The COVID-19 pandemic is likely to go down in history as one of the defining moments of our lifetime. From a business perspective, it transformed business models, changed customer expectations, and disrupted the networks that run businesses. These changes are long lasting and accelerated the digital transformation journey, a journey that is now driven by cybersecurity impacts and needs.
It’s no secret that the shift to remote working at the start of the pandemic presented challenges for security professionals who were tasked with quickly mobilizing their new remote workforce and securing the network in this new environment. In this new style of working, the Zero Trust approach to network security was commonly touted as a best practice, and rightfully so. The very premise of Zero Trust is to trust no one or no thing – not even your own network – and verify that any attempt to access the network is legitimate and from an authenticated source.
As workforces dispersed due to the pandemic, the principles of a Zero Trust architecture naturally came into their own; namely: knowing users, services and data and their associated identities; assessing the behaviour of users and the health of devices and services; using policies to authorise requests and control access; authentication and authorisation of everything; and monitoring users, devices, and services.
Operational requirements and ways Zero Trust addressed them
The practices for a Zero Trust network mean specific rules are in place to govern access rights that are granted to specific users and are based upon the user’s job function, location, and other pre-defined variables. Without the ability to physically verify employees as they connect to the network remotely, these protocols came into their own as the most secure way to verify the security status of any connecting endpoint or user. The Zero Trust network denies the connection by default if the security status of a user cannot be authenticated and equally, if the connection could be verified, it is subject to a pre-determined policy for the duration of its network access.
Zero Trust networks operate under a principle of least-privilege, meaning that all programmes, processes, devices, or users are limited to the minimum privilege required to carry out their functions. The best analogy is to think of it like the government or military’s “need-to-know” policy.
Access rights don’t need to be too restrictive as they are balanced against privileges that can range from ‘full access’ to ‘no rights at all’, depending on the conditions.
Naturally, as remote working became the norm, these protocols made the most sense for dispersed networking environments. Though, many organisations may have quickly found that traditional detection and prevention technologies were insufficient to mitigate the threats posed by opportunistic actors on remote environments.
While information into how previous attacks were carried out provided some context, it could only go so far with this new way of working in a highly distributed and decentralized way. The key for many was to plan for the worst and assume a breach had occurred. This means organisations needed to consider that all networks – along with corresponding applications and devices – were insecure and that the organisation had already been breached. Both users and devices must be continuously authenticated and granted access to resources through disciplined verification. Zero Trust is not a one-and-done exercise.
However, these guiding principles provided a strong baseline for organisations that felt pressure to quickly make changes during an unprecedented time. It must be remembered that Zero Trust itself is a framework and a mindset – there are many routes to achieving it, some more successful than others. There’s no one-size-fits-all approach to achieving Zero Trust and companies will meet these principles under their own interpretations and, ultimately, will decide what works for them.
If not now, when?
One thing is for certain, the pandemic has forced many organisations to take a good, hard look at their networks and connected assets such as applications, data, and endpoints; and that has, on the whole, been a positive in the overall desire to achieve a more cybersafe and cyber-aware world. However, it’s still important for those who have applied a Zero Trust approach to realise that it is an ongoing exercise; and for those who haven’t yet adopted Zero Trust, what are you waiting for?