1 July 2024 - Ian Wharton, Technical Architect

Why it’s time to change your mindset around Zero Trust

Think of your corporate resources as gold and your network security as Fort Knox, heavily guarded with only authorised personnel able to gain access. But to achieve a Fort Knox level of security, you need robust defences capable of verifying all devices and people who interact with your network. This means adopting Zero Trust Architecture.


Changing your mindset around Zero Trust

When it comes to cybersecurity, too many organisations still treat the office as the centre of trust: secure the perimeter, and everything inside it is assumed to be safe. The rise of remote working, however, means that defining the physical and digital perimeter is no longer so simple. A hotel, a train, a home office, a cafe, a gym or any other public space with a good internet connection can now be a place of work.

And just as we’ve physically moved out of the traditional office, so has the technology. Cloud computing means that software no longer needs to live on-premises: everything from data storage to line-of-business applications is now managed in the cloud. With so many cloud service providers available, businesses can select and integrate applications from a range of sources at once, tailoring their IT estate to their needs. This spreads the ‘office network’ even further.

These advancements in IT provision are hugely beneficial for the modern workplace, but they also mean that the attack surface – the points at which bad actors can try to gain entry to a network to steal critical information or cause harm – has grown with them.

Cybercriminals are taking advantage of these new opportunities, so the traditional perimeter-based security approach is no longer sufficient.

Here, we discuss why it’s time for a change of mindset where you ‘trust nobody’ when it comes to network security.


Zero Trust Architecture – A Concept in Demand

Zero Trust Architecture (ZTA) is a security model in which every user and device is verified on every access request, whether it sits inside or outside the organisation’s network perimeter, before access is granted. Network location is no longer treated as evidence of trustworthiness.

Major corporations, including Microsoft, have begun implementing a Zero Trust model across their corporate and cloud environments. The company announced the move in 2022 and, by embracing Zero Trust in all its products, services and infrastructure, aims to lead by example and demonstrate how large enterprises can transition to this model and enhance their security posture.


When your trust is challenged

Cybercriminals are constantly evolving their tactics, exploiting vulnerabilities and using numerous, sophisticated techniques to gain unauthorised access to corporate networks.

There are frequent cases of cyberattacks that ZTA would have mitigated. For example, DNA testing and genealogy company 23andMe disclosed a severe data breach in October 2023 after attackers used credential stuffing to log into roughly 14,000 customer accounts, then used the service’s DNA Relatives feature to scrape profile data belonging to around 7 million people. Credential stuffing is the replay of username and password pairs leaked from other breaches against a new service; it relies on users having reused the same password, so the attacker does not have to guess anything. A Google survey found that 65% of people reuse passwords across multiple sites, which is why the technique is routine.
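Credential stuffing has a recognisable shape in authentication logs: one source tries a different username on almost every attempt and fails most of the time, which is the opposite of a brute-force attack that hammers a single account. The following detector is an added example written for this article, not code from 23andMe or any product; the log format, field names, IP addresses (RFC 5737 documentation ranges) and thresholds are all constructed for illustration.

```python
"""Credential-stuffing detection over constructed authentication log lines.

The signal is "many distinct usernames, mostly failures, from one source
inside a short window". A success inside such a burst is the account the
attacker actually got into and is what the responder needs to reset.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). 203.0.113.5 is a
# stuffing source, 198.51.100.7 is a single-account brute force, and
# 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=fail
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=fail
2023-10-01T12:00:02Z ip=203.0.113.5 user=carol result=success
2023-10-01T12:00:03Z ip=203.0.113.5 user=dave result=fail
2023-10-01T12:00:04Z ip=203.0.113.5 user=erin result=fail
2023-10-01T12:00:05Z ip=203.0.113.5 user=frank result=fail
2023-10-01T12:00:06Z ip=203.0.113.5 user=grace result=fail
2023-10-01T12:00:30Z ip=198.51.100.7 user=alice result=fail
2023-10-01T12:00:45Z ip=198.51.100.7 user=alice result=fail
2023-10-01T12:01:10Z ip=198.51.100.7 user=alice result=success
2023-10-01T12:05:00Z ip=192.0.2.9 user=heidi result=success
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (constructed format)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "success",
    }


def detect_credential_stuffing(log_text, window=timedelta(seconds=60),
                               min_distinct_users=5, min_failure_ratio=0.7):
    """Return {source_ip: summary} for sources that look like stuffing.

    A source is flagged when, within any sliding window, it has tried at
    least `min_distinct_users` different usernames and at least
    `min_failure_ratio` of those attempts failed. `hits` lists accounts
    that succeeded inside the burst (likely compromised).
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()                      # events inside the current window
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            users = {e["user"] for e in recent}
            failures = sum(1 for e in recent if not e["ok"])
            if (len(users) >= min_distinct_users
                    and failures / len(recent) >= min_failure_ratio):
                # Keep overwriting so the summary reflects the whole burst.
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(recent),
                    "failures": failures,
                    "hits": sorted(e["user"] for e in recent if e["ok"]),
                }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Run against the sample, only 203.0.113.5 is flagged, with `carol` listed as the account that was actually entered. The brute force from 198.51.100.7 is deliberately not caught by this rule: it targets one username, so it needs a separate per-account lockout or failure-rate rule, and both rules still leave the root cause (a reused password) in place, which is the argument for MFA in the next paragraph.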

One of the core principles of ZTA, strong verification of identity, would have better protected 23andMe; in practice that means Multi-Factor Authentication (MFA). MFA blunts password reuse by requiring a second factor on top of the username and password: a one-time code from an authenticator app, an approval on a registered device or, strongest of all, a phishing-resistant hardware security key (FIDO2/WebAuthn). With MFA enforced, a stolen or reused username and password on its own is not enough to reach corporate resources. Not all second factors are equal, though: codes sent by SMS and plain push prompts can be phished or worn down by repeated prompting, so the factor should match the sensitivity of what it protects.

Hackers don’t need years of training to penetrate an organisation’s defences. In 2022 an 18-year-old attacker gained access to Uber through social engineering, the practice of manipulating a person into handing over access rather than attacking the technology directly. According to Uber’s own account of the incident, the attacker used a contractor’s password that had been stolen by malware, repeatedly triggered MFA push notifications until the contractor accepted one, and then posed as IT support to complete the login. Once inside, the attacker reached internal systems including source code and posted provocative messages in the company’s Slack.

To fend off threats like this, and to ensure that every request, from inside or outside the corporate network, is inspected and verified, organisations need a security model with robust verification at each step: MFA for people, and certificate-based authentication (for example mutual TLS with a device-bound certificate) for devices and workloads that have no interactive user. This is a core principle of Zero Trust. The Uber case adds a practical caveat: the MFA method must itself resist fatigue and phishing, so number matching on push prompts or FIDO2 keys should be required for anything sensitive.

Whenever a resource receives an access request, the policy engine needs to know who is sending it (and how strongly that identity was proven), where it comes from, what device it comes from and in what state, and what exactly is being requested. Each of those signals feeds the decision, and the decision is made per request rather than once at login.
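The two paragraphs above describe a policy decision point that combines identity, device posture, location and the requested resource. The code below is an added example of that evaluation written for this article; it is not Microsoft’s, Uber’s or any vendor’s implementation. The resource catalogue, group names, device posture fields, the list of ‘expected’ countries and the placeholder country code XX are all constructed assumptions chosen to exercise the rules, and the thresholds (30-day patch age, which factors count as phishing-resistant) are illustrative defaults.

```python
"""Context-aware access decisions in the Zero Trust style described above.

Every request is evaluated on WHO is asking (and how that was proven),
WHICH device it comes from (posture), WHERE it comes from and WHAT is
requested. Users must present a second factor; workloads and user-less
devices authenticate with a client certificate instead. Deny by default.
"""
from dataclasses import dataclass, field

MFA_METHODS = {"totp", "fido2"}
PHISHING_RESISTANT = {"fido2", "mtls_cert"}

# Constructed resource catalogue: sensitivity tier and groups allowed in.
RESOURCES = {
    "wiki":        {"sensitivity": "low",  "groups": {"staff"}},
    "source-repo": {"sensitivity": "high", "groups": {"engineering", "build"}},
    "payroll-db":  {"sensitivity": "high", "groups": {"finance"}},
}
EXPECTED_COUNTRIES = {"GB", "IE"}   # constructed: where the organisation normally works from


@dataclass(frozen=True)
class Subject:
    name: str
    kind: str            # "user" or "workload"
    auth_method: str     # "password", "totp", "fido2" or "mtls_cert"
    groups: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    os_patch_age_days: int


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    source_country: str
    resource: str
    action: str          # "read" or "write"


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def device_compliant(d):
    """Posture check: managed, encrypted, EDR reporting healthy, patched within 30 days."""
    return d.managed and d.disk_encrypted and d.edr_healthy and d.os_patch_age_days <= 30


def evaluate(req):
    """Every check must pass; every failure is recorded so the denial is explainable."""
    s, d, reasons = req.subject, req.device, []
    res = RESOURCES.get(req.resource)
    if res is None:
        return Decision(False, [f"unknown resource {req.resource!r}"])
    high = res["sensitivity"] == "high"

    # 1. Who: a password alone never proves a user; workloads need a certificate.
    if s.kind == "user" and s.auth_method not in MFA_METHODS:
        reasons.append("users must authenticate with MFA; a password alone is insufficient")
    if s.kind == "workload" and s.auth_method != "mtls_cert":
        reasons.append("workloads must authenticate with a client certificate")

    # 2. What: least privilege through group membership on the resource.
    if not (s.groups & res["groups"]):
        reasons.append(f"{s.name} is not in a group permitted to use {req.resource}")

    # 3. Which device: posture gates sensitive data; unmanaged devices get read-only low-tier.
    if high and not device_compliant(d):
        reasons.append(f"device {d.device_id} is not compliant, required for {req.resource}")
    if not high and not d.managed and req.action != "read":
        reasons.append("unmanaged devices have read-only access to low-sensitivity resources")

    # 4. Where from: an unusual location raises the bar to phishing-resistant factors.
    if req.source_country not in EXPECTED_COUNTRIES and high \
            and s.auth_method not in PHISHING_RESISTANT:
        reasons.append(f"access to {req.resource} from {req.source_country} "
                       "requires phishing-resistant authentication")

    return Decision(allow=not reasons, reasons=reasons)


# Constructed scenarios that exercise each rule.
COMPLIANT_LAPTOP = Device("LT-0042", True, True, True, 7)
PERSONAL_LAPTOP = Device("unknown", False, False, False, 999)
CI_RUNNER = Device("ci-runner-3", True, True, True, 2)


def example_decisions():
    alice = Subject("alice", "user", "totp", frozenset({"staff", "finance"}))
    bob = Subject("bob", "user", "password", frozenset({"staff"}))
    carol = Subject("carol", "user", "fido2", frozenset({"staff", "finance"}))
    runner = Subject("ci-runner", "workload", "mtls_cert", frozenset({"build"}))
    return {
        "alice_payroll_office": evaluate(AccessRequest(alice, COMPLIANT_LAPTOP, "GB", "payroll-db", "read")),
        "alice_payroll_abroad": evaluate(AccessRequest(alice, COMPLIANT_LAPTOP, "XX", "payroll-db", "read")),
        "carol_payroll_abroad": evaluate(AccessRequest(carol, COMPLIANT_LAPTOP, "XX", "payroll-db", "read")),
        "bob_wiki_password":    evaluate(AccessRequest(bob, COMPLIANT_LAPTOP, "GB", "wiki", "read")),
        "carol_payroll_byod":   evaluate(AccessRequest(carol, PERSONAL_LAPTOP, "GB", "payroll-db", "read")),
        "runner_repo":          evaluate(AccessRequest(runner, CI_RUNNER, "GB", "source-repo", "read")),
    }


if __name__ == "__main__":
    for name, decision in example_decisions().items():
        print(f"{name}: {'ALLOW' if decision.allow else 'DENY'} {decision.reasons}")
```

Two design points matter more than the specific rules. The decision is built from independent signals and returns every reason for a denial, which is what an analyst needs when a legitimate user is blocked. And the same engine serves both people and the CI runner: the runner gets in on a client certificate and its own posture record rather than on a shared password, which is the certificate-based authentication for user-less devices mentioned above.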


Adopting a New Approach

Despite the benefits offered by ZTA, there’s still a reluctance to adopt it. Why? Zero Trust challenges the notion of implicit trust, operating on the principle of ‘never trust, always verify’, which demands a significant change in thinking from employees and IT teams accustomed to the perimeter-based security model.

Some organisations have legacy systems or applications that were not designed to work within a Zero Trust environment. With proper planning and a phased implementation these challenges can be addressed without disrupting critical business operations: legacy applications that cannot speak modern authentication can often be placed behind an identity-aware proxy or access broker that performs the identity and device checks on their behalf.

The way we work has changed and so should our security practices. It’s about working with your team to communicate the benefits of a Zero Trust approach. An effective change management strategy is central to ensuring a smooth transition.


The Future of Network Security

The ease with which ‘trusted’ corporate devices can be hijacked by cybercriminals changes the whole dynamic of network security. Businesses need to adopt a Zero Trust model that employs stringent endpoint security and treats all network connections as untrustworthy unless fully verified.

Zero Trust is a strategy that withholds visibility of, and access to, corporate resources and data until the requesting user and device have been verified. With strong access controls working alongside strict identity and device verification, Zero Trust provides the foundational security that safeguards digital assets and mitigates threats.