Some organizations struggle to prevent cyberattacks because they rely on cybersecurity tools and techniques that protect only their perimeter. Perpetrators who make it past a single line of defense (such as with a username and password) can gain unfettered access to the company’s network. They can then use ransomware to block access to data or steal customer information or intellectual property.
Zero trust security was designed to address the shortcomings of a single perimeter defense. Created by an IT industry analyst, zero trust requires companies to not automatically trust users or devices. This can be particularly effective if your business relies on cloud computing or if your employees work from home or use their own devices to access your network.
Three key principles underlie zero trust:
1. Trust must be earned — often.
Zero trust requires initial and ongoing verification for every user and device entering and moving within an IT environment. For example, after users enter the correct network credentials, they must provide additional credentials to access its email system. And even after users are granted access, the system generates “timeouts” that force users and devices to reverify. This is intended to limit the amount of time a malicious actor can spend in the network.
2. Roles and business needs dictate access.
By applying the “least privilege” concept, organizations following zero trust limit access to only the data and resources users need to do their jobs. For example, an administrative assistant typically doesn’t need access to a company’s general ledger and a salesperson doesn’t require access to HR files.
Least privilege segments a company’s IT environment into secure zones, based on users’ roles. Just as ships use bulkheads to create watertight compartments to maintain buoyancy, this micro-segmentation keeps the network “afloat,” even if a segment has been compromised.
3. Multifactor authentication is essential.
Zero trust security requires verification with a high degree of confidence. Multifactor authentication (MFA) requires users to provide more than a username and password to access a network. It might entail entering a one-time password sent to a previously registered email or mobile phone. Or users might need to open a dedicated app on a mobile device and confirm that they’re seeking network access.
Building more and higher walls
If the only barrier between your IT network and a fraud perpetrator is simple perimeter security, your company’s risk of being hacked is higher than necessary. Consider adopting zero trust to build more and higher walls.