When It Comes to Cybersecurity, Trust No One
In a post last March 6 I mentioned the concept of “zero trust” in cybersecurity. A recent online article (https://internalaudit360.com/what-internal-auditors-must-know-about-zero-trust-networking/) explains it in detail. Although directed at internal auditors, it should be read by anyone concerned with cybersecurity.
For many years, security operated on a “trust but verify” basis: once traffic passed through a firewall or other security control, it was allowed anywhere in the network. As networks became more complicated, this approach proved inadequate. Today organizations can have dozens or even hundreds of networks on premises, in the cloud, or in virtual environments. Even small companies have officers or employees with personal devices such as smartphones connected to their network, or Internet of Things devices that bypass security controls. Modern businesses run on applications and services whose traffic may never leave the network, so controls aimed at external threats are ineffective against them. Finally, threat actors steal valid credentials through various forms of social engineering fraud.
The “zero trust” concept was introduced nearly a decade ago by Forrester Research. Its premise is that modern networks are too complex for firewalls and perimeter controls based on trust. All traffic is considered hostile and must be verified by strict authentication. Each component has a unique cryptographic identity, which allows systems to determine whether it is malicious. Authorization is configured on a “least privilege access” basis, so only users who need a particular resource can use it.
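To make the contrast concrete, here is an added example (not from the article or from Forrester) that puts the two decision models side by side: a perimeter check that trusts anything with an internal address, and a zero-trust check that verifies each request's cryptographic identity and a least-privilege policy before allowing it. The component names, keys, policy entries and addresses are constructed, and per-component HMAC keys stand in for the certificate-based identities a real deployment would use.

```python
import hmac
import hashlib
import ipaddress

# Constructed: per-component secret keys stand in for each workload's unique
# cryptographic identity (real deployments use certificates / mTLS; HMAC keeps
# this example self-contained and offline).
COMPONENT_KEYS = {
    "billing-svc": b"constructed-key-billing",
    "web-frontend": b"constructed-key-frontend",
}

# Least-privilege policy: identity -> set of (resource, action) it may use.
# Anything not listed here is denied by default.
POLICY = {
    "billing-svc": {("invoices-db", "read"), ("invoices-db", "write")},
    "web-frontend": {("invoices-db", "read")},
}

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed address range


def sign_request(identity, resource, action):
    """A component proves who it is by signing the request with its own key."""
    msg = f"{identity}|{resource}|{action}".encode()
    return hmac.new(COMPONENT_KEYS[identity], msg, hashlib.sha256).hexdigest()


def perimeter_decision(src_ip, resource, action):
    """Trust-but-verify: anything already inside the network is allowed anywhere.
    Resource and action are ignored, which is exactly the weakness."""
    return ipaddress.ip_address(src_ip) in INTERNAL_NET


def zero_trust_decision(src_ip, identity, resource, action, signature):
    """Every request is hostile until its identity proof and its authorization
    both check out. The source address plays no part in the decision."""
    key = COMPONENT_KEYS.get(identity)
    if key is None:
        return False  # unknown identity: no implicit trust for being "inside"
    expected = hmac.new(key, f"{identity}|{resource}|{action}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False  # identity proof failed
    # Least privilege: only the exact (resource, action) pairs granted to this identity.
    return (resource, action) in POLICY.get(identity, set())
```

Running the two functions on the same internal request shows the difference: an unknown device at an internal address, or a known frontend asking to write, passes the perimeter check but is denied under zero trust.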
Because compliance with regulations such as GDPR or PCI-DSS is part of normal operations, zero trust is a means of ensuring compliance.
Implementing zero trust does not require infrastructure changes. Commercial tools are available. It’s up to administrators or service providers to use them.