It may sound a little unpleasant that the company should operate with "zero trust” - but the way IT systems and services work today, it has become necessary to be able to maintain data security.
Local access and security
Previously, work and data were closely linked to specific premises with on-site computers and local networks and servers. The attacks you had to avoid were those that came from the outside. As long as you were within the company's physical walls and network, you had easy access to most information.
Complexity changes the security picture
With today's structures, the landscape has become a lot more complex. Employees may prefer to work both from home and from their cabin, and may also need access from their mobile phones when they are on holiday. In addition, the number of systems and services has grown tremendously, and the vast majority of companies use cloud services. This means that we need a new way of thinking about security.
Security is enhanced with continuous authentication
Without the company's physical walls and firewalls to protect itself, identities and authentication are the most important security tools they have.
Zero Trust is about:
→ To ensure that any identity is verified before access is given to the company's data and systems
→ There are no circumstances where one should trust that the user is who he says he is
→ Even if it seems that the user is in a place that the company considers reliable, we should not trust this
Several factors should be investigated
To be sure that the authentication itself is reliable and secure enough, one should examine several factors. It isn't sufficient enough with a password that can be guessed or leaked. A good first step is two- or multi-factor authentication, which ensures that the user trying to log in is who he says he is.
In addition, there are a number of factors the company can look at to assess the risk of logging in, so-called contextual access:
- What application or service are you trying to access? How sensitive is the data you will get access to?
- Which user is trying to access? For example, is it a regular or a privileged user?
- Which IP address does the user log in from? Is it a known or a new IP address? Is it an IP address that we have received warnings about from a monitoring service or that belongs to a known anonymization service?
- What kind of device is used? Is it a known device that has been used before, or is it new?
- Where is the user located? Is it from a place where we have offices, or is it a random place in Brazil? Is it a new place or a place that our users have visited many times before? Is it a place 1000 kilometers away from where the user was located five minutes ago?
Based on all these evaluations, one can calculate the risk at login, and set requirements for the identification based on that. For example, by requiring additional factors or simply rejecting the login completely, if you consider it too risky.
Access control and visibility
Another principle in Zero Trust is access control. In short, it is about making sure to only give users access to what they need in order to do their job.
In addition, one can segment the network based on data and user groups. If one user account with it’s access level is exposed to an attack, and the attackers gain control of the account, they will only have access to this and not much more.
The Zero Trust model recommends full visibility and logging of events, so that all traffic and login attempts can be monitored in real time and examined afterwards. In this way you can constantly learn from it and further develop authentication, risk assessment and access control.
With Zero Trust, the company ensures that the right users have the right level of access to the right services in the right context - and that the systems are able to continuously assess these factors and adapt to changes and adjustments in a smooth manner.