Marco Miniotto, Senior IT Security Consultant CISSP-ISSMP
"Zero Trust" is the New Must-have Security Model for Companies
Recent large-scale security breaches have confirmed what has been foreseeable for some time: companies and public organisations have to move away from classic perimeter-based security approaches and switch to a "Zero Trust" security concept as quickly as possible.
Zero Trust is a change in security perspective that can be summarized as follows: move away from the old philosophy "Trust, but verify" (Ronald Reagan) to the new postulate "Never trust, always verify". This article is intended as food for thought.
There are 3 basic assumptions in the Zero Trust Security Model:
Zero Trust focuses on asset protection and the premise that trust is never granted implicitly, but must be continually evaluated.
The Zero Trust model makes dynamic decisions and contextualizes the "Least Privilege" security principle that limits access and permissions to the minimum required to perform an authorized function.
The Zero Trust security model assumes that the threat is already present on directly managed networks, and therefore that the security of such network infrastructures is treated no differently than that of any network not directly managed.
Zero Trust is therefore a change of "perspective": we move from the old philosophy "Trust, but verify" (Ronald Reagan) to the new postulate "Never trust, always verify". This new approach represents the future of data security.
Zero Trust Architecture
A Zero Trust Architecture (ZTA) is a corporate cybersecurity architecture based on Zero Trust principles and is designed to prevent data breaches and limit lateral movement of attackers within networks.
This definition focuses on the crux of the matter: the goal of preventing unauthorized access to data and services while at the same time making the enforcement of access control as granular as possible.
A Zero Trust architecture must be designed and built in accordance with the following basic Zero Trust principles:
All data sources and processing services are considered resources.
All communications are secured regardless of the network path.
Access to individual company resources is granted per session.
Access to resources is determined by a dynamic policy based on the observable state of the client identity, the application and the requesting resource, and may include other behavioral and environmental attributes.
The company monitors and measures the integrity and security posture of all its own assets and of those operationally associated with it.
All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
The company collects as much information as possible about the current state of its network and communications infrastructure and uses it to improve its security status.
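As an added illustration (not code from the original article or from WIRD Group), the following Python policy decision routine applies several of the principles listed above: trust is never derived from network location, identity and device posture are evaluated for every request, least privilege is enforced per resource and action, and access is granted per session with an expiry. The subjects, roles, resources and session lifetime are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class AccessRequest:
    subject: str            # authenticated identity (e.g. from the IdP)
    mfa_verified: bool      # strong authentication completed for this request
    device_id: str
    device_compliant: bool  # result of a device posture / health attestation
    network: str            # "corporate" or "internet"; deliberately ignored below
    resource: str
    action: str

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[datetime] = None  # per-session grant lifetime

# Constructed sample least-privilege policy: role -> allowed (resource, action) pairs.
ROLE_GRANTS = {
    "finance-analyst": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
}
SUBJECT_ROLES = {"alice": {"finance-analyst"}, "bob": {"payroll-admin"}}
SESSION_TTL = timedelta(minutes=15)  # assumed session lifetime; re-evaluated afterwards

def decide(req: AccessRequest, now: Optional[datetime] = None) -> Decision:
    """Evaluate one access request; every check runs regardless of req.network."""
    now = now or datetime.now(timezone.utc)
    # Principle: the threat is assumed present on managed networks too, so
    # network location is never consulted when deciding whether to trust.
    if not req.mfa_verified:
        return Decision(False, "identity not strongly authenticated")
    if not req.device_compliant:
        return Decision(False, f"device {req.device_id} failed posture check")
    roles = SUBJECT_ROLES.get(req.subject, set())
    grants = set().union(*(ROLE_GRANTS.get(r, set()) for r in roles))
    if (req.resource, req.action) not in grants:
        return Decision(False, "least privilege: no grant for this resource/action")
    # Access is granted per session and must be re-evaluated once it expires.
    return Decision(True, "granted for this session", now + SESSION_TTL)

def session_valid(decision: Decision, now: datetime) -> bool:
    """A previously granted session stays valid only until its expiry."""
    return decision.allowed and decision.expires_at is not None and now < decision.expires_at
```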
WIRD Group advises companies in the transition to a Zero Trust security model with the provision of "CISO as a Service" support by proven specialists of the WIRD Security Team.
For more detailed information or a discussion of your organisation's specific needs, please contact the author Marco Miniotto, WIRD Ticino office, firstname.lastname@example.org