Before our evening of glitz and glamour at the European IT & Software Excellence Awards, some of the Intersys team headed over to The Royal Lancaster Hotel bright and early for the Channel-Sec Conference 2021. The event unites a vast array of speakers and guests within the IT and cyber security field and this year presented us with much to reflect on. The security landscape has shifted drastically in order to adapt to the pandemic and the conference gave us the opportunity to reflect, evaluate and celebrate how we provide seamless IT management and cyber security services.
The Recurring Theme: Zero Trust
We had the pleasure of listening to several speakers shedding light on the shifting dynamics and needs of their clients over the infamous year of Covid. Challenges include the drastic increase in cyber crime and security threats when so many people are working from their living rooms. A big question for IT providers today is how to keep up with the threat of cyber attacks whilst giving clients seamless working capabilities. The almost unanimous answer from Channel-Sec attendees seemed to be Zero Trust.
For those unfamiliar with the term, it goes by several names.
Zero Trust, Trust No One, Perimeter-less Security
The concept, in short, means trust no one and always verify. The idea isn't new either. It came about in the mid-90s from Stephen Paul Marsh's doctoral thesis on computational security. This is how it translates into IT security at the workplace: no member of staff is given free rein over their company's cloud-based services/infrastructure, remote connections, mobile environment, files, data, or information. An employee will only have access to what is necessary for their role within the organisation. Not even those in senior roles will have access to areas that are not necessary to their work. By default, no one is trusted. The concept also encompasses mutual authentication, such as checking the integrity of devices and identity verification.
Intersys & Zero Trust
We already utilise the concept of Zero Trust, so it was a great validation at Channel-Sec to know that we're already doing the most we can to protect our clients. Here are some thoughts on Zero Trust from Intersys staff and the senior team:
Sandra Majolagbe - Intersys IT Engineer, Queue Manager
Security access is a big deal, which is why not everyone should have access to everywhere within an organisation. We utilise a platform (IT infrastructure library - IT Glue) that teaches staff the processes with which to store data. We hold domain admin credentials so we have an all-access pass to help, organise, verify and support our clients. No matter how senior or junior someone in a company is, we need to check first whether the change request is valid and whether they're allowed to access certain areas. This can consist of file access, app downloads, security updates, machine access, changing passwords etc. We often escalate this request to a defined person, or manager (often via the phone), because it's better to be thorough with this tight form of security as it minimises risks drastically.
We also have preventative measures in place, essentially helping us detect something before it becomes a problem. Any suspicious activity is always flagged, and we can check it out. This concept extends to regulatory compliance as well. For example, taking care of confidential and sensitive information and ensuring it's deleted when appropriate to prevent GDPR breaches. It's about making it secure for everyone involved.
The Three Principles of Zero Trust according to Matthew Geyman, Intersys Owner, Managing Director
Everyone finally accepts that Passwords are Dead. However, even MFA doesn't create a fully secure environment. Zero Trust is the solution: it's not a product, but a concept. It's no one-box trick, but a whole new "way of life", when compared to the old "perimeter security" (stopping things "getting in") model. There's lots of vague talk online about what Zero Trust is, but far less substance. This has created lots of confusion and so I'll try to help explain, by using metaphors and examples to convey a basic ZTA (Zero Trust Architecture).
Zero Trust extends well-established concepts like "Least Privilege", but also adds a lot more damage limitation. Least Privilege is something we all apply in everyday life already, without considering it. For example: you may leave your gate unlocked, but only those people you trust have the front door key, fewer still know the house alarm code, and only a couple of people know both the whereabouts of (and code for) your safe containing a secret chocolate stash. Layer upon layer; only those with all the right keys, knowledge and privileges can access the safe and those wonderful cocoa truffles inside.
The First Principle: Always Verify or "Verify Explicitly"
Zero Trust steps everything up a gear. It means also confirming the identity of anyone who tries to open your garden gate, the porch, the front door, living room door, or your chocolate safe hidden in the wall behind an oil painting. It means validating their identity: even if they do have the right code, plus at every door they reach. This is "Always Verify" or "Verify Explicitly", the First Principle of Zero Trust. Real-world examples may include using MFA more comprehensively, at more points, plus better cross-checking against employee and permissions records - even more frequent HR record updates - double-checking the user really does still have a right to access that data (and wasn't fired yesterday for eating your secret chocolate stash).
Best practice Zero Trust would use a Security Operations Centre. An SOC will analyse your users, their devices, location, and behaviour to help explicitly verify their identities. Plus, only those devices which are centrally managed and known to be compliant with corporate security policy are permitted access. For example: using Conditional Access Policies to dynamically implement MFA, plus only allowing access from compliant devices, or re-prompt for MFA if their location changes. Risk based sign-in features or SSO (Single Sign On) may be used and continually verified.
Second Principle: Least Privilege
Least Privilege, the Second Zero Trust Principle, describes "need-to-know or need-to-access" and means taking more effort to create strict boundaries and segmentation. Map, understand and compartmentalise both your networks and your data, and rigidly and rigorously enforce very limited access to them. This way, access is granted only to the other pieces of software, to the other computer systems, or to the users which need them to function and were unquestionably approved. As well as VLANs, cut the links between your accounts system and stock systems, if they're not needed. Everyone in your house can eat chocolate digestives from the kitchen table, plus there's a pack of Penguin biscuits in a low cupboard, but you've got the best chocolate biscuits in a tin, at the back of a shelf in a high cupboard where the kids can't get them. Plus, only you and your partner know about that safe containing the artisan Swiss chocolatier's truffle masterpieces.
Third Principle: Assume Breach
The third and final principle of Zero Trust is "Assume Breach". This means that you're never, ever, complacent and act as if something's always being tested and compromised. Your objective is to Detect and Respond to cyber-attacks, or other vulnerabilities, or vectors for data loss as quickly as possible and to limit their scope. Further, you have the right systems and logging in place to ensure you know exactly what happened; what was accessed, or taken and when. You have a technical and operational "Playbook" or Business Continuity Plan for each scenario and know what the right course of actions are to mitigate, minimise and remediate damage, in advance.
Holistic Security
So, we see that, with its three principles of "Always Verify", "Least Privilege" and "Assume Breach", instead of just having a moat around your house (perimeter security) and trusting everyone inside, everyone is constantly challenged to prove their identity and their right to be in each room. Everyone's credentials are verified every time they try to open a door, to look in through a window, or speak with anyone else. Most areas are kept locked and individuals have some keys, but only for the limited areas to which they definitely need access, meaning they can get no further than necessary. Plus, now, guards are posted on every internal and external doorway, gateway or window. Furthermore, everyone assumes that everyone else has been stealing chocolate biscuits, so keeps a note of everything that happens and ensures that doors are always locked behind them.
Zero Trust means that your house (or castle, if you're unlucky enough to be saddled with the heating bills) is full of paranoid, Orwellian, swivel-eyed security zealots. It's not a convenient place to live, however your chocolate praline truffles are safer than ever.
If that house is your business and the truffles are your IP, Trade Secrets, or Capital, you already know that security is not convenient, but Zero Trust means your business is secure.
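To make the three principles concrete in code rather than chocolate, here is an added Python example (not code from this post, nor an Intersys or IT Glue product) of a toy access-decision engine. Every request is pushed through the principles in order: verify explicitly (active HR record, centrally managed device, MFA, and a fresh MFA prompt whenever the user's location has changed since their last granted access), least privilege (the user's role must list the resource as need-to-access), and assume breach (every decision is written to an audit log and repeated denials are surfaced for investigation). The users, devices, role map, MFA freshness window and denial threshold are all constructed for the demonstration.

```python
"""Toy Zero Trust access-decision engine (constructed example, not Intersys code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MFA_FRESH_WINDOW_SECONDS = 300  # assumed policy: MFA must be this recent after a location change
DENIAL_ALERT_THRESHOLD = 3      # assumed policy: denials per user before they are flagged

# Constructed role-to-resource map: the only resources each role has a need-to-access for.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "engineer": {"ticketing", "documentation"},
    "finance": {"accounts"},
    "warehouse": {"stock"},
}

# Constructed HR records: carol has left, so her account must be refused even with valid MFA.
HR_RECORDS: Dict[str, dict] = {
    "alice": {"role": "engineer", "active": True},
    "bob": {"role": "finance", "active": True},
    "carol": {"role": "finance", "active": False},
}

# Constructed inventory of centrally managed devices known to meet the security baseline.
COMPLIANT_DEVICES: Set[str] = {"LAPTOP-01", "LAPTOP-02"}


@dataclass
class AccessRequest:
    user: str
    device: str
    location: str
    resource: str
    mfa_passed: bool       # did the user complete MFA for this session?
    mfa_age_seconds: int   # how long ago that MFA prompt was completed


@dataclass
class ZeroTrustEngine:
    audit_log: List[dict] = field(default_factory=list)
    last_location: Dict[str, str] = field(default_factory=dict)

    def evaluate(self, req: AccessRequest) -> Tuple[bool, str]:
        """Decide one request, record the outcome (assume breach), return (allowed, reason)."""
        allowed, reason = self._decide(req)
        self.audit_log.append({
            "user": req.user, "device": req.device, "location": req.location,
            "resource": req.resource, "allowed": allowed, "reason": reason,
        })
        if allowed:
            self.last_location[req.user] = req.location
        return allowed, reason

    def _decide(self, req: AccessRequest) -> Tuple[bool, str]:
        # Principle 1: verify explicitly, at every door, even for a "known" user.
        record = HR_RECORDS.get(req.user)
        if record is None or not record["active"]:
            return False, "user unknown or no longer active in HR records"
        if req.device not in COMPLIANT_DEVICES:
            return False, "device is not centrally managed/compliant"
        if not req.mfa_passed:
            return False, "MFA not satisfied"
        previous = self.last_location.get(req.user)
        if (previous is not None and previous != req.location
                and req.mfa_age_seconds > MFA_FRESH_WINDOW_SECONDS):
            return False, "location changed since last access: fresh MFA required"
        # Principle 2: least privilege, decided purely by the role's need-to-access list.
        if req.resource not in ROLE_PERMISSIONS.get(record["role"], set()):
            return False, f"role '{record['role']}' has no need-to-access for '{req.resource}'"
        return True, "all checks passed"

    def suspicious_users(self) -> List[str]:
        """Principle 3: users whose denial count has reached the alert threshold."""
        denials: Dict[str, int] = {}
        for entry in self.audit_log:
            if not entry["allowed"]:
                denials[entry["user"]] = denials.get(entry["user"], 0) + 1
        return sorted(u for u, n in denials.items() if n >= DENIAL_ALERT_THRESHOLD)


def run_demo() -> Tuple[List[bool], List[str]]:
    """Replay a constructed sequence of requests; returns the decisions and flagged users."""
    engine = ZeroTrustEngine()
    requests = [
        AccessRequest("alice", "LAPTOP-01", "London", "documentation", True, 10),     # allowed
        AccessRequest("alice", "LAPTOP-01", "Paris", "documentation", True, 3600),    # moved, stale MFA
        AccessRequest("alice", "LAPTOP-01", "Paris", "documentation", True, 5),       # re-prompted, allowed
        AccessRequest("bob", "LAPTOP-02", "London", "accounts", True, 20),            # allowed
        AccessRequest("bob", "LAPTOP-02", "London", "stock", True, 20),               # no need-to-access
        AccessRequest("carol", "LAPTOP-02", "London", "accounts", True, 20),          # left the company
        AccessRequest("alice", "PERSONAL-PHONE", "Paris", "documentation", True, 5),  # unmanaged device
        AccessRequest("alice", "LAPTOP-01", "Paris", "documentation", False, 0),      # MFA skipped
    ]
    decisions = [engine.evaluate(r)[0] for r in requests]
    return decisions, engine.suspicious_users()


if __name__ == "__main__":
    decisions, flagged = run_demo()
    print("decisions:", decisions)
    print("flagged for investigation:", flagged)
```

The ordering matters: identity and device checks run before the permission lookup, so a leaver or an unmanaged device is refused regardless of what the role would have allowed, and the location rule only fires once a user has a previously granted location on record. The audit entries are written for every request, allowed or not, which is what lets `suspicious_users` act as a crude detection signal in the spirit of "Assume Breach".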
Intersys offers a security operations centre service for organisations of all sizes. Choose from the Silver, Gold and Platinum packages to get rock-solid protection from an industry specialist in IT security. Prices are scalable and cost far less than you might think. Find out more about SOC as a service from Intersys, or get in touch now and tell us about your requirements.