Zero Trust Security

How Zero Trust Works - As the average cost of a data breach now totals a shocking $3.86 million, network, information and cyber security needs to remain a top priority for any organisation looking to survive an increasingly challenging economic climate.

With many organisational systems being this year transformed and migrated to the new norm of remote work, now is the time for organisations to redress any policies, practices or procedures which may contribute to future data breaches.

One remedy to these issues is instituting zero trust policies and technologies; a security concept increasingly implemented across organisations of all kinds.

What is Zero Trust Security?

Put simply, zero trust security is an IT security model based on a foundational principle of ‘never trust, always verify’. Limiting unnecessary access on a continuous basis, by authenticating, authorising, and verifying actions and privileges within a network, zero trust significantly helps to mitigate the chances of a possible breach.

The concept combines a range of preventative techniques including micro segmentation, least privilege controls, strong identity verification and robust endpoint security. As neither devices nor individuals are trusted by default, a zero trust network exponentially increases the layers of security within a system.

By removing inherent trust from your network design, this holistic approach allows an organisation to contain breaches, as well as minimising the potential damage that can be caused by insider attacks, external threats, or other destructive forces.

Principles of Zero Trust

Undoubtedly any research about zero trust will turn up a variety of information, some of which may seem contradictory. Though there are many approaches outlined by security professions and zero trust advocates, at its core are some of the following principles.

External and Internal Threats are Inherent to any Network

When considering how to mitigate data breaches, your first instinct may be to place sole focus on the damage that outside actors can inflict, though the reality is those within an organisation can pose just as big a threat.

Leaving aside motivation for a moment, research shows that the number of insider threat incidents has increased by a staggering 47% in just two years, from 3,200 in 2018 to 4,716 in 2020, with the average cost rising from  $8.76 million to $11.45 million across the same time period.

Appreciating the reality of the threat vectors which jeopardise your organisation highlights much of the value that a zero trust approach offers. With the application of zero trust and least-privilege access control, the chances of both outsider and insider threats can be greatly diminished.

Monitor Network Activity

Most organisations institute some sort of monitoring process, though in ‘trust as a default’ environments, this can often be unwieldly, frequently unmanageable, and ultimately ineffective as a security protocol.

With zero trust systems and continuous monitoring, anomalous or suspicious activity is far more easily detected; allowing an organisation to inspect, analyse and act quickly against potential threats with as little disruption as possible.

By applying zero trust policies, in combination with adequate monitoring technologies, an organisation can build a granular understanding of how their networks are being navigated by their users: and by extrapolation, suspicious endpoints, devices or behaviour.

Authenticate and Authorise Every Device and User

Perhaps the most essential element to any zero trust network is building strong user identities. Understanding how users are operating inside a network is largely dependent on a robust method of user authentication.

The most common method of strong authentication, used across a huge variety of networks and services, is multi-factor authentication (MFA), typically two-factor authentication, whereby a user is required to provide two different forms of information for a verification process.

Used for banking services, social media accounts, and even us at Hut Six, 2FA adds an additional layer of protection to the authentication process. 2FA usually works by sending an additional time sensitive ‘one-time password’ (OTP) to a secondary device known to be connected to a specific user, but can also come in the form of an additional ‘security question’.

Policies According to Value

Zero trust networks should also utilise micro segmentation; the practice of breaking up security perimeters into smaller zones and maintain separate access for these individual parts or elements of the network.

Part of the least-privilege approach, data and information can be assessed in terms of its value, as well as needs of certain users in terms of access.

Though it may seem straight forward, there is probably little sense in instituting 2FA for information that is otherwise publicly shared. These sort of one-size fits all approach can be cumbersome for users and is merely instigated for the impression of security.

Whereas, for the most sensitive or confidential of information, protective measures, such as MFA is an essential element of a zero trust approach. Put succinctly, most assets are more worthy of protection than others.

How Else Can I Protect My Information?

There are many ways in which an organisation can help protect its information and mitigate the chances of data breaches and other information security threats; zero trust security being one of these methods.

Effective information security awareness training is also one of the best ways your and your organisation can reduce risk build a secure culture mindset. By alerting and educating members of staff about a broad range of vital information security topics, every member of an organisation can act as a defensive line against attackers and threats.

Hut Six offers a comprehensive and effective solution for information security awareness training. Covering a broad range of relevant topics, including insider threats, encryption, social engineering, and phishing attacks, Hut Six training allows an organisation to train, test and track your team’s progression towards an information security culture.

Hut Six cyber awareness training has a range of solutions to perfectly fit any organisation. With concise and engaging tutorials, real-life scenarios, customisable content, phishing simulator and easy-to-use LMS dashboard, you can protect against a wide range of threats and help protect your information at a cultural level.