Many customers have been asking me about Zero Trust, wanting to know what it is and how it works. To explain, I’d like to take you back to Ancient Greece and the city of Troy.
If you have not seen the 2004 film featuring Brad Pitt and Eric Bana, the story goes that the Greeks waged a 10-year war on the city of Troy after Paris took Helen from her husband Menelaus, the king of Sparta.
When conventional siege tactics did not work, the construction of a great wooden horse - the emblem of Troy – was ordered and presented as a gift to the Trojans as the Greek soldiers seemingly withdrew.
Trusting the notion that they had won the war, the Trojans wheeled the horse inside the city and as night fell, the Greek soldiers hiding inside crept out, opened the gates to their countrymen and went on to sack the city, ending the war once and for all.
Of course, those familiar with cybersecurity will know that a Trojan Horse can refer to malicious malware. But the story also sets the right context for Zero Trust.
Historically, security operated like this: businesses would set up their network and if you were in, you were considered ‘trusted’. If you were outside of the network, it was challenging to access the data and information stored inside but once in, you have access to everything.
Your business is Troy in this scenario. Our aim? To keep the Greeks out and that’s where Zero Trust can help.
Times have changed and the war is now a digital one, meaning you’re likely to be guarding more than just one door. Employees are now accessing ‘the office’ from different locations and from a range of devices and that has left traditional domain-based security exposed. Especially when you consider the mix of private and public clouds and servers they are using, leaving the door open for cyberattacks.
And cybercriminals have happily made the most of the opportunity - last year in the UK, 39% of small businesses reported having a cyber security breach and 65% of medium-sized businesses identified breaches, which was significantly higher than the year before (46%).
Using a Zero Trust approach means you can support your people to work from anywhere, on any device, securely, while still protecting them and your business against threats.
Brought to the fore by then-Forrester analyst John Kindervag, Zero Trust is based on the old Russian proverb “never trust, always verify”.
It is important to note early on here that it does not mean businesses stop trusting their employees. But Zero Trust does lessen the burden on them.
In a basic sense, Zero Trust means everything is considered suspicious until proven otherwise via authentication processes placed across a business’ IT portfolio.
For example, one of your people usually uses their laptop in the office but today they are out visiting a potential customer and need to access the company sharepoint off-site. With a Zero Trust policy a Multi-Factor authentication (MFA) will kick in automatically when they try to access the sharepoint, asking them to verify their identity and sign in securely mitigating the risk of malicious domains and unauthorised sites.
Alongside device usage policies and the encouragement of regular cyber hygiene, there is still a responsibility on the employee but with additional policies and extra layers of security provided by MFA, they are considerably supported in making the right choices.
Thankfully, taking the steps to introduce a Zero Trust framework is straightforward. Here are the steps to take:
Know your data and assets
What devices are your people using? What software do they use? Talking to them and listening to what they use, what data they store where and what they need is vital and allows you to identify weaknesses.
Identify your users and partners
Once you have accessed your assets, it’s time to find out who uses them. A user directory allows businesses to uniquely identify each individual and device to assess if they should be given access.
Write the rules
Your people control whether they install the latest updates, know what a secure password looks like or remain knowledgeable about the plethora of risks out there. Help them and encourage an environment where they can be honest about what they use without recrimination.
When looking at partners and suppliers, you are also perfectly within your right to audit your supply chain and understand their own security capabilities. Don’t be afraid to set the standards you expect.
Put identity and access controls in place
It’s here where you can introduce Multi-Factor Authentication (MFA), adding a layer of security on top of passwords like biometrics or fingerprint recognition to combat human error or credential abuse.
Zero Trust is not about becoming suspicious of everyone including your people. It’s about accepting that an attack is imminent and planning accordingly, alongside making it easier for your workforce to play their part.
If only the Trojans had taken the second step of authenticating whether that giant horse was indeed a gift, perhaps their downfall could have been avoided.
Learn more about Zero Trust and how we can help you with your cybersecurity.
Around the globe, our network reaches 184 countries.
We provide the underlying transport network, the virtual overlay, and the platform to prioritise everything.