The Zero Trust Approach to Cyber Security

Dan McCarthy
9/1/2024

Trust No One – You may have heard ‘Zero Trust’ mentioned in the media lately. It is a common buzzword being thrown around, but what does it mean for businesses’ cyber security?

With an ever-growing mobile workforce, not only has the nature of work changed, but we are now also seeing a shift in core cyber security principles. Employees need to be able to work securely from anywhere and on any device.

Zero Trust is a framework designed to enable flexible cybersecurity protection for a modern mobile workplace. Instead of believing everything behind a business’s firewall(s) is “safe”, the Zero Trust approach assumes no user is trusted by default. All users, devices and applications must authenticate before accessing business resources.

It’s important to understand that Zero Trust is a framework: not a one-off tool or piece of software that gets deployed, but a change journey through your entire IT environment.

There are 4 key principles in the framework:

  1. Never trust anything – No system, environment, or device should be trusted without verification.
  2. Always verify – At every step, re-verify that nothing has changed.
  3. Assume all networks are already breached – Essentially treat all networks as if they are free Wi-Fi at a café: likely insecure, with possible bad actors already in the network.
  4. Apply least privilege permissions – Only provide the right permissions for the user’s role and restrict the use of any administrative accounts.

Let’s consider this in the context of boarding an international flight:

Did you notice there are multiple verification steps? Zero Trust applies this same approach to cyber security when a user wants to access your company data.

This doesn’t mean users will be prompted for their username and password at each step. Behind the scenes, the system checks at each point, and if something doesn’t look right, it asks the user to reconfirm their details. This demonstrates a Zero Trust approach to security.

Why is Zero Trust important?

Modern work adoption was accelerated by the COVID-19 pandemic. An estimated 29% of New Zealand’s workforce moved quickly from centralised work locations to full-time working from home*. This rapid change resulted in a lack of education for many staff, who were not fully equipped for the cyber security challenges that working from home entailed, and cyber criminals knew it! They took advantage of the vulnerable position many businesses found themselves in by exploiting compromised devices and accessing business data.

*Data based on New Zealand Journal of Employment Relations, 45(2): 5-16

Comparing Zero Trust Network Access (ZTNA) to a traditional VPN

A subset of Zero Trust is ‘Zero Trust Network Access’ (ZTNA).

ZTNA is an architecture that encompasses technologies and processes, while still having identity verification at its core. It is likely the first technology to be implemented when moving to a Zero Trust framework.

Up until this point, Virtual Private Networks (VPNs) have been (and still are) commonly used for securing remote work. With a traditional VPN, users are authenticated once, then allowed access to the network. This means that if a VPN connection was breached by a cybercriminal, they could gain access to a business’s entire network. Using Zero Trust principles, ZTNA minimises this risk.
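The contrast between the two models, and the behind-the-scenes checking described earlier, can be sketched in a few lines. This is an added example, not code from the original article or from any ZTNA product; the role names, resources and request signals are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed role-to-resource map (least privilege); all names are hypothetical.
ROLE_RESOURCES = {"finance": {"payroll", "invoices"},
                  "engineer": {"source-code", "build-server"}}

@dataclass(frozen=True)
class Context:
    """Signals presented with a request (an assumed, simplified set)."""
    user: str
    role: str
    device_id: str
    device_compliant: bool
    network: str  # where the request comes from; never grants trust by itself

@dataclass
class Session:
    baseline: Context  # context recorded at the last successful verification

def vpn_decide(authenticated_once: bool, resource: str) -> str:
    """Traditional VPN model: one login, then every resource is reachable."""
    return "allow" if authenticated_once else "deny"

def ztna_decide(session: Session, current: Context, resource: str) -> str:
    """Evaluate one request. Returns 'allow', 'reauth' or 'deny'."""
    # Never trust: a device that fails its health check gets nothing.
    if not current.device_compliant:
        return "deny"
    # Least privilege: the role must explicitly include this resource.
    if resource not in ROLE_RESOURCES.get(current.role, set()):
        return "deny"
    # Always verify: any change since the last verification means reconfirm.
    if current != session.baseline:
        return "reauth"
    return "allow"

def reverify(session: Session, current: Context) -> None:
    """Call after the user has successfully reconfirmed their details."""
    session.baseline = current

if __name__ == "__main__":
    home = Context("alice", "finance", "laptop-1", True, "home")
    cafe = Context("alice", "finance", "laptop-1", True, "cafe-wifi")
    s = Session(home)
    print(vpn_decide(True, "source-code"))      # VPN: whole network reachable
    print(ztna_decide(s, home, "source-code"))  # outside the user's role
    print(ztna_decide(s, cafe, "payroll"))      # context changed since login
```

The user is only interrupted when `ztna_decide` returns `reauth`; unchanged, in-role requests pass silently, which matches the "no prompt at every step" behaviour described above.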

Ready to make the first step on your Zero Trust journey and move away from a traditional VPN? Get in touch by emailing hello@itpartners.co.nz