
Principles of Zero Trust Security.

In today’s world, cyber-attacks are increasingly prevalent, with the number of such incidents continually rising. These attacks can result in significant losses of time, money, and damage to an organisation’s reputation.

It is not only large companies that are targeted, but organisations of all sizes. Small and medium-sized businesses (SMBs) are equally susceptible to cyber-attacks, due to potentially weaker security measures. Common types of cyber-attacks include phishing emails, CEO fraud emails, identity theft, malware, socially engineered attacks and unpatched software.

For every type of organisation, company, and business, it is important to know that your data is well protected in the ever-changing online environment. This is where zero trust security models come in.

Technology Consumption Changes

The way IT is accessed has changed as a result of the adoption of cloud computing. This is likely to become the standard as cloud computing allows you to access your data and apps from anywhere and from any device. Whilst the benefits this provides to an organisation are ample, there are also the added security issues that need to be considered, such as data breaches, insecure interfaces and APIs, and inadequate data encryption.

The Old Model vs the New Model

Traditional IT security used to rely on a “perimeter security model,” also known as the “castle and moat” approach, in which IT and systems were surrounded by a wall of protection. This wall of protection would typically consist of firewalls, VPNs, intrusion detection systems (IDS), intrusion prevention systems (IPS), network access controls (NAC), and email gateways.

Generally speaking, this model is no longer effective as networks, users, and apps are no longer contained within a perimeter. With the rise of hybrid working environments and “shadow IT”, building a secure network perimeter is increasingly difficult. As a result, a newer cybersecurity method, known as zero trust networking, emerged.

Although it is still necessary to ensure that your network is protected and has the appropriate defence measures in place, it is now necessary to assume that it is impossible to build a wall around everything, and that attackers will inevitably find their way in.

Instead, efforts must be focused on ensuring that individuals within the network are not able to do anything harmful. This is accomplished by adhering to the principle of “never trust, always verify.” There are four areas that require verification:

  • User – who is attempting to gain access
  • Location – where access is being attempted from
  • Device – what device is being used
  • Apps – what the user is attempting to access

The goal of zero trust networking is to verify that anyone attempting to access your data is trustworthy, that the location and the device are trusted, and that the user has appropriate permissions to access the desired apps or data. However, a common challenge that arises here is striking a balance between stringent security measures and a seamless user experience. While it is important to ensure that users can easily access their data without frustration, neglecting to address these critical factors could leave your organisation vulnerable to security threats.
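The four checks above can be expressed as a decision made on every request, with a step-up to stronger verification as the middle ground between security and user experience. This is an added illustration, not code from CWSI or from any product named on this page; the users, country codes, app names and rules are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_mfa"  # ask for stronger proof instead of blocking outright
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str               # who is attempting to gain access
    mfa_passed: bool        # has the user completed multi-factor authentication
    country: str            # where the request comes from
    device_compliant: bool  # is the device managed and compliant
    app: str                # what is being accessed


# Constructed policy data; every name and value here is hypothetical.
ENTITLEMENTS = {"alice": {"payroll", "mail"}, "bob": {"mail"}}
TRUSTED_COUNTRIES = {"IE", "GB"}
SENSITIVE_APPS = {"payroll"}


def evaluate(req: AccessRequest) -> Decision:
    """Check all four signals on every request; nothing is trusted by default."""
    # User + app: unknown users and apps outside a user's entitlements are denied.
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return Decision.DENY
    sensitive = req.app in SENSITIVE_APPS
    # Device: sensitive apps are never served to a non-compliant device.
    if sensitive and not req.device_compliant:
        return Decision.DENY
    # Location, device and app sensitivity each raise the bar to MFA.
    risky = (sensitive or not req.device_compliant
             or req.country not in TRUSTED_COUNTRIES)
    if risky and not req.mfa_passed:
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    for r in (AccessRequest("alice", False, "IE", True, "mail"),
              AccessRequest("bob", False, "US", True, "mail"),
              AccessRequest("alice", True, "IE", False, "payroll")):
        print(r.user, r.app, r.country, "->", evaluate(r).value)
```

Note that being "inside" a trusted country with a compliant device still does not grant access to an app the user is not entitled to, which is the difference from the perimeter model.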

[Figure: Old Perimeter Security Model (a diagram showing a typical network security model)]

[Figure: New Zero Trust Networking Security Model (a diagram illustrating the zero trust model)]

Where To Start With Zero Trust Security Principles?

The best place to start with zero trust security principles is with a cybersecurity assessment. This will be used to evaluate the current strength of your cybersecurity, and what areas you can improve on moving forward.

Once you have identified any potential areas for improvement, you should start to think about which applications and services best suit your individual needs. Typically, we would recommend starting with Microsoft Intune, Identity and Access Management, Azure Security, and Microsoft Security Operation Services.

Finally, it is crucial to ensure ongoing management of your security. If you possess the necessary resources and skill sets, you can handle this in-house. Alternatively, you can choose to collaborate with a cybersecurity partner to manage ongoing support and maintenance.

Your Cybersecurity Maturity Roadmap

Each organisation has its own level of cybersecurity standards in place, ranging from basic to robust. Once the necessary tools, processes, and support are implemented, we highly recommend pursuing certification. Certification not only confirms that you have implemented the appropriate measures but also publicly demonstrates your commitment to cybersecurity, instilling confidence in clients, suppliers, and partners.

We propose a three-tier certification approach:

  1. Cyber Essentials: This certification verifies that the fundamental security measures are in place, offering protection against common attacks. It is relatively quick to achieve and involves a self-assessment.
  2. Cyber Essentials Plus: To attain this certification, you must first obtain the basic Cyber Essentials certification. Cyber Essentials Plus provides an additional layer of assurance as your organisation will take part in external auditing, ensuring the effectiveness of the implemented tools. Achieving this certification takes more time due to the external audit process.
  3. ISO 27001: This certification demonstrates that your organisation has comprehensive and robust IT security measures in place, indicating a high level of protection and preparedness. However, obtaining ISO 27001 certification is a significant commitment, involving substantial effort, thorough documentation, and an extensive external audit.

By pursuing these certifications, you showcase your dedication to cybersecurity and provide tangible evidence of your security posture. This not only enhances your organisation’s reputation but also fosters trust among stakeholders.

Explore Zero Trust Principles with CWSI

Cybersecurity continues to be a critical priority for businesses, and it is essential to ensure that the efforts invested in security measures are effective, particularly in light of evolving attack methods. Transitioning from a perimeter-based approach to zero trust networking is a significant step towards enhancing security, and we highly recommend leveraging Microsoft 365 as a comprehensive solution to enforce your security measures.

If you require security consultancy or support, please do not hesitate to contact us. We are here to assist you in strengthening your cybersecurity defences and protecting your organisation’s valuable assets.

Content written in collaboration with Chorus.
