Why organisations need a Zero Trust approach to network security


Disruption continues to occur inside corporate networks and this isn’t likely to stop, meaning organisations need to change their network security mindset, according to UXC Saltbush.

Clem Colman, principal consultant at UXC Saltbush, said, “Managing information security for corporate networks has always been difficult. However, the ability to meaningfully inspect traffic coming in and out of the network isn’t keeping up with the threats. Innovations including web, digital, and cloud have accelerated the problem, giving cyber criminals new opportunities to attack.

“The other problem is that users no longer want to live inside the corporate network (the fortress, if you will); they want to access enterprise information and systems from wherever they are using whatever device they have on hand. Also, the assets organisations are charged with protecting are also rapidly decamping beyond the castle gates into the cloud. The battleground has moved and the challenge now is making sure organisations have the right capabilities in the right places for the next round.”

This challenge to deliver services securely anywhere and anytime means organisations need to decouple network security from network topology. In other words, the ability to protect assets, information, and users can no longer be contingent on them living inside the fortress; the protection needs to go with them to wherever they want to be or where market forces increasingly dictate they need to be.

Clem Colman said, “The first part of addressing this change is to avoid thinking of networks as being divided into trusted, untrusted, and semi-trusted. While such terminology isn’t entirely without value, those labels can lead to dangerous assumptions.

“For example, when a system in the trusted part of the network is compromised it can potentially leverage this trust to attack its neighbours. What’s more, it can usually do so without fear of being detected by the corporate defences, because they’re mostly focused on the boundary between trusted and untrusted parts of the network.”

A conceptual model to help organisations understand how to address this challenge is the Zero Trust Network. The premise of Zero Trust is that trust shouldn’t be assumed between network actors regardless of location. It follows that protection should be applied to the smallest indivisible network actors such as laptops, smartphones, servers, desktops, and storage.

Clem Colman said, “Zero Trust gives organisations a model for addressing the existing security challenges within the fortress: you can’t trust your neighbours just because they live in the trusted zone of the network. Zero Trust also gives us a model for dealing with users and systems that live outside the fortress because its fundamental principle has universal applicability: every network participant needs to protect itself.”

Pressure from cloud, mobile workforces, and the changing nature of corporate networks is going to disrupt much of the existing, fortress-based approach to information security. But the reality is, those defences have been crumbling for years.

Clem Colman said, “Many IT security experts are responding by either trying to extend the fortress, or build more fortresses, and that strategy will remain valid in certain situations. But Zero Trust offers organisations a model for consideration that treats the shortcomings of current security models and, equally importantly, positions them to support the likely future state of corporate networks.”