Zero Trust Does Not Mean Zero Access

Zero Trust cybersecurity is not new, but business leaders are exploring how Zero Trust frameworks can be implemented in their organizations because of the intensity of cyberattacks over the past few years. From the infamous SolarWinds breach to reports claiming 2024 was the worst year on record for ransomware attacks, it’s now common for everyone in the C-suite to use phrases like “Zero Trust,” “Defense in Depth,” and my personal favorite, “Assume the Breach,” in executive meetings. However, there is still some confusion about how Zero Trust security works and whether implementing it will lock down employee devices so much that it affects corporate productivity.
What is Zero Trust?
The industry-standard Zero Trust Maturity Model takes a different approach to security by assuming that people and devices are inherently insecure and that users are connecting from untrusted devices and networks, whether they sit inside or outside the corporate network. This model requires a new way of thinking: never trust, always verify, and assume a breach has already occurred. Another way of looking at it: think of your users as connecting to resources only from a guest network, rather than having a connection to the internal network with unrestricted access to all resources. This is obviously an oversimplification, but you get the picture. This mindset helps you ensure that all access is authenticated, authorized, encrypted, monitored, and audited, and of course automated so that action is taken when critical assets or data must be protected.
Micro-segmentation Protects Against Lateral Movement
Micro-segmentation should certainly be considered and is key to preventing lateral movement. It may not be an easy undertaking: it requires a complete understanding of your application data flows and all of their communications, which is probably the most challenging aspect of micro-segmentation.
Employing the Principle of Least Privilege
The Zero Trust security model requires that the principle of least-privilege access be applied to every access decision, including administrative or elevated-privilege requests. The model must answer the questions of who, what, when, where, and how secure access to critical infrastructure and data is permitted or denied whenever a resource in your environment is accessed.
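As an added illustration (not from the original post or from Blue Mantis), the who/what/when/where/how decision above can be written as a default-deny policy check in which every attribute of the request must pass and network location alone never grants access; the request fields, role names, resource name and timestamp are hypothetical:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class AccessRequest:
    user: str                   # who is asking
    roles: frozenset            # what the identity is entitled to
    mfa_verified: bool          # how the identity was proven
    device_managed: bool        # how: device enrolled in management
    device_compliant: bool      # how: device passes compliance checks
    source_network: str         # where: "corp-lan", "vpn", "guest", ...
    resource: str               # what is being accessed
    sensitivity: str            # "internal" or "critical"
    action: str                 # "read", "write" or "admin"
    when: datetime              # when the request is made
    elevation_expires: Optional[datetime] = None  # JIT admin window end, if any

def evaluate(req: AccessRequest) -> dict:
    """Default-deny decision: every check must pass. Network location is
    recorded for the audit trail but never grants access by itself, so a
    request from the corporate LAN is judged exactly like one from a guest network."""
    record = {"user": req.user, "resource": req.resource, "action": req.action,
              "network": req.source_network, "at": req.when.isoformat()}
    def deny(reason: str) -> dict:
        return {**record, "allowed": False, "reason": reason}
    if not req.mfa_verified:
        return deny("who: identity not strongly authenticated")
    if req.action == "admin" and "admin" not in req.roles:
        return deny("what: role does not include admin (least privilege)")
    if req.action == "admin" and (req.elevation_expires is None
                                  or req.when >= req.elevation_expires):
        return deny("when: no active just-in-time elevation window")
    if req.sensitivity == "critical" and not (req.device_managed and req.device_compliant):
        return deny("how: critical resource requires a managed, compliant device")
    if req.action != "read" and not req.device_compliant:
        return deny("how: non-compliant device is limited to read-only access")
    return {**record, "allowed": True, "reason": "all checks passed"}

# Constructed sample request (hypothetical user, resource and timestamp).
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
BASE = dict(user="alice", roles=frozenset({"engineer"}), mfa_verified=True,
            device_managed=True, device_compliant=True, source_network="corp-lan",
            resource="billing-db", sensitivity="critical", action="read", when=NOW)

if __name__ == "__main__":
    print(evaluate(AccessRequest(**BASE)))
    print(evaluate(AccessRequest(**{**BASE, "mfa_verified": False})))
```

The returned record is the audit entry for each decision; the same request from a guest network is allowed while one from the corporate LAN without MFA is denied, which is the "never trust, always verify" point in practice.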
The Challenge: Zero Trust Requires a Mindset Change
We must first acknowledge that we need to change our mindset and that traditional methods are not going to cut it in today’s world of increasingly complex and diverse systems. Organizations are tasked with knowing where all of their systems, data, users, and devices exist, and with the near-impossible job of keeping that inventory current.
Security threats are becoming progressively more sophisticated with each attack. We are seeing new adversary tools, tactics, and techniques daily. As we saw with the FireEye hack several years ago, when threat actors do not have the necessary tools, they may simply break in and steal them. A new mindset is necessary!
Here are three recommendations for anyone looking to adopt a Zero Trust mindset:
- Organizations must have aggressive systems monitoring, management, and defensive operations capabilities
- Assume all requests for critical resources and all network traffic may be malicious, and all devices and infrastructure may be compromised
- Accept that all access approvals to critical resources incur some level of risk, and as a consequence you should be prepared to perform rapid damage assessment, control, and recovery operations
Next Steps: Where Do We Start?
For IT leaders exploring how to integrate Zero Trust security with the popular Microsoft 365 productivity suite, I recommend the Microsoft Zero Trust Deployment Guide, as it outlines how to identify your users, groups, and devices and how to integrate your applications with your Azure AD and Entra ID infrastructure. In addition, Blue Mantis Cybersecurity experts have years of experience successfully deploying Zero Trust solutions across multiple industry verticals.
If you’d like help getting started on implementing a Zero Trust approach in your organization, reach out to your Blue Mantis Account Executive who can connect you with a Security Engineer or reach out to us!