Imagine two physical security scenarios.
In one scenario, you have an office building where people are vetted by a security guard before they enter. The guard assumes the person is trustworthy unless they do something bad or fail to follow the process—such as someone trying to break past the security barrier or having no identification. As a result, a variety of employees, vendors, and other guests continually gain access to this office building throughout the day.
In another scenario, you have an office building where people are vetted more thoroughly. Rigorous credentials (such as a special ID that is difficult to acquire) are required, biometrics are used as another factor of authentication, and strict protocols (such as an employee escort) are in place concerning vendors and guests entering the building. Security cameras are also monitored regularly to look for suspicious behavior—even watching people already inside.
The first scenario encapsulates many office buildings you may have entered with loose security. The second scenario probably brings to mind places such as the Pentagon, K-12 schools, or airplanes. When you want more safety, you must trust people less and verify more.
Trusting less and verifying more is the principle behind the cybersecurity concept of “zero trust.” Cybersecurity is evolving to the point where we cannot rely solely on traditional tools such as firewalls, antivirus, and VPNs. In other words, you cannot assume that anything that makes it past the perimeter into your network is good.
While the concept of zero trust has matured over time and now heavily influences cybersecurity today, it’s also a complicated set of strategies, processes, and tools that even large organizations struggle to implement. However, that doesn’t mean you cannot take some steps toward zero trust that will help better secure your organization.
Here are five ways you can begin shifting toward a zero trust approach.
Multi-factor authentication (MFA) is an easy way to increase the strength of your authentication processes, especially for devices and software that may exist outside of your network. For example, if you allow employees to work on their own personal devices or use cloud applications, then MFA adds an extra layer of login security by requiring another step, such as entering a code sent to an employee’s phone.
Today, many data breaches occur when a cyberattacker uses stolen employee credentials to get inside your network. MFA presents a barrier that makes it more difficult for a cyberattacker to use those credentials, and it’s also a way to better verify that employees are actually logging in.
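The one-time-code step described above, as an added example that is not part of the original article: a server-side verifier for RFC 4226 HOTP / RFC 6238 TOTP codes (the kind an authenticator app shows), written in Python. The secret is the published RFC test-vector secret, used only so the values can be checked; `TotpVerifier`, `window` and the replay set are this example's own names. Beyond the article's description, it handles two edge cases a verifier must get right: clock drift between phone and server, and replay of a code that was captured while still valid.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted one-time code.

    Two failure modes a naive string comparison misses are handled here:
    * clock drift between phone and server: codes from `window` adjacent
      time steps are accepted;
    * replay: each counter value is accepted only once, so a code captured
      in transit cannot be reused inside its validity window.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self._used_counters: set[int] = set()  # replay guard (per user in practice)

    def verify(self, submitted: str, at_time: int) -> bool:
        counter = at_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time comparison so the check does not leak timing information
            if hmac.compare_digest(expected, submitted):
                if candidate in self._used_counters:
                    return False  # replayed code: refuse even though it matches
                self._used_counters.add(candidate)
                return True
        return False


# Constructed demo value: this is the RFC 4226 / RFC 6238 test-vector secret,
# not a real key. A production secret is random and stored per user.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET)
    print(totp(DEMO_SECRET, 59))              # code valid at Unix time 59
    print(verifier.verify("287082", 59))      # True: correct code, first use
    print(verifier.verify("287082", 59))      # False: same code replayed
```

The replay set is kept in memory here; a real deployment stores the last accepted counter per user so that the guard survives restarts and works across servers.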
Inspired by our second scenario in the introduction, application whitelisting works by not allowing an application to run on your network unless it has been given explicit permission to do so. This is a strict form of cybersecurity to ensure that only known applications can access your network.
With some application whitelisting tools, you can also set restrictions around what a permitted application can do. For example, you may decide that an application can perform its intended tasks but not connect to other applications or connect to the internet.
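A deny-by-default allowlist of the kind the two paragraphs above describe, as an added example and not code from the original article or any product: approval is keyed by the SHA-256 of the executable rather than its name, and each approved entry carries the capabilities it may use, so a permitted program can still be refused internet access. `AllowEntry`, `Decision`, `ApplicationAllowlist` and the sample byte strings standing in for binaries are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowEntry:
    name: str                 # human-readable label only; enforcement is by hash
    sha256: str               # hex digest of the approved binary
    capabilities: frozenset   # what the approved binary may do, e.g. {"local_db"}


@dataclass(frozen=True)
class Decision:
    may_run: bool
    blocked: frozenset        # requested capabilities that were refused
    reason: str


class ApplicationAllowlist:
    """Deny-by-default execution policy keyed by file hash, not file name."""

    def __init__(self, entries):
        self._by_hash = {e.sha256: e for e in entries}

    def decide(self, content: bytes, requested: frozenset) -> Decision:
        digest = hashlib.sha256(content).hexdigest()
        entry = self._by_hash.get(digest)
        if entry is None:
            # Unknown hash: a file merely named like an approved program is refused,
            # and so is an approved program whose bytes were modified.
            return Decision(False, requested, "not on allowlist (sha256 %s...)" % digest[:12])
        blocked = requested - entry.capabilities
        if blocked:
            return Decision(True, blocked, "%s may run; refused: %s" % (entry.name, sorted(blocked)))
        return Decision(True, frozenset(), "%s may run with all requested capabilities" % entry.name)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "binaries": byte strings stand in for real executables.
APPROVED_PAYROLL = b"constructed payroll application build 1.0"
TAMPERED_PAYROLL = b"constructed payroll application build 1.0 + injected code"
APPROVED_VIEWER = b"constructed document viewer build 2.3"

ALLOWLIST = ApplicationAllowlist([
    # Payroll may talk to the internal database but never to the internet.
    AllowEntry("payroll", sha256_hex(APPROVED_PAYROLL), frozenset({"local_db"})),
    # The viewer only needs to read files: no network, no talking to other apps.
    AllowEntry("viewer", sha256_hex(APPROVED_VIEWER), frozenset({"read_files"})),
])

if __name__ == "__main__":
    print(ALLOWLIST.decide(APPROVED_PAYROLL, frozenset({"local_db"})))
    print(ALLOWLIST.decide(APPROVED_PAYROLL, frozenset({"local_db", "internet"})))
    print(ALLOWLIST.decide(TAMPERED_PAYROLL, frozenset({"local_db"})))
```

Hashing the content rather than trusting the path is what makes the third call fail: the tampered copy has the same name as the approved payroll program but a different digest, so it is treated as unknown.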
The concept of “least privilege” must enter your vocabulary if you wish to enhance your cybersecurity. It’s not uncommon to find people with administrative access to servers when they don’t need it, customer service representatives with access to sensitive PII and health-related information that’s not required for them to do their job, or vendors with unnecessary access to sensitive and confidential information.
Instead, you need a more granular approach where information permissions can be set based on an employee’s or vendor’s role. Then, these people will only access the information they need to do their job.
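The role-based, field-level permissions the two paragraphs above call for, as an added example that is not from the original article: a small policy table maps each role to the resources, actions and fields it may touch, and anything absent from the table is denied. The roles, field names and the customer record are constructed for the example; it goes slightly beyond the text by also gating updates, so a clinician can edit health notes while a customer service representative cannot even read them.

```python
# Role -> resource -> action -> fields. Anything not listed is denied, so the
# "ssn" field below is visible to nobody because no role names it.
ROLE_PERMISSIONS = {
    "customer_service": {
        "customer": {"read": {"id", "name", "email", "open_tickets"}},
    },
    "billing": {
        "customer": {"read": {"id", "name", "billing_address", "card_last4"}},
    },
    "clinician": {
        "customer": {
            "read": {"id", "name", "date_of_birth", "health_notes"},
            "update": {"health_notes"},
        },
    },
}


def is_permitted(role: str, resource: str, action: str) -> bool:
    """True only if the role has an explicit grant for this action on this resource."""
    return action in ROLE_PERMISSIONS.get(role, {}).get(resource, {})


def allowed_fields(role: str, resource: str, action: str) -> set:
    return set(ROLE_PERMISSIONS.get(role, {}).get(resource, {}).get(action, set()))


def view(role: str, resource: str, record: dict) -> dict:
    """Return only the fields the role may read; refuse roles with no read grant."""
    if not is_permitted(role, resource, "read"):
        raise PermissionError(f"{role!r} may not read {resource}")
    fields = allowed_fields(role, resource, "read")
    return {k: v for k, v in record.items() if k in fields}


def update(role: str, resource: str, record: dict, changes: dict) -> dict:
    """Apply `changes` only if every changed field is in the role's update grant."""
    if not is_permitted(role, resource, "update"):
        raise PermissionError(f"{role!r} may not update {resource}")
    refused = set(changes) - allowed_fields(role, resource, "update")
    if refused:
        raise PermissionError(f"{role!r} may not update {sorted(refused)}")
    return {**record, **changes}


# Constructed sample record; none of these values are real.
CUSTOMER_RECORD = {
    "id": 1042,
    "name": "Ada Example",
    "email": "ada@example.com",
    "open_tickets": 2,
    "billing_address": "1 Example Street",
    "card_last4": "4242",
    "ssn": "000-00-0000",
    "date_of_birth": "1990-01-01",
    "health_notes": "constructed sample note",
}

if __name__ == "__main__":
    print(view("customer_service", "customer", CUSTOMER_RECORD))
    print(view("clinician", "customer", CUSTOMER_RECORD))
    try:
        view("vendor", "customer", CUSTOMER_RECORD)
    except PermissionError as err:
        print("denied:", err)
```

The useful property is that adding a new sensitive field to the record grants nothing by itself: a role sees it only once someone deliberately adds it to that role's grant.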
Single sign-on (SSO) can help your organization in many ways, all with the end result of better authenticating people who access your systems. With SSO, you can eliminate the need for multiple passwords across different applications, enforce a strong password policy in one place, and better monitor and manage who has access to your systems. As mentioned in the “least privilege” point above, SSO also allows you to set specific access controls per application. Again, this is another tool that helps strengthen authentication—a key aspect of zero trust security.
When a user attempts to log into an application or a device connects to your network, you need to vet these actions with a zero trust mentality. That means:
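The per-request vetting the paragraph above calls for, as an added example that is not part of the original article: a policy function that evaluates every login or device connection against the signals the earlier points introduced (identity, second factor, device state, role, session age) and denies on any failed check. The directory entries, device inventory, `REVERIFY_AFTER` interval and the `from_office_network` flag are constructed for the example; the flag is present only to show that being inside the network earns no trust, since the function never reads it.

```python
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str
    app: str
    device_id: str
    mfa_verified: bool
    session_started: int        # Unix time at which this session authenticated
    from_office_network: bool   # deliberately NOT consulted by evaluate()


# Constructed directory data; a real deployment reads these from the identity
# provider and the device management system.
USERS = {
    "ada": {"active": True, "roles": {"finance"}},
    "bob": {"active": False, "roles": {"finance"}},   # bob has left; account disabled
}
DEVICES = {
    "laptop-ada-01": {"owner": "ada", "disk_encrypted": True, "patched": True},
    "laptop-ada-02": {"owner": "ada", "disk_encrypted": True, "patched": False},
}
APP_ROLES = {"payroll": {"finance"}, "wiki": {"finance", "engineering"}}
REVERIFY_AFTER = 8 * 3600   # seconds after which a session must re-authenticate


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # every failed check, for the audit log


def evaluate(req: AccessRequest, now: int) -> Decision:
    """Check all signals on every request; a single failed check denies.
    Network location is not a signal: `from_office_network` is ignored."""
    reasons = []
    user = USERS.get(req.user)
    if user is None or not user["active"]:
        reasons.append("user unknown or deactivated")
    if not req.mfa_verified:
        reasons.append("second factor not verified")
    device = DEVICES.get(req.device_id)
    if device is None:
        reasons.append("device not registered")
    else:
        if device["owner"] != req.user:
            reasons.append("device registered to another user")
        if not (device["disk_encrypted"] and device["patched"]):
            reasons.append("device not compliant")
    if user and not (user["roles"] & APP_ROLES.get(req.app, set())):
        reasons.append(f"no role grants access to {req.app}")
    if now - req.session_started > REVERIFY_AFTER:
        reasons.append("session too old; re-authentication required")
    return Decision(not reasons, reasons)


if __name__ == "__main__":
    now = 1_000_600
    print(evaluate(AccessRequest("ada", "payroll", "laptop-ada-01", True, 1_000_000, False), now))
    print(evaluate(AccessRequest("ada", "payroll", "laptop-ada-02", True, 1_000_000, True), now))
    print(evaluate(AccessRequest("bob", "payroll", "laptop-ada-01", True, 1_000_000, True), now))
```

Collecting every failed reason rather than stopping at the first one matters for operations: the denial log then shows whether a user was blocked by a single unpatched laptop or by several independent problems worth investigating.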
---
If you want to learn more about zero trust, check out NIST’s Special Publication 800-207. It covers zero trust basics, components of a zero trust architecture, and migration tips in more detail. And if you’d like to enhance your cybersecurity with more of a zero trust mindset, then fill out the form below.