With Covid-19, telework has suddenly become the new normal for organizations, pushing them to open up their IT infrastructures to allow remote access. Likewise, the rise of e-commerce and logistics platforms has forced companies to allow their business partners (suppliers, customers…) to connect to their IT systems.
However, until now, the security of IT systems has mainly been of the ‘moated castle’ or ‘citadel’ type, in which access to resources (not only the systems, but also the data and applications) was tightly controlled, secured internally and completely closed to the outside world.
Given the sharp increase in the number of remotely connected devices, such as laptops, tablets and smartphones, but also IoT (Internet of Things) objects, and the exponential increase in the number of cyberattacks, it is increasingly clear that traditional security is no longer relevant. Furthermore, digital transformation is leading to the implementation of ever larger ecosystems, which require more ‘openness’. Moreover, managing this type of security is becoming a real brainteaser, especially because of the increasing complexity of the technologies and tools available.
A phased approach...
The Zero Trust principle is simple: don’t trust anyone and always check! In other words: any person trying to connect to an organization’s IT system - whether inside or outside the network perimeter - must be checked before access can be granted.
According to this definition, Zero Trust is not a technology but a global security strategy, and the success of such an approach depends on various technological, organizational and governance steps. The employee could thus be a first step in the Zero Trust process. In this case, the objective is to protect internal users and their equipment against identity theft, phishing and other cyberattacks, for example with two-factor or multi-factor authentication, or with access and privilege management. This step also makes it possible to have a global view of device security and to apply access policies to each application, in particular based on the employee’s role.
Subsequently, the workloads can be secured, especially if the company is working in a hybrid or cloud environment. Moreover, applying Zero Trust to the workloads provides better insight into the ongoing processes and is accompanied - if required - by a more detailed segmentation of the applications and the network.
Finally, the workplace is secured in order to keep absolute control over access and to identify potential threats.
… and beyond
However, a Zero Trust approach requires the continuous monitoring of privileges and authorizations as well as the creation of isolation layers in order to minimize the risk of attacks and to ensure good governance. Moreover, we must trace how privileges are granted and used, and implement the principle of least privilege. We must know very precisely which user has access to what (data, applications) at which moment, as well as the possible interactions between users. Indeed, a cybercriminal who managed to compromise a privileged user would become almost undetectable, because they would have the appearance of a trusted user.
According to Deloitte’s white paper ‘Zero Trust, a revolutionary approach to cyber or just another buzz word’, Zero Trust programs go far beyond technology and require the integration of a wide range of capabilities in order to achieve their full potential. In other words: such a strategy implies the integration and evolution of existing technologies, associated with next-generation solutions within the framework of clear roadmaps and solid architectural principles.
A never-ending story
Conceived in 2010 by John Kindervag, principal analyst at Forrester, the Zero Trust concept seems to be becoming more and more popular within companies. According to a study published in September 2020 by Gigamon, 97% of the organizations that have started their transition to Zero Trust believe that this model could help them face the current global situation. In practice, 54% of them have chosen this approach to make their network more secure and reduce risks, while 51% of them refer to data protection and the simplification of security management.
Aprico helps companies innovate and rethink their business processes, by putting security at the center of their strategic reflection. We share best practices, technologies and organizational models allowing the organization to open up to the outside world and to safely share information.