The First Steps Towards Zero Trust Security

In recent years, companies have begun storing data in multiple locations, from traditional networks to cloud vendors, and, with the rise of work from home, in virtual infrastructures like Desktop-as-a-Service (DaaS) and on remote employee-owned devices. This diversification of data storage locations is not compatible with traditional network security models that imply the protection of data from outsider threats, but fully trusting insiders. This paradigm shift has led to the rise of a new security model: Zero Trust.

Traditional IT network security is based on a so-called castle-and-moat approach which builds up a system’s defenses against outside access but trusts everyone inside the network by default. This becomes a problem when attackers manage to get inside the network: nothing prevents them from stealing data or infecting the entire network.

If properly implemented, the castle-and-moat approach effectively protects data but offers very little room for flexibility. Data must stay within the network to be protected. Once it is taken outside it, for example, when an employee works from home, it leaves the data on that device vulnerable to theft or loss.

The concept of de-perimeterization or Zero Trust emerged as data breaches became a key concern for information security professionals. In Zero Trust, all network traffic is untrusted. All resources must be verified and secured, access control must be strictly enforced, and all network traffic must be inspected and logged.

Applied as an IT security model, Zero Trust entails strict identity verification for every person and device accessing resources on a private network, regardless of whether they are located within or outside the network perimeter. As an approach to cybersecurity, Zero Trust does not mean the use of a single specific technology but incorporates several different principles.

As the cost of data breaches skyrocketed, reaching $3.86 million/breach in 2020, companies have realized the need to evolve from a traditional network-oriented security model and have begun moving towards Zero Trust security policies. But where can companies start with Zero Trust? Here are the first steps!

Protecting data at all times

Data should be protected at all times, whether it’s at rest, in transit, or in use. Data in transit and data at rest have different vulnerabilities that an effective Zero Trust security policy should address. Traditional security models focus on data leaving the network, but often neglect data stored locally because it’s within the security of the network itself.

However, it is precisely here that a castle-and-moat approach to cybersecurity fails to protect data. When the network is breached, there is nothing stopping cybercriminals from stealing vast amounts of unprotected data. There is also nothing stopping insiders from stealing or misusing data. It is therefore essential for companies to look at ways to protect data, regardless of the state it finds itself in.

This step does not only apply to endpoints but should also be applied to data stored on Software-as-a-Service (SaaS), DaaS, and cloud services. Sensitive data exported from these services should remain secured throughout its entire life cycle.

Advanced access control

Access control is a big part of Zero Trust security policies. However, prompting employees to log on every time they use a different application can hamper productivity and diminish user satisfaction. Single Sign-On (SSO) technology provides the ability for users to sign in once with their credentials and gain access to all their web applications. This reduces the number of passwords employees need to use on a daily basis and the likelihood of weak passwords.

As an extra layer of security, Multi-Factor Authentication (MFA) can be added on top of SSO. This means that, beyond just entering a username and password, users will require additional factors such as a PIN sent via SMS or authentication via mobile apps when they try to log on. SSO together with MFA ensures a level of security in line with the requirements of Zero Trust security policies.

Many software providers have begun introducing SSO and MFA technologies to their products to support companies’ adoption of Zero Trust security models. Our own Data Loss Prevention (DLP) solution, Endpoint Protector has integrated SSO and MFA for Azure Active Directory in its latest update, making it easier for administrators to securely authenticate by using just one set of credentials.

Data visibility and logging

Zero Trust security implies enhanced data visibility and monitoring of data movements. This is particularly important for sensitive categories of data, such as personally identifiable information (PII) and intellectual property which are the targets of most data breaches.

Granular logging and reporting should record all movements of sensitive data as well as the devices, applications, or employees responsible for them. Logs allow companies to detect suspicious behavior that might be a sign of data exfiltration, potential vulnerabilities in the way data is handled internally while also contributing to audit and compliance efforts.