There is no such thing as zero risk when it comes to security, no matter what size your organization is or what industry it operates in. As cybercriminals get more sophisticated and threats evolve, it’s essential to keep your organization secure with the most current cybersecurity best practices. One of those best practices to have evolved over the last year is zero trust, which means limiting access to a network by implementing a “defense in depth” strategy that consists of multiple layers of protection. So critical is zero trust, in fact, that it was a key part of the Executive Order on Improving the Nation’s Cybersecurity. But zero trust isn’t just for the federal government. Let’s look at how all organizations can protect their networks and data.
Defining Zero Trust
Traditional security operates on the “verify, then trust” principle, using firewalls, email gateways, VPNs, etc. This model means authenticated users inside the network have the keys to the kingdom — which poses some obvious risks. Zero trust seeks to negate those risks by trusting no one. The National Institute of Standards and Technology (NIST) defines a Zero Trust Architecture (ZTA) strategy as “one where there is no implicit trust granted to systems based on their physical or network location (i.e., local area networks vs. the internet). Access to data resources is granted when the resource is required, and authentication (both user and device) is performed before the connection is established.”
Zero trust, per NIST, is a “response to enterprise network trends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary. ZTA focuses on protecting resources, not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”
As the pandemic fostered the work-from-home movement, driving workers from businesses of all sizes into home and remote offices, this became a critical area of focus, and as trends point toward a continued hybrid office model, it will remain at the forefront of security measures.
Implementing Zero Trust
A zero-trust security model can be applied to any organization, regardless of size or industry. The first step is limiting access and only giving employees the bare minimum of permissions they need to perform their job duties. If an employee no longer needs access, their account should be disabled. This can help reduce the network’s attack surface and ensure that only necessary users are on it at any given time.
By authenticating all users to a centrally managed service that enforces zero-trust security, organizations can be sure any user that gains access to the network is authorized to do so, adding another layer of security. In addition, zero trust can be implemented across directory services, authentication platforms and edge security, ensuring that workers outside the corporate firewall are secure as well. By limiting access to a network in this way, it is possible to ensure that each user on the system is where they are supposed to be and only has permission to perform their job function or tasks assigned by an administrator.
RBAC and Zero Trust Security
Taking the idea of giving users the bare minimum of permissions a step further, role-based access control (RBAC) allows organizations to manage user permissions by their role within the company rather than by their identity. This is important because it ensures that users have access only to the resources they need in order to do their job. For example, a human resources employee would not need access to the company’s financial data, and vice versa. RBAC can be implemented in conjunction with zero-trust security principles to create a more secure environment for organizations of all sizes.
RBAC is one of the most important tools you have at your disposal when it comes to zero-trust security. By using RBAC in conjunction with other zero-trust security measures, businesses can reduce their risk of a data breach and keep their networks safe.
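To make the two preceding ideas concrete, here is a small added example (not code from the original article or from NIST) of a deny-by-default authorization check. It applies the zero-trust preconditions described above (the account is still enabled, and both the user and the device were verified for this request, not just at login) before consulting an RBAC table in which permissions are attached to roles rather than to individual identities. The roles, users, resources and actions are constructed sample data, and the function and field names are hypothetical.

```python
"""Deny-by-default RBAC check with zero-trust preconditions (added example).

Roles, users, resources and actions below are constructed sample data.
"""
import json
from dataclasses import dataclass

# Role -> set of (resource, action) grants. Permissions live on the role,
# never on the user, so changing someone's job means changing their role,
# not hunting for per-identity grants. (Constructed sample policy.)
ROLE_PERMISSIONS = {
    "hr": {("employee_records", "read"), ("employee_records", "write")},
    "finance": {("ledger", "read"), ("ledger", "write")},
    "auditor": {("ledger", "read")},
}


@dataclass(frozen=True)
class Principal:
    """What the central authentication service asserts about this request."""
    user: str
    roles: frozenset          # roles assigned by an administrator
    account_enabled: bool     # disabled accounts must fail even with valid roles
    user_authenticated: bool  # user authentication performed for this request
    device_attested: bool     # device authentication performed for this request


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Principal, resource: str, action: str) -> Decision:
    """Evaluate every request; no implicit trust from network location."""
    # Zero-trust preconditions come first, and any failure is a hard deny.
    if not principal.account_enabled:
        return Decision(False, "account disabled")
    if not principal.user_authenticated:
        return Decision(False, "user not authenticated")
    if not principal.device_attested:
        return Decision(False, "device not verified")
    # RBAC: the request is allowed only if some assigned role grants it.
    for role in sorted(principal.roles):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return Decision(True, f"granted via role '{role}'")
    # Default deny: no role, no unknown role, no access.
    return Decision(False, "no assigned role grants this permission")


def effective_permissions(roles) -> list:
    """Flatten a user's roles into the exact (resource, action) pairs they hold.

    Useful for periodic access reviews: anything on this list the person no
    longer needs for their job is a role to remove.
    """
    grants = set()
    for role in roles:
        grants |= ROLE_PERMISSIONS.get(role, set())
    return sorted(grants)


def audit_record(principal: Principal, resource: str, action: str,
                 decision: Decision) -> str:
    """Structured log line for every decision, denials included, so a SOC can
    alert on repeated denials from one user or one unverified device."""
    return json.dumps({
        "user": principal.user,
        "resource": resource,
        "action": action,
        "decision": "allow" if decision.allowed else "deny",
        "reason": decision.reason,
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample principals mirroring the article's HR/finance example.
    alice_hr = Principal("alice", frozenset({"hr"}), True, True, True)
    bob_finance = Principal("bob", frozenset({"finance"}), True, True, True)
    carol_left = Principal("carol", frozenset({"finance"}), False, True, True)
    for who, res, act in [(alice_hr, "employee_records", "read"),
                          (alice_hr, "ledger", "read"),
                          (bob_finance, "ledger", "write"),
                          (carol_left, "ledger", "read")]:
        print(audit_record(who, res, act, authorize(who, res, act)))
```

Two design points are worth noting. The preconditions are checked on every call, which is what distinguishes this from the “verify, then trust” model where a single login unlocks everything; and the final branch is an unconditional deny, so a typo in a role name or a role that was never defined silently grants nothing rather than something.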
Trends and technologies come and go, but security threats aren’t going anywhere, and the technology to combat them will only continue to evolve. I’m not going to quote all the terrifying security statistics here — you can find them in many other articles on security. You know the risks. Go forth and trust no one.