When it comes to protection and prevention in cybersecurity, the reality today is that most organizations still take a reactive rather than a proactive stance.
However, with the rise in cyber incidents and attacks, and the growing complexity of technologies and attack techniques, the opposite posture is becoming increasingly necessary: one based on continuous observation and on strengthening the ability to adapt, in real time, to any change in the scenario.
This paradigm shift is already on the table. It consists of moving to a more restrictive, stricter prevention and protection model that avoids and mitigates problems more effectively and efficiently. In this sense, the Zero Trust model proposes "be aware of everything, at all times, without assuming beforehand that the points or elements analyzed are good and therefore deserve our trust".
The RAE (the Spanish Royal Academy dictionary) defines trust as "firm hope placed in someone or something" and "the confidence someone has in themselves (or in someone or something)". Therefore, no trust, distrust, or zero trust should be the opposite: "the absence of firm hope placed in someone or something", "the lack of confidence someone has in themselves (or in someone or something)".
That is the focus of Zero Trust: a priori, trust absolutely nothing, however reliable it appears. This approach challenges the traditional notion of implicit trust inside corporate networks, on the premise that no identity, user or device should be trusted automatically, regardless of its appearance, the information it presents, its location or its position on the network.
Transferred to the technological field, the term Zero Trust can be defined as a cybersecurity posture that constantly distrusts any user or device that tries to access a network, including those already inside it (internal actors such as insiders and internal devices).
This posture requires a change of attitude, model and paradigm: from "first trust, then verify" to "first distrust, and constantly verify every element analyzed".
Going into a little more detail, Zero Trust is based on:
- Continuous verification: constantly checking the authenticity, consistency, permissions and authorizations of each element (users and devices) on every access, instead of trusting them by default or because a session was once established.
- Identity and access management (IAM): always using multi-factor authentication (2FA, MFA) to confirm the identity of a user.
- Least privilege: granting only the minimum access and the most basic permissions or capabilities needed to perform a given task, whether from within the organization's corporate network or cloud, or from internal, external, corporate or personal devices (BYOD, Bring Your Own Device) under device management (MDM, Mobile Device Management).
- Microsegmentation: limiting the attack surface by dividing the corporate network into smaller segments that are easier to monitor and control, so that reaching one segment does not imply reaching the rest.
- Dynamic segmentation: moving from the classic model of static analysis of the corporate network perimeter and its security to an inspection model that covers traffic across the whole network, including east-west traffic between internal systems.
- Analysis of patterns and behaviors: continuously checking the communications, transactions, actions and activities that take place, detecting which of them are unusual and can be treated as potential threats.
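As an added example (not code from the original post or from Zerolynx), the following Python sketches a policy decision point that applies the principles above to every single request: MFA freshness, device posture, microsegmentation, least privilege and a simple behavioral check, with deny as the default. The resource names, segments, roles and thresholds are assumed for illustration and are constructed inline.

```python
"""Minimal Zero Trust policy decision point (illustrative, assumed data).

Every request is evaluated from scratch; nothing is trusted because the
caller is "inside" the network or because an earlier request was allowed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy data for the example. Microsegmentation: each resource
# lives in one segment and may only be reached from listed source segments.
# Least privilege: each action on a resource maps to the roles allowed to do it.
RESOURCES = {
    "payroll-db": {
        "segment": "finance",
        "reachable_from": {"finance", "admin-jump"},
        "actions": {"read": {"payroll"}, "write": {"payroll-admin"}},
        "mfa_max_age_s": 900,  # sensitive data: MFA must be under 15 minutes old
    },
    "wiki": {
        "segment": "corp",
        "reachable_from": {"corp", "vpn"},
        "actions": {"read": {"employee"}, "write": {"employee"}},
        "mfa_max_age_s": 8 * 3600,
    },
}

POSTURE_MAX_AGE_S = 300  # device posture must have been re-checked in the last 5 minutes


@dataclass
class Request:
    user: str
    roles: set
    device_managed: bool
    device_compliant: bool
    posture_checked_at: float          # epoch seconds of the last posture check
    mfa_verified_at: Optional[float]   # epoch seconds of the last MFA, None if never
    source_segment: str
    resource: str
    action: str
    baseline_segments: set = field(default_factory=set)  # segments this user normally works from


@dataclass
class Decision:
    allowed: bool
    reasons: list


def evaluate(req: Request, now: float) -> Decision:
    """Return an explicit allow only if every check passes; report all failures."""
    reasons = []
    res = RESOURCES.get(req.resource)
    if res is None:
        return Decision(False, ["unknown resource"])

    # Identity: MFA must exist and be fresh enough for this resource (continuous verification).
    if req.mfa_verified_at is None:
        reasons.append("no MFA")
    elif now - req.mfa_verified_at > res["mfa_max_age_s"]:
        reasons.append("MFA too old, re-authentication required")

    # Device: managed, compliant and recently verified; being on the LAN proves nothing.
    if not req.device_managed:
        reasons.append("unmanaged device")
    if not req.device_compliant:
        reasons.append("device not compliant")
    if now - req.posture_checked_at > POSTURE_MAX_AGE_S:
        reasons.append("device posture check stale")

    # Microsegmentation: the source segment must be explicitly allowed to reach the target segment.
    if req.source_segment not in res["reachable_from"]:
        reasons.append(f"segment {req.source_segment} may not reach {res['segment']}")

    # Least privilege: the action must exist for the resource and one of the user's roles must permit it.
    allowed_roles = res["actions"].get(req.action)
    if allowed_roles is None:
        reasons.append(f"action {req.action} not defined for resource")
    elif not (req.roles & allowed_roles):
        reasons.append(f"no role permits {req.action}")

    # Behavior: a request from a segment this user never works from is anomalous; step up, do not allow silently.
    if req.baseline_segments and req.source_segment not in req.baseline_segments:
        reasons.append("unusual source segment for this user, step-up required")

    return Decision(not reasons, reasons)


if __name__ == "__main__":
    now = 1_000_000.0
    ok = Request("alice", {"payroll"}, True, True, now - 60, now - 100,
                 "finance", "payroll-db", "read", {"finance"})
    print(evaluate(ok, now))
    moved = Request("alice", {"payroll"}, True, True, now - 60, now - 100,
                    "corp", "payroll-db", "read", {"finance"})
    print(evaluate(moved, now))
```

Note that the decision lists every failed check rather than stopping at the first one: an operator (or a SOC pipeline) then sees at once whether a denial came from a stale device posture, a segment boundary, or a missing role, and the "unusual source segment" reason is a natural hook for step-up authentication instead of a hard deny.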
This is, in very broad terms, the philosophy behind this new paradigm of continuous and generalized distrust. Carrying the strategy through to tactics and operations requires certain changes in the organization:
- The organization must communicate this new strategy clearly at every organizational level.
- A specific evaluation or risk analysis should be carried out of what the paradigm shift will mean, and the adoption of the zero trust model should be adapted to its results.
- The organization must drive a change in mentality, so that employees move from working on a "trust by default" basis to the zero trust model of "always verify before allowing".
- Once that mindset is in place, employees must be made aware of and trained in the new ways of working, the new safe practices and the best practices of the zero trust model.
- Next, the company must acquire, adopt, implement and roll out the most appropriate security tools (WAF, Web Application Firewall; IAM, Identity and Access Management; perimeter security; a SOC; etc.) that apply and align with the new model of distrust. A factor to analyze here is the technological complexity this will entail, and whether the change is acceptable and viable for the organization at that moment.
- As for the analysis of patterns and behaviors, it may be worth having automation and learning tools, with some degree of machine learning and artificial intelligence, that allow anomalies to be detected and identified.
Adopting this zero trust model brings clear benefits for corporate cybersecurity. However, not all companies are prepared for it.
From the point of view of risk mitigation, it helps because everything is distrusted, so not everything that reaches a resource is allowed to act on it; this reduces the chance that a risk becomes a real threat that exploits security gaps and produces a cyber incident.
In addition, this continuous monitoring of elements, actors and their activities provides broader and better visibility of every piece of every system (devices, infrastructure, internal network and cloud), of every element that exists in or interacts with them, and of the extent and manner of that interaction. This knowledge in turn benefits threat intelligence.
As we said, unfortunately, not all companies are yet prepared to jump on the bandwagon of this paradigm shift, as they still face significant challenges. The first may be the costs of starting it up and then maintaining and operating it, given a lack of capabilities, resources, knowledge, dedication, etc.
Another factor is the complexity it entails in a specific organization, especially if its core business is not security. It can mean changing the architectural models of systems and infrastructures that are already in operation.
In any case, the Zero Trust model keeps moving forward, unstoppable, leveraging technological evolution and the developments that arise in the fight against new emerging threats, and adopting trends such as automation, machine learning and artificial intelligence that speed up the identification and containment of threats.
Likewise, two other pillars supporting the model will be the evolution of security solutions in general, and in particular those related to perimeter security and the cloud, combined with stronger approaches to authentication and identity management (soon, we will have eIDAS2 in Europe).
With all this, we can say that zero trust represents a fundamental change in the way companies approach their security, that of their networks and that of their data. As cyber threats evolve, this model becomes more and more relevant. But, as we said, its successful implementation requires continuity, resources and an adaptation tailored to each company. Zero trust may not be the only alternative, but it is a very solid framework for addressing the future of cybersecurity.
There are environments and technologies in which adopting Zero Trust is of vital importance, provided it does not introduce (as in all the previous cases) side effects such as bottlenecks or slowdowns: IoT (Internet of Things), OT (Operational Technology), IT/OT in industrial environments, cloud environments and secure software development, as well as all the mechanisms for integrating and consuming third-party services (APIs).
Adopting a zero trust framework represents a change and an effort for companies. But this model is increasingly positioning itself as the most appropriate line of action to protect critical assets and safeguard business continuity.
Is your company prepared to take on the challenge of Zero Trust?
Maybe your company needs the help of professional cybersecurity services like the ones we offer in Zerolynx: Cybersecurity Services.
If you prefer, contact us and we will talk.
Íñigo Ladrón Morales, Content Editor for Zerolynx.