Less than zero: How Zero Trust works and why it matters
Who do you trust? If you’re serious about protecting your network, the answer is simple – absolutely nobody.
Yes, when it comes to cyber security, Fox Mulder had the right idea: Trust no one. That’s the philosophy behind Zero Trust architecture, the model that’s come to be seen as the superior approach to cyber safety.
It sounds simple enough, but how do Zero Trust protocols actually work, and why should your business implement them? Here’s what you need to know.
What is Zero Trust?
Traditionally, network security approaches have concentrated on the perimeter, and on keeping attackers out. It’s a castle-and-moat approach that requires users to pass through layers of security on the perimeter, including firewalls and VPNs, but then trusts them by default once they’re inside the network.
Unfortunately, with the growth of working from home and remote access, the widespread adoption of bring your own device (BYOD) policies, and the shift towards the cloud, the perimeter isn’t as clearly defined as it used to be. A castle-and-moat approach also does little to protect against phishing emails, stolen passwords and other common forms of social engineering that enable attackers to bypass perimeter controls.
But if the traditional approach has been ‘verify, then trust’, the Zero Trust approach is ‘verify, then verify some more’. It was developed by cybersecurity expert John Kindervag in 2010, and applies a mantra of ‘trust no one and nothing’.
A Zero Trust approach assumes that anyone inside the network may already be compromised, and requires them to be verified and authenticated frequently before they’re granted access to anything.
Essentially, it’s less like crossing the moat into the castle and having unrestricted access, and more like being chased around Bowser’s castle while he throws fireballs at you.
How does Zero Trust work?
The thing to note here is that Zero Trust isn’t the name of a specific set of tools, or a particular type of technology. Instead, it’s a mindset that underpins your approach to security.
In practice, Zero Trust relies on technologies like multifactor authentication, which requires more than one piece of evidence to confirm a user’s identity, and encryption, which renders data inaccessible without the correct decryption key, as well as AI and analytics that work in real time to validate the user’s geo-location, behaviour patterns and authentication risk.
Microsegmentation, the process of dividing data into distinct and granular security segments and then defining security controls for each segment, is also a key component of Zero Trust.
Much of that process is automated, so the user isn’t constantly being disrupted, but they’ll also periodically have their access timed out and be forced to re-enter their credentials to continue accessing the network.
Zero Trust also calls for a ‘least privilege’ policy of giving users the least amount of access they require for their role, rather than letting them have the run of the network, and reviewing those privileges regularly.
All of this restricts what’s known as ‘lateral movement’ – the techniques that attackers use to move through a network and search for data once they’re inside. If they aren’t able to reconfirm their credentials as they move through the segmented network, they can be quarantined before they can do any more damage.
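To make the per-request model described above concrete, here is a small policy-evaluation sketch added as an illustration (it is not Cryptoloc’s code or any vendor’s product). Each request is re-checked for session age, MFA freshness, device state, geo-location and a least-privilege role-to-segment grant, so an identity that was allowed into one segment gets nothing in the next, and repeated cross-segment denials trigger quarantine; the thresholds, roles, countries and segment names are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed policy values for this example (not from any real deployment).
SESSION_TTL = 30 * 60        # seconds before a session must re-authenticate
MFA_MAX_AGE = 8 * 60 * 60    # seconds an MFA proof stays acceptable
ALLOWED_COUNTRIES = {"AU"}   # geo-location allow-list
DENIAL_QUARANTINE = 3        # consecutive denials before the identity is quarantined

# Least privilege: each role is granted only the microsegments it needs.
ROLE_SEGMENTS = {
    "finance": {"finance-db"},
    "hr": {"hr-files"},
    "helpdesk": {"ticketing"},
}


@dataclass
class Request:
    user: str
    role: str
    segment: str          # microsegment the request is trying to reach
    now: int              # current time (unix seconds, constructed)
    auth_time: int        # when the session last (re)authenticated
    mfa_time: int         # when MFA was last satisfied
    country: str          # geo-IP country of the request
    device_compliant: bool


def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request from scratch: nothing is trusted because it was allowed before."""
    if req.now - req.auth_time > SESSION_TTL:
        return False, "session expired: re-authenticate"
    if req.now - req.mfa_time > MFA_MAX_AGE:
        return False, "MFA proof too old"
    if not req.device_compliant:
        return False, "device not compliant"
    if req.country not in ALLOWED_COUNTRIES:
        return False, "anomalous geo-location"
    if req.segment not in ROLE_SEGMENTS.get(req.role, set()):
        # Attempted lateral movement: this role holds no grant for the segment.
        return False, f"role {req.role!r} not permitted in {req.segment!r}"
    return True, "allow"


def probe_segments(req: Request, segments: list[str]) -> dict:
    """Simulate one identity hopping between segments; each hop is decided independently."""
    verdicts, strikes = {}, 0
    for seg in segments:
        ok, _ = decide(replace(req, segment=seg))
        verdicts[seg] = ok
        strikes = 0 if ok else strikes + 1
        if strikes >= DENIAL_QUARANTINE:
            return {"verdicts": verdicts, "quarantined": True}
    return {"verdicts": verdicts, "quarantined": False}
```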
A Zero Trust approach is also strengthened and supported by enacting Zero Knowledge protocols, in which your encryption keys are separated from your encrypted data. This way, even your data security and cloud platform providers can’t see your data.
Cryptoloc, for instance, has Zero Knowledge protocols in place for our clients. If the ethos of Zero Trust is ‘trust no one’, then the credo of Zero Knowledge is ‘I know nothing’ – shout-out to Sergeant Shultz.
Why does Zero Trust matter?
If you’re a trusting kind of person who’d prefer to look on the bright side of life, and you don’t want to believe that everyone inside your system is a potential attacker, then all of this might seem like it’s a little much.
But the frequency and impact of cybercrime is on the rise, with a recent Australian Institute of Criminology report estimating its total annual economic impact in Australia alone at $3.5 billion. For businesses and individuals alike, the impact of a hack can be catastrophic.
But that impact can be significantly reduced by adopting a Zero Trust mindset.
The recent Cost of a Data Breach Report 2021 from IBM and Ponemon, which studied the impacts of 537 real breaches across 17 countries and regions, found the average cost of a breach currently sits at US$5.04 million when Zero Trust protocols are not in place, as opposed to US$3.28 million when mature Zero Trust protocols are in place. That’s a cost difference of 42.3 per cent – and that’s only if you get breached in the first place, which is a less likely outcome with stronger security protocols in place.
Despite this, IBM and Ponemon found that only about a third of organisations have adopted a Zero Trust approach, and close to half of the organisations they studied have no plans in place to adopt one.
Use of strong encryption, a key component of Zero Trust, was a major mitigating factor. The study found that organisations using high-standard encryption (at least AES-256, for data at rest and in transit) saved an average of 29.4 per cent per breach, compared to organisations using low-standard or no encryption.
Taking a Zero Trust approach doesn’t mean you don’t have faith in the people you want to access your network. It just means you want to make life as hard as possible for the people you don’t want to access your network, and you want to take the necessary steps to protect your data – because relying on old-fashioned perimeter controls in today’s environment makes Zero Sense.