I might be wrong, but "trust" seems to be one of the most overused words in the English language.

Vlad Tsyrlin & Shahim Khan

These days, just about everyone wants you to “trust” them.

Trust in a product to have “magic powers”, trust in self-driving cars to get you safely to your destination, trust in a company or a person. Our politicians seem to overuse this term on a daily basis, yet we all know the dangers of trusting politicians. Trust by its very nature implies that you are surrendering some of your better judgement in anticipation of a positive outcome, which otherwise might not be guaranteed!

While I am not entirely certain what pretense security analysts at Forrester Research used back in 2010 to coin the “zero trust” term, the “zero trust” model in fact does the opposite. The zero trust security concept introduces a belief that no one inside or outside of a company’s networks should be automatically trusted. No one should automatically gain access to a company’s systems just because they are already connected to the corporate network.

It is simple – organisations should not trust any device, any user, any client until its identity can be verified.

Why now? Why, suddenly, do we no longer trust devices we’ve allowed on our internal network in the past?

With users able to work from any place and on any device, we can no longer rely on keeping everyone safe behind a firewall.

This is particularly critical right now, given that a majority of Australian businesses are operating under some form of working-from-home scenario, which is driving the number of remote workers through the roof. It is also fuelling a meteoric rise in cyber-attacks and threats, including phishing attacks claiming to have COVID-19 related information or tools, and ransomware attacks on healthcare organisations. Zoom warrants its own mention -- a recent startup trying to meet the demand, but skipping critical security functions in the rush to market. Their customers are now paying the price through compromised security!

Zero Trust adapts to the complexity of this modern environment, embraces the mobile workforce, and protects people, devices, applications, and data wherever they are located. Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes a breach and verifies each request as though it originates from an uncontrolled network. The Zero Trust approach is based on three guiding principles:

  1. Verify explicitly.
  2. Use least privileged access.
  3. Assume a breach.

Now we have:

  • Cloud computing, which has no perimeter to defend and can’t be contained.
  • A huge variety of mobile devices that introduce a chaotic web of access points.
  • The Internet-of-Things (IoT), which uses sensors on physical objects; sensors that are notoriously difficult to control, update, and secure.

The public has loved these new technologies, but from the vantage point of cybersecurity, they have created a perfect storm. Additionally, when you throw shadow IT vulnerabilities into the mix -- the tendency of employees to introduce their own third-party software preferences or devices into a company’s network without IT’s knowledge or permission -- your company’s cybersecurity suddenly becomes the Wild West.

What is Zero Trust Security (ZTS)?

One of the key ideas behind ZTS is that there IS no protected perimeter.

Here’s a common analogy that Zero Trust advocates make when explaining the problem with the old way of doing things. Imagine if airports removed their security measures that vetted people’s identities and removed checkpoints to ensure they didn’t have anything dangerous before boarding their flight. Imagine if airport security allowed anyone to get on a plane, and then tried to vet each passenger ten minutes before departure while everyone is sitting on the plane, buckled up and ready to go. That’s essentially what’s happening in the cyber world. A packet can wander freely into a network segment and engage with an application before being required to show any credentials.

Why should I be using Zero Trust Security?

As applications move to the cloud and break down security barriers, traditional security approaches like antivirus are rendered obsolete.

Users are accessing applications from all types of devices both inside and outside of the corporate network, as business spreads out across multiple locations. To enforce high standards of protection and compliance, IT service providers need a solution that is dynamic, flexible, and simple.

We use Antivirus, EDR, and Other Threat Detection Tools. Why Isn’t This Enough?

Antivirus, EDR, and other threat detection tools only look for threats and suspicious behaviour. Therefore, they cannot distinguish between Dropbox and a piece of malware disguising itself as genuine software.

For example, in March of this year, a major vulnerability was discovered in Zoom, which exposed millions of users.

With the right policies in place, these users could have been protected. The problem is that the majority of IT professionals, utilising an outdated approach to security, focus on threat detection and fail to prevent data breaches associated with application vulnerabilities such as the one in Zoom.

Additionally, the rise of ‘Internet-of-Things’ devices on home networks introduces areas of potential compromise. Many of these devices regularly phone home to their manufacturers, and at times, are accessible from highly suspect sources.

Getting Started With Zero Trust. How Our Customers Can Benefit.

Organisations who take the time to review which applications are needed by their users, integrate logins with Azure AD or MFA, block applications that aren’t needed, and control how permitted applications can behave, are enforcing high standards of protection.
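An added example, not part of the original article: a minimal per-request policy check illustrating the three guiding principles and the application allowlisting described above. The policy contents, field names and the `decide` function are assumptions made for illustration, and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed sample policy: application names, roles and resources are illustrative.
APP_ALLOWLIST = {"outlook", "teams", "payroll-client"}   # anything else is denied by default
ROLE_RESOURCES = {                                       # least privilege: role -> resources
    "finance": {"payroll-db", "mail"},
    "engineer": {"source-repo", "mail"},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool            # identity verified explicitly for this session
    device_compliant: bool      # e.g. managed, patched, disk encrypted
    app: str                    # application making the request
    resource: str
    on_corporate_network: bool  # recorded for logging, never used to grant access

def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one request. Every check must pass; network location is no shortcut."""
    if not req.mfa_passed:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device not compliant"
    if req.app not in APP_ALLOWLIST:
        # Default deny: the app does not need to be known-bad to be blocked.
        return False, "application not on allowlist"
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, "resource outside role scope"
    return True, "allowed"

if __name__ == "__main__":
    samples = [  # constructed requests
        Request("alice", "finance", False, True, "outlook", "mail", True),
        Request("bob", "engineer", True, True, "teams", "mail", False),
        Request("carol", "finance", True, True, "dropbox-lookalike", "mail", True),
        Request("dave", "engineer", True, True, "outlook", "payroll-db", True),
    ]
    for r in samples:
        print(r.user, "inside" if r.on_corporate_network else "remote", decide(r))
```

The office user without MFA is refused while the remote user who passes every check is admitted, and the unlisted application is blocked without any detection tool having to recognise it as malicious.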

Ultimately, the way in which users operate in the complex IT world today is paving the way for a zero-trust approach. If your IT service provider has not already implemented a zero-trust solution, you might want to consider looking for someone who can offer the most up-to-date approach to security.

It is important that every business reviews the six pillars that represent a data estate:

  1. Identity
  2. Devices
  3. Applications
  4. Infrastructure
  5. Network
  6. Data

Contact Exigence to find out more about zero trust solutions

We know that information technology can sometimes be daunting. If any of these terms are unfamiliar, please contact one of our IT professionals so that we can better assess your needs and educate you on the solutions that would work best for you.
