{"id":878,"date":"2021-10-13T08:44:00","date_gmt":"2021-10-13T08:44:00","guid":{"rendered":"https:\/\/dev.cryptoloc.au\/?p=878"},"modified":"2023-10-03T06:17:47","modified_gmt":"2023-10-03T06:17:47","slug":"less-than-zero-how-zero-trust-works-and-why-it-matters","status":"publish","type":"post","link":"https:\/\/127.0.0.1\/less-than-zero-how-zero-trust-works-and-why-it-matters\/","title":{"rendered":"Less than zero: How Zero Trust works and why it matters"},"content":{"rendered":"\n

Who do you trust? If you\u2019re serious about protecting your network, the answer is simple \u2013 absolutely nobody. <\/p>\n\n\n\n

Yes, when it comes to cyber security, Fox Mulder had the right idea: Trust no one. That\u2019s the philosophy behind Zero Trust architecture, the model that\u2019s come to be seen as the superior approach to cyber safety. <\/p>\n\n\n\n

It sounds simple enough, but how do Zero Trust protocols actually work, and why should your business implement them? Here\u2019s what you need to know. <\/p>\n\n\n\n

What is Zero Trust? <\/h3>\n\n\n\n

Traditionally, network security approaches have concentrated on the perimeter<\/a>, and on keeping attackers out. It\u2019s a castle-and-moat approach that requires users to pass through layers of security on the perimeter, including firewalls and VPNs, but then trusts them by default once they\u2019re inside the network. <\/p>\n\n\n\n

Unfortunately, with the growth of working from home and remote access<\/a>, the widespread adoption of bring your own device (BYOD) policies, and the shift towards the cloud, the perimeter isn\u2019t as clearly defined as it used to be. A castle-and-moat approach also does little to protect against phishing emails, stolen passwords and other common forms of social engineering that enable attackers to bypass perimeter controls. <\/p>\n\n\n\n

But if the traditional approach has been \u2018verify, then trust\u2019, the Zero Trust approach is \u2018verify, then verify some more\u2019. It was developed by cybersecurity expert John Kindervag in 2010, and applies a mantra of \u2018trust no one and nothing\u2019.<\/p>\n\n\n\n

A Zero Trust approach assumes that anyone inside the network may already be compromised, and requires them to be verified and authenticated frequently before they\u2019re granted access to anything. <\/p>\n\n\n\n

Essentially, it\u2019s less like crossing the moat into the castle and having unrestricted access, and more like being chased around Bowser\u2019s castle while he throws fireballs at you. <\/p>\n\n\n\n

How does Zero Trust work? <\/h3>\n\n\n\n

The thing to note here is that Zero Trust isn\u2019t the name of a specific set of tools, or a particular type of technology. Instead, it\u2019s a mindset that underpins your approach to security. <\/p>\n\n\n\n

In practice, Zero Trust relies on technologies like multifactor authentication, which requires more than one piece of evidence to confirm a user\u2019s identity, and encryption<\/a>, which renders data inaccessible without the correct decryption key, as well as AI and analytics that work in real-time to validate the user\u2019s geo-location, behaviour patterns and authentication risks.<\/p>\n\n\n\n

Microsegmentation, the process of dividing data into distinct and granular security segments and then defining security controls for each segment, is also a key component of Zero Trust. <\/p>\n\n\n\n

Much of that process is automated, so the user isn\u2019t constantly being disrupted, but they\u2019ll also periodically have their access timed out and be forced to re-enter their credentials to continue accessing the network. <\/p>\n\n\n\n

Zero Trust also calls for a \u2018least privilege\u2019 policy of giving users the least amount of access they require for their role, rather than letting them have the run of the network, and reviewing those privileges regularly. <\/p>\n\n\n\n

All of this restricts what\u2019s known as \u2018lateral movement\u2019 \u2013 the techniques that attackers use to move through a network and search for data once they\u2019re inside. If they aren\u2019t able to reconfirm their credentials as they move through the segmented network, they can be quarantined before they can do any more damage. <\/p>\n\n\n\n

A Zero Trust approach is also strengthened and supported by enacting Zero Knowledge protocols, in which your encryption keys are separated from your encrypted data. This way, even your data security and cloud platform providers can\u2019t see your data. <\/p>\n\n\n\n

Cryptoloc<\/a>, for instance, has Zero Knowledge protocols in place for our clients. If the ethos of Zero Trust is \u2018trust no one\u2019, then the credo of Zero Knowledge is \u2018I know nothing\u2019 \u2013 shout-out to Sergeant Schultz.<\/p>\n\n\n\n

Why does Zero Trust matter? <\/h3>\n\n\n\n

If you\u2019re a trusting kind of person who\u2019d prefer to look on the bright side of life, and you don\u2019t want to believe that everyone inside your system is a potential attacker, then all of this might seem like it\u2019s a little much. <\/p>\n\n\n\n

But the frequency and impact of cybercrime are on the rise, with a recent Australian Institute of Criminology report<\/a> estimating its total annual economic impact in Australia alone at $3.5 billion. For businesses and individuals alike, the impact of a hack can be catastrophic<\/a>. <\/p>\n\n\n\n

But that impact can be significantly reduced by adopting a Zero Trust mindset.<\/p>\n\n\n\n

The recent Cost of a Data Breach Report 2021<\/a> from IBM and Ponemon, which studied the impacts of 537 real breaches across 17 countries and regions, found the average cost of a breach currently sits at US$5.04 million when Zero Trust protocols are not in place, as opposed to US$3.28 million when mature Zero Trust protocols are in place. That\u2019s a cost difference of 42.3 per cent \u2013 and that\u2019s only if you get breached in the first place, which is a less likely outcome with stronger security protocols in place.<\/p>\n\n\n\n

Despite this, IBM and Ponemon found that only about a third of organisations have adopted a Zero Trust approach, and close to half of the organisations they studied have no plans in place to adopt one. <\/p>\n\n\n\n

Use of strong encryption, a key component of Zero Trust, was a major mitigating factor. The study found that organisations using high-standard encryption (at least 256-bit AES, for data at rest and in transit) saved an average of 29.4 per cent per breach, compared to organisations using low-standard or no encryption. <\/p>\n\n\n\n

Taking a Zero Trust approach doesn\u2019t mean you don\u2019t have faith in the people you want<\/em> to access your network. It just means you want to make life as hard as possible for the people you don\u2019t<\/em> want to access your network, and you want to take the necessary steps to protect your data \u2013 because relying on old-fashioned perimeter controls in today\u2019s environment makes Zero Sense. <\/p>\n","protected":false},"excerpt":{"rendered":"

Who do you trust? If you\u2019re serious about protecting your network, the answer is simple \u2013 absolutely nobody.  Yes, when it comes to cyber security, Fox Mulder had the right idea: Trust no one. That\u2019s the philosophy behind Zero Trust architecture, the model that\u2019s come to be seen as the superior approach to cyber safety.  […]<\/p>\n","protected":false},"author":3,"featured_media":1122,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/878"}],"collection":[{"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/comments?post=878"}],"version-history":[{"count":1,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/878\/revisions"}],"predecessor-version":[{"id":879,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/878\/revisions\/879"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/media\/1122"}],"wp:attachment":[{"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/media?parent=878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/categories?post=878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/tags?post=878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}