Zero Trust - The 3 Guiding Principles

United Kingdom, Dec 12, 2023

In a recent blog, we discussed what Zero Trust actually is and how it is the cornerstone to businesses and organisations in today’s rapidly evolving threat landscape. 

Since then, we have seen an increase in people reaching out, asking for some more detail around its principles. First, however, let’s start with a brief recap.

So, what is Zero Trust? It’s a new approach to security.

Remember, it’s not a product – it’s a strategy that’s implemented through people, processes, and technology. You cannot just buy ‘Zero Trust’. There is a lot of noise in the market, perpetuated by vendors, touting their product or feature that purports to achieve ‘Zero Trust’. How do you know who, or what, to believe? Yes, they may achieve some, perhaps many, of the Zero Trust architecture requirements. But, in reality, you will need a combination of policies, processes and technologies to achieve true and meaningful Zero Trust.

Fundamentally, Zero Trust is based on three principles:

  1. Continuously verify
  2. Least privilege access
  3. Assume breach

The Zero Trust mantra is “never trust, always verify”, and it’s based on these principles of continuous verification, applying least privilege and always assuming that you’ve been breached. Let’s take a closer look.

Continuously verify - just because you logged on yesterday using the same laptop that you’re using today, you’ll still have to verify your identity by providing more than a username and password. For example, this may be a one-time code sent to your phone, to protect against a cyber attacker using your stolen username and password.

Least privilege access - once you are authenticated and your device has been checked and found to be in good health, you’ll then be authorised with the minimum (i.e. just enough) access rights to the services and data you need in your role at that given time. Should you need more, you can readily request privileged access as required and at that time. In this way, the chance of either external or internal ‘bad actors’ having unauthorised privileged access to systems and sensitive data is mitigated. Remember, even disgruntled internal workers are a real threat to sensitive data - remember WikiLeaks? It’s all too common for people leaving an organisation to try and take sensitive data with them. With a Zero Trust approach, the likelihood and impact of this risk are significantly reduced.

Assume breach – a healthy mindset in cyber security is one of paranoia. It is not just a case of assuming we will be hacked (which we should, and we will), but that we are being hacked right now. Of course, we want to stop a breach before it occurs, but taking this approach means you are always prepared for the worst situation and in the best place to recover from it when it happens.

Components of this principle can include segmenting your network into separate, untrusted zones, encrypting your data so that it is not usable if stolen, managing back-door vulnerabilities, and enabling observability across your entire infrastructure.
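To make the three principles concrete, here is a small policy decision point that evaluates an access request the way the sections above describe. It is an added illustration written for this page, not code from the original post or from Logicalis: the roles, permissions and the one-hour elevation window are constructed sample values. Every request is re-checked for a fresh second factor and device health (continuously verify), a role only ever grants its baseline permissions and anything privileged needs an explicit, time-boxed grant (least privilege), and every decision, allowed or denied, produces an audit line so that activity from a compromised account is visible (assume breach).

```python
"""Toy Zero Trust policy decision point (added example, not from the original post).

Roles, permissions and timings below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample data: baseline ("just enough") permissions per role.
ROLE_BASELINE = {
    "analyst": {"tickets:read", "tickets:write"},
    "engineer": {"tickets:read", "repo:read", "repo:write"},
}

# Constructed sample data: permissions that can only be held via a time-boxed grant.
PRIVILEGED = {"prod-db:admin", "iam:admin"}

# Constructed fixed instant so the example is deterministic.
T0 = datetime(2023, 12, 12, 9, 0, tzinfo=timezone.utc)


@dataclass
class Elevation:
    permission: str
    expires_at: datetime


@dataclass
class AccessRequest:
    user: str
    role: str
    permission: str
    mfa_verified: bool        # a fresh second factor for this request, not just a password
    device_healthy: bool      # result of a device posture check (patched, disk encrypted, ...)
    elevation: Optional[Elevation] = None
    now: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class Decision:
    allowed: bool
    reason: str


def decide(req: AccessRequest) -> Decision:
    # 1. Continuously verify: identity and device are re-checked on every request;
    #    yesterday's successful login counts for nothing here.
    if not req.mfa_verified:
        return Decision(False, "mfa_required")
    if not req.device_healthy:
        return Decision(False, "device_unhealthy")
    # 2. Least privilege: the role's baseline permissions are all it gets by default.
    if req.permission in ROLE_BASELINE.get(req.role, set()):
        return Decision(True, "baseline_role_permission")
    # Privileged permissions need an explicit, matching, unexpired elevation.
    if req.permission in PRIVILEGED:
        e = req.elevation
        if e is None:
            return Decision(False, "elevation_required")
        if e.permission != req.permission:
            return Decision(False, "elevation_mismatch")
        if e.expires_at <= req.now:
            return Decision(False, "elevation_expired")
        return Decision(True, "time_boxed_elevation")
    return Decision(False, "not_in_role")


def request_elevation(permission: str, now: datetime, minutes: int = 60) -> Elevation:
    """Just-in-time grant that expires on its own, so privilege does not accumulate."""
    if permission not in PRIVILEGED:
        raise ValueError(f"{permission} is not an elevatable permission")
    return Elevation(permission, now + timedelta(minutes=minutes))


def audit(req: AccessRequest, decision: Decision) -> str:
    # 3. Assume breach: every decision leaves a log line, so detection has something to work with.
    return (f"{req.now.isoformat()} user={req.user} role={req.role} "
            f"perm={req.permission} allowed={decision.allowed} reason={decision.reason}")


if __name__ == "__main__":
    grant = request_elevation("prod-db:admin", T0)
    for r in (
        AccessRequest("alice", "analyst", "tickets:read", True, True, now=T0),
        AccessRequest("alice", "analyst", "tickets:read", False, True, now=T0),
        AccessRequest("bob", "engineer", "prod-db:admin", True, True, now=T0),
        AccessRequest("bob", "engineer", "prod-db:admin", True, True, grant, now=T0),
    ):
        print(audit(r, decide(r)))
```

The point to take from the example is the shape of the decision, not the specific rules: nothing is inherited from a previous session, a role never silently carries admin rights, the elevated grant carries its own expiry, and the denied requests are logged just as carefully as the allowed ones.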

By adopting these three guiding principles, you are putting your organisation in the best place to deal with the rapidly evolving, modern threat landscape. However, this is just the start. Zero Trust is a journey, not a destination. It never ends. Step one is to understand where you are today, before mapping out your next priorities. 

Consultancy services such as Logicalis’ Zero Trust Assessment can identify your current gaps, recommend next steps, and provide you with a blueprint for your Zero Trust journey. Find out more and get in touch today!
