Zero Trust is the principle that nothing, whether a person, device, object or connection, is trusted until it has proven it can be trusted. In the past, there was only one way into a corporate network, with barricades safeguarding anything of value inside it. That model gave rise to the inaccurate assumption that everything inside the walls was not a threat, and in turn it has left companies extremely vulnerable to attacks from within.
Is Zero Trust Necessary in 2022?
No matter the size of your business, the pandemic has expanded the threat perimeter of organisations across almost every industry. Cloud-based working is here to stay, and with that comes new threats. This means email and file storage applications need to be available everywhere, portable devices like laptops/phones/tablets are becoming the norm rather than the exception and third parties (SaaS, contractors, partners) need to receive, store and share sensitive data with your organisation.
Playing a game of whack-a-mole with every employee that tries to get around security controls is not the right approach. It’s a sign that security is seen as a productivity dampener in the organisation which makes it harder to start new security initiatives and convince employees to comply with and respect important policies.
A Step-by-step Guide to Implementing Zero Trust
Our general approach to cyber security until now has been to throw technology at the problem. Instead, proponents of Zero Trust recommend embracing the strategy and processes first and then leveraging technology iteratively. A strong Zero Trust framework covers identity, endpoint and data security to ensure there are no loose ends that could be exploited by attackers.
It’s important to note that Zero Trust can’t simply be ‘turned on’ and should be considered a long term transition. However, organisations can start to employ a lot of the Zero Trust tactics with minimal investment.
1. Offer secure cloud storage/collaboration solutions that are easy to use and don’t hinder productivity. Regularly coach employees on which cloud solutions they should use to prevent staff from using ‘shadow’ applications that may not be protected.
2. Review the cloud applications used throughout your business, and enforce Multi-Factor Authentication (MFA), or enable Single Sign-On with MFA via your Identity Provider if you have the technology to support it.
3. Disregard the perimeter approach, and instead secure endpoints anytime/anywhere so that employees are protected no matter when or where they want to work. Use strong, cloud-based endpoint security solutions that ideally cover host-based firewalls, web protection/visibility, application control and Endpoint Detection and Response/Next-Gen Anti-Virus. You should be able to deploy configuration, gain real-time visibility and provide protection to your endpoints entirely from the cloud.
4. Passwords shouldn’t be set to expire – expiry encourages poor password hygiene such as writing passwords down or choosing weak ones. Instead, stick to a high minimum length (14+ characters is ideal), remove the strict complexity requirements for symbols, and coach your employees that they can “set a secure password and keep it forever”.
5. Look at the native data loss prevention (DLP) controls available in your systems. If you can block data exfiltration onto unauthorised cloud apps, portable storage devices and over email, you have closed the most common data exfiltration methods.
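To make step 4 concrete, here is an added example (not code from the article or from Sekuro) that puts the legacy password policy beside the one the article recommends and shows why each accepts the passwords it does. The two policy objects, the sample passwords and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_complexity: bool      # three-of-four character class rule
    max_age_days: Optional[int]   # None means the password never expires


# Constructed policies: a typical legacy rule set versus the article's advice
# (14+ characters, no symbol/complexity requirement, no forced expiry).
LEGACY = PasswordPolicy(min_length=8, require_complexity=True, max_age_days=90)
ZERO_TRUST = PasswordPolicy(min_length=14, require_complexity=False, max_age_days=None)


def meets_complexity(pw: str) -> bool:
    """Classic rule: at least three of lower, upper, digit, symbol."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def check_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity and not meets_complexity(pw):
        problems.append("fails 3-of-4 character class rule")
    return problems


def is_expired(set_on: date, today: date, policy: PasswordPolicy) -> bool:
    """Forced rotation only applies when the policy sets a maximum age."""
    if policy.max_age_days is None:
        return False
    return today - set_on > timedelta(days=policy.max_age_days)
```

Run against "P@ssw0rd" and "correct horse battery staple", the legacy policy accepts the short, guessable password and rejects the long passphrase, while the recommended policy does the reverse.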
If this recent decade has taught us anything, it is this important takeaway: cyber security is a key factor in the success of any organisation. Implementing a Zero Trust framework can help a business of any size become more resilient, and the best thing is it doesn’t have to break the bank. To complement Zero Trust further, you will still require advanced technology solutions to have the necessary control and visibility over your organisation’s security. By beginning a Zero Trust strategy and investing in select technologies, small businesses can start securing their networks and protect themselves as they grow even bigger.
This article was first published on Inside Small Business.
How can Sekuro help?
Sekuro’s Zero Trust Strategy has been created by our team to zone in on the areas which provide the most prominent cyber security benefits, whilst being pragmatic and realistically achievable for all organisations. It was devised by cyber security professionals with years of hands-on experience in cyber security engineering, architecture and executive leadership across both private and government sectors globally.
Sekuro’s Zero Trust Strategy is a comprehensive, rational, technical cyber security review that includes detailed interviews and an assessment of your organisation against 140+ security controls, and takes approximately two weeks to complete. Speak to us today about how we can help your organisation on its Zero Trust journey and further streamline your cyber security program using our Zero Trust Strategy.
Customer CISO, Sekuro
Lee is an experienced cyber security professional with 16+ years in the technology industry. He previously worked in cyber security leadership and architecture roles inside multiple global organisations before joining Sekuro. At Sekuro, Lee helps clients with cyber security strategy, Zero Trust, Virtual CISO, mentorship, executive advisory and security architecture. He has worked with numerous clients on cyber security strategies across industries such as health, insurance, construction, manufacturing and leisure, including multiple ASX-listed companies.