Navigating Regulations with Zero Trust: A Unified Approach to Security

United Kingdom, Feb 28, 2024

Zero Trust may seem to some like just another framework for their organisation to spend precious time on. However, discount it at your peril: implementing a well-defined Zero Trust strategy can be one of the most effective tools for protecting your organisation and saving you money in the long run. Fundamentally, it sets organisations up for cyber resilience, supports your Business Continuity and Disaster Recovery plans and ensures you're prepared for an inevitable cyber breach.

That said, you may need to focus on achieving compliance with a specific regulation before moving on to Zero Trust. Will it align with other regulations, or will it require a whole new approach? The good news is that Zero Trust strategies align quite nicely with security standards and legislation, as they are fundamentally based on best practices and leverage the requirements which other regulations stipulate, such as NIS 2018. Therefore, implementing a Zero Trust strategy enables you to meet, or even exceed, a large section of other standards and regulatory requirements.

The compliance landscape is evolving rapidly, constantly developing and changing in scope, and affecting more and more organisations of all sizes. Therefore, any opportunity to map overlapping requirements to save time and money should be explored. In addition, being in breach of one set of regulations can mean breaching several, increasing the risk of being fined by multiple regulatory bodies. CISOs are also voicing real concern about now being personally liable for cyber-attacks, both criminally and financially. So the need for a Zero Trust strategy that overlaps with many critical compliance frameworks and pieces of legislation couldn’t be higher.

Let’s take a closer look at which common regulations and frameworks align with Zero Trust.


GDPR

GDPR protects data subjects and their confidential information, whilst Zero Trust assumes that a breach has already occurred. Combining the two sets you up for supporting the requirements of GDPR. To put an example into perspective, suppose a data breach were to occur.

The ICO (Information Commissioner’s Office) provides guidance on how to manage a data breach, which involves recording all information related to the incident. Because Zero Trust assumes a breach has already occurred, it supports these GDPR requirements while also working to prevent such scenarios from happening in the first place. Furthermore, Zero Trust applies the least privilege principle, so anyone without an explicit need to access certain data cannot do so. Continuous monitoring and authentication of users are another key requirement, and this is where Zero Trust ties in nicely with GDPR. Zero Trust focuses on reducing the attack surface, meaning that potential threats have fewer entry points into an organisation’s network. Combining the two sets you up for increased compliance with GDPR and a stronger security landscape.


PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) addresses data breaches and how to prevent them, aligning well with Zero Trust, which assumes that a breach has already occurred, something which is not assumed in PCI DSS.

PCI DSS also addresses reducing the cost of data breaches. When you combine this with a correct Zero Trust implementation, you can significantly reduce the likelihood of a data breach occurring. PCI DSS further aligns with Zero Trust in that it provides security controls addressing network segmentation and continuous monitoring. There is a large focus on building and maintaining secure networks and systems, handling payment card information securely and preventing fraudulent activity. Lastly, the reduced network perimeter promoted by Zero Trust restricts access to cardholder data, showing how the two would work together.


CIS

The Centre for Internet Security (CIS) guidelines and controls cover prevention and detection of, and response to, cyber security threats, while Zero Trust trusts nothing and verifies every identity. Combining CIS with Zero Trust helps organisations take a completely proactive approach to security. CIS controls enforce additional layers of security through network segmentation, authentication methods and dynamic policy enforcement, which tie in nicely with Zero Trust principles. Therefore, combining CIS guidelines and Zero Trust principles promotes a well-rounded approach to security.


NIST Special Publication (SP) 800-53 Framework

NIST promotes a risk-based approach, and several of NIST’s frameworks support that same approach.

Firstly, there’s NIST SP 800-53, which focuses on the confidentiality, integrity and security of federal information systems. NIST SP 800-53 provides the controls for multiple frameworks, designed to shape that risk-based approach. It supports the NIST SP 800-37 Risk Management Framework (RMF) and is used in combination with NIST SP 800-207, NIST’s Zero Trust Architecture (ZTA) framework. NIST SP 800-207 focuses on logical components and on protecting resources rather than network segments. The controls from NIST SP 800-53 are often used with NIST SP 800-207, highlighting the compatibility between these frameworks.

NIST SP 800-53 is flexible and can be used with multiple frameworks, including NIST’s own ZTA framework, so if you already use NIST SP 800-53, you’re in a good place to bring Zero Trust into the picture. Together, these frameworks create a solid foundation for a strong security posture, a comprehensive approach to safeguarding information systems and the building of a ZTA.


With evolving threats in the cybersecurity landscape and many standards and regulations to comply with, implementing a Zero Trust strategy promotes best security practices and puts organisations in a good position to achieve other important standards. Zero Trust supports multiple regulations, so aligning with those regulations puts your organisation in the best position to exceed regulatory requirements and successfully implement a Zero Trust strategy.

If you are interested in implementing a Zero Trust strategy, where to start and what it could do for your organisation, Logicalis can help you.
