Zero Trust has gained significant momentum this year with the surge in pandemic-induced remote work, taking a fast track from security option to business priority.
In fact, recent research from Microsoft shows 51% of business leaders are speeding up their deployment of Zero Trust capabilities.
But what does Zero Trust really mean in practice and what are common misunderstandings about it? Is it even feasible for small and midmarket organizations today?
Alexandre Cagnoni, director of authentication at network security company WatchGuard Technologies, says SMBs often fear the complexity of the approach and worry they don’t have the resources to implement it.
“But this is not true!” he says. “Anyone can use this approach, it’s a methodology, not a certification. Unless you’re completely not connected to the internet, your organization could probably benefit from it.”
This is especially true in 2020. At the beginning of the pandemic, the biggest concern was providing access to applications via a VPN. Now, Cagnoni sees many companies focusing on protecting their G Suite or email apps, fearing that hackers could gain access to the very mechanism used to change passwords.
Since people are using their networks more, all it takes to attack a whole network of users is for one user to fall for a Trojan or social engineering ploy.
A quick reference for how to implement a Zero Trust approach:
- Identify the protect surface
- Map the transaction flows
- Build a Zero Trust architecture
- Create Zero Trust policy
- Monitor and maintain
Common Zero Trust misconceptions
“I’m inside the network, so my trust is 100%, no need to have security measures.”
“This is one of the reasons they created zero trust: most companies think their firewalls will protect them, but we’ve seen that once someone receives access from a single computer, they can navigate throughout the network,” Cagnoni says.
Hackers aren’t targeting a single person’s information; they’re looking for information from the entire admin network.
“I need to move all my services to the cloud, and eliminate the local network and the need for remote access or VPN.”
According to Cagnoni, most of the time, you still have some information on shared file servers that can only be accessed via a VPN.
“It’s going to be rare to go completely without a VPN. You’ll still need to ensure the right users are accessing the network.”
“Implementing a strong authentication method for my users is enough to mitigate the risk.”
When you talk about a Zero Trust approach, you hear a lot about authenticating users and devices. It’s a very important pillar of deployment. But it’s not everything.
You have to guarantee that the computer is not compromised, especially if it belongs to a remote employee.
“WFH is fine because my employees aren’t in a public place like a café.”
Companies thinking about Zero Trust need to reject this notion completely. Making sure a home network is secure is more complicated than it sounds.
You cannot guarantee that WFH employees are working in a secure environment. Consider the home a public place and build trust over time based on the user’s habits.
“I’m moving to cloud services — auto-logins are fine.”
Some cloud apps have users authenticate via a social media account. That might be great from a user standpoint, but it presents threats to cybersecurity.
Delegating credential management to the user is a mistake. They’re going to share passwords for something like Netflix — the same password, in many cases, they’ve used for their Facebook or Twitter logins.