Zero Trust Networking has been the latest buzz in the cyber security world over the last few months, and many organisations have stated that they are going to follow this directive.
What is Zero Trust?
Zero Trust Networking is an architectural foundation that is based on access control across your network and minimising access across the board. Traditional networking has been focused on the core premises of common security control management:
- External Parties – Untrusted
- Internal Users – Trusted
When it comes to Zero Trust, we now classify “Internal Users” as untrusted as well. This means that all access to related servers, applications and resources is now granted on an “as required” basis rather than trusting users by default. From a security context this is ideal, as users and administrators only have access to the items that they are required to access.
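The difference between the two models, and what it means for a cut-over, can be shown in a few lines. This is an added example, not part of the original post; the roles, resources, users and access log are constructed, and the function names are hypothetical.

```python
# Added illustration; roles, resources, users and the access log are constructed.
from collections import defaultdict

# Zero Trust: access exists only where a role explicitly requires it.
ROLE_GRANTS = {
    "finance": {"erp", "payroll-db"},
    "engineering": {"git", "build-server"},
    "helpdesk": {"ticketing"},
}
USER_ROLES = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "carol": {"helpdesk", "engineering"},  # cross-functional user
}

def perimeter_allows(source, user, resource):
    """Traditional model: anything coming from inside the network is trusted."""
    return source == "internal"

def zero_trust_allows(source, user, resource):
    """Zero Trust: network location is ignored; deny unless a role grants it."""
    granted = set()
    for role in USER_ROLES.get(user, ()):
        granted |= ROLE_GRANTS.get(role, set())
    return resource in granted

def cutover_gaps(access_log):
    """Accesses that work today but would be denied under Zero Trust.
    Each gap is either excess access to remove or an exemption to plan for."""
    gaps = defaultdict(set)
    for source, user, resource in access_log:
        allowed_today = perimeter_allows(source, user, resource)
        if allowed_today and not zero_trust_allows(source, user, resource):
            gaps[user].add(resource)
    return {user: sorted(res) for user, res in gaps.items()}

# Constructed sample of observed accesses: (source, user, resource)
ACCESS_LOG = [
    ("internal", "alice", "erp"), ("internal", "alice", "git"),
    ("internal", "bob", "payroll-db"), ("internal", "bob", "build-server"),
    ("internal", "carol", "ticketing"), ("internal", "carol", "git"),
    ("internal", "carol", "erp"), ("external", "mallory", "erp"),
]

if __name__ == "__main__":
    for user, resources in sorted(cutover_gaps(ACCESS_LOG).items()):
        print(f"{user}: review {', '.join(resources)}")
```

Running a comparison like this over real access logs before enforcement gives a list of accesses to either remove or formally grant, rather than discovering them as service tickets.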
Is Zero trust viable?
As Zero Trust is an architectural premise, it is possible for organisations to achieve this. If a business wishes to adopt this methodology, this is optimal, although there are a number of drawbacks/considerations that need to be addressed:
- Application management: For Zero trust to work effectively, you will need to be mature in your application and system management policies to ensure that users aren’t impacted during the change.
- Strong change management processes: When new applications and/or users are going to be provisioned, there needs to be a clear plan and action list related to the user requirements for access. In addition, a good understanding of the “exemptions” that may occur is required. When you first go down this path, there are going to be innumerable service tickets created, so be prepared.
- User awareness: Many users will now only be able to access data they are “authorised” to access. This may cause some dissatisfaction among the many users who act in cross-functional roles.
- Competent networking and security administrators: Due to the large number of changes that are going to occur as users and environments change, your security and networking teams need to be detailed in their user and role-based access controls. This means that they will have to review the details at the networking, server and application layers to ensure that the permissions are correct.
All of these are achievable and as a business we are about 90% there ourselves, although it took a lot of effort from the engineering team and user awareness training to achieve this level to date. You need to candidly review your processes and procedures internally and ensure that there are no gaps prior to jumping into the Zero trust world.