of monitoring and responding to alerts. There’s a legitimate concern that adding more security products could exacerbate complexity, making the overall setup more difficult to manage and maintain.

Why identity is the cornerstone of security

A reported 80% of breaches involve user credentials, which makes identity management a pivotal aspect of zero trust. Businesses must prioritise robust identity strategies to control data access and security across diverse user groups and devices, especially in the context of digital transformation initiatives. Granting credentials without proper challenge or validation contradicts best practice and industry standards and significantly heightens an organisation’s risk exposure. Identity management, the process of overseeing and confirming user access and privileges, remains a cornerstone of security in today’s cloud-native world.

Implementing a zero-trust approach

Breaking a zero trust policy down into smaller, manageable components aligned with the five core functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond and Recover) makes implementation more tractable. Tasks such as vulnerability scanning, attack surface management and asset management fall under Identify. Identity management, Single Sign-On (SSO) and Multi-Factor Authentication (MFA) fall under Protect. Anti-malware, Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), Managed Detection and Response (MDR) services and log management make up the Detect category.

Each function can be supported by cybersecurity tools such as risk-based multi-factor authentication, identity protection, endpoint security and encryption, which together build a robust security architecture. Leveraging existing technology and managed services is a practical way to implement zero trust while making the most of available resources.
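The authentication, authorisation and validation steps described under the architectural framework section, and the risk-based MFA mentioned above, come together in a per-request policy decision. The following Python is an added example (not code from the page, the author or CSI Ltd) of what such a decision looks like: every request is re-verified against the user’s explicit grants, the device’s posture and a risk score; a risky request with stale MFA triggers step-up rather than silently passing; and every decision is logged on the assumption that an attacker may already be inside. The grant table, posture rules, risk weights, thresholds and sample requests are all constructed assumptions, not any product’s defaults.

```python
"""Per-request zero trust policy decision (added example, not the page's own code).

Every request is evaluated on its own: identity, least-privilege grants, device
posture, MFA freshness and request context are checked every time, nothing is
cached from an earlier decision, and every outcome is logged for inspection.
All names, thresholds, weights and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed least-privilege grants: user -> resource -> actions explicitly allowed.
GRANTS = {
    "alice": {"payroll-db": {"read"}, "wiki": {"read", "write"}},
    "bob": {"wiki": {"read"}},
}
MFA_MAX_AGE = timedelta(minutes=15)  # assumed window in which a prior MFA still counts
RISK_STEP_UP = 40                    # assumed score at which fresh MFA becomes mandatory
RISK_DENY = 70                       # assumed score at which the request is refused outright

@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    patch_age_days: int

@dataclass
class Request:
    user: str
    device: Device
    resource: str
    action: str
    mfa_at: Optional[datetime]  # when MFA was last satisfied, None if never
    source_country: str
    home_country: str
    now: datetime

@dataclass
class Decision:
    allow: bool
    reason: str
    risk: int
    step_up: bool = False

AUDIT_LOG: list = []  # assume breach: every decision is recorded, allowed or not

def device_posture_ok(d: Device) -> bool:
    """A device is trusted only while it is managed, encrypted, running healthy EDR and patched."""
    return d.managed and d.disk_encrypted and d.edr_healthy and d.patch_age_days <= 30

def risk_score(req: Request) -> int:
    """Constructed additive risk model; a real engine weighs many more signals."""
    score = 0
    if req.source_country != req.home_country:
        score += 30  # travel, or a stolen credential used from elsewhere
    if req.device.patch_age_days > 14:
        score += 15  # posture still acceptable but drifting
    if req.action in ("write", "delete", "export"):
        score += 20  # higher-impact actions cost more
    if req.mfa_at is None:
        score += 25  # password-only proof of identity
    return score

def evaluate(req: Request) -> Decision:
    """Verify every time: grants, posture and risk are recomputed for each request."""
    risk = risk_score(req)
    mfa_fresh = req.mfa_at is not None and req.now - req.mfa_at <= MFA_MAX_AGE
    if req.action not in GRANTS.get(req.user, {}).get(req.resource, set()):
        decision = Decision(False, "not granted", risk)  # least privilege
    elif not device_posture_ok(req.device):
        decision = Decision(False, "device posture failed", risk)
    elif risk >= RISK_DENY:
        decision = Decision(False, "risk too high", risk)
    elif risk >= RISK_STEP_UP and not mfa_fresh:
        decision = Decision(False, "step-up MFA required", risk, step_up=True)
    else:
        decision = Decision(True, "allowed", risk)
    AUDIT_LOG.append({"user": req.user, "device": req.device.device_id,
                      "resource": req.resource, "action": req.action,
                      "from": req.source_country, "risk": risk,
                      "allow": decision.allow, "reason": decision.reason})
    return decision

def demo() -> list:
    """Run six constructed requests through the policy and return the decisions."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    good = Device("lap-01", True, True, True, 5)
    drifting = Device("lap-02", True, True, True, 20)
    byod = Device("phone-07", False, True, False, 3)
    fresh, stale = now - timedelta(minutes=5), now - timedelta(minutes=60)
    cases = [
        Request("alice", good, "payroll-db", "read", fresh, "GB", "GB", now),   # routine
        Request("alice", good, "wiki", "write", fresh, "FR", "GB", now),        # risky, MFA fresh
        Request("alice", good, "wiki", "write", stale, "FR", "GB", now),        # risky, MFA stale
        Request("alice", good, "payroll-db", "write", fresh, "GB", "GB", now),  # never granted
        Request("bob", byod, "wiki", "read", fresh, "GB", "GB", now),           # unmanaged device
        Request("alice", drifting, "wiki", "write", None, "FR", "GB", now),     # stolen-password pattern
    ]
    return [evaluate(r) for r in cases]

if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allow else "DENY", d.risk, d.reason)
```

The order of checks is deliberate: the grant check runs first so that a request for something the user was never given is refused regardless of how trustworthy the device or context looks, and the posture check runs before risk scoring so that an unmanaged or unpatched device is never offered step-up MFA as a way in. The last constructed case shows the “assume breach” side: a valid account with a valid grant on a compliant device is still refused because the combination of foreign origin, no MFA and a write action pushes the score past the deny threshold.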

It pays to establish a clear approach that will actually achieve the objectives of zero trust. Success lies in selecting a suite of tools that integrate cleanly to support the zero trust model without introducing unnecessary complexity. These tools should work together to provide the operational levers for managing the zero trust policy day to day, enhancing protection and significantly reducing the risk of a security breach.

Leyton Jefferies, 2021

Jefferies is Head of Cyber Security at CSI Ltd,