Securing Your Digital Space With a Zero-Trust Security Strategy

Your approach to cyber security needs to be driven from the top down and align to the business strategy to help achieve the shared goals and be successful. 

For several years, IT leaders such as the CIO, have become more aligned to the business creating a digital strategy aiming to be enablers through the use of technology, predominantly cloud. It is now security’s turn to look at its objectives and priorities with the same view.

This has the benefit of helping the business, but it also helps articulate the value of cyber security and support the budgetary process.

So, What Is a Digital Space?

In recent years we have heard many people talk about digital transformation, eco-system, cloud journeys, modern working, user experience and digitalisation. Many of these terms or concepts are bias towards certain business models and a level of maturity which does not cover the whole market. In an aim to simplify the jargon, a Digital Space is the simplistic concept of your businesses IT systems, applications, and processes together. This is regardless of where it is or how its deployed. It breaks down the conversation back to the basics of IT with no pre-conceptions of your business model.

What is a Zero Trust Security Strategy?

A zero-trust security model simply assumes one thing - You trust no-one and no device. Putting a little more context into this, we have three principles.

Verify Explicitly - Always authenticate and authorise based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

Use least privileged access - Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive polices, and data protection to help secure both data and productivity.

Assume breach -  Minimise blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and app awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defences.

These principles do not have to be obstructive to the user experience or system, in fact I suggest you make it a smoother experience to get the best adoption and response. The concepts are simple but understanding where to start, is not always clear.

Applying the Zero-Trust Security Model

Linking back to a strategy, it is clear that the world is becoming highly connected and distributed. All elements of your digital space, from users to infrastructure and data, is becoming diverse and instead of assuming everything behind a firewall is safe, trust no-one and no device.

To achieve this, we need to be able to separate objects such as users and devices from our assets such as data, applications, infrastructure, and networks and follow the IAAA (Identify, Authenticate, Authorise and Audit) model when the objects attempt to access an asset, assuming a breach is occurring. The simplest place to start is with Identity and Access Management, feeding telemetry into a security tool to provide breach detection on the assumption that a breach will occur.

When we apply the IAAA models to a user or device, we first need to consider the identity provider and a secondary authentication system such as MFA to offer Identify and Authentication to the object. Once authenticated, we should naturally assume that the user or device has no access and explicitly provide access to only what is needed at that time, for that object via Authorisation controls within the identity provider and application. Systems such as Privilege Access Management provide further segmentation by elevating access in a “just in time” fashion with governance and approval for further protections, which would require collusion to bypass.

Furthermore, using time, geography and other elements allows us to build further conditional access around our authentication and authorisation. For example, restricting logons from a Russian IP, but restricting users to just read-only permissions when in the EU.

Password less mechanisms, push notification and other technologies such as the Windows Hello, make the user experience easier whilst improving security, moving away from the traditional view that security is a blocker.

Lastly, using session information and telemetry from Identity, Authentication and Authorisation elements, we can conduct an audit trail that allows for the real-time detection of a policy breach or anomalies with the complete audit trail.

These elements relate to non-human operated devices too, where wider connectivity and access is becoming more common, think IoT and OT where assuming privilege and access could lead to a risk to human life.

Extending the Security Model

As you move your thoughts away from the implicit trust that comes with traditional approaches to a digital space or corporate environment, it is easier to understand how a zero-trust approach can be integrated into every project when you take the first step to develop a Zero Trust model around Identities of Users and Devices.

Taking the identify information and overlaying this information with audit and security monitoring across other elements, the correlation of information across identities, devices, applications, and infrastructure allows you to use Machine Learning and advanced data analytics to build security intelligence from which your security operations (secops) teams can build custom security content that relates specifically to your business. This again allows you to secure your digital space, with no assumptions about your business and operating models that could impact your security performance, which is key to considering where to start in developing a zero-trust strategy.

Zero Trust is not a technology but a holistic approach that can be built into your existing architecture and one which should be used across your entire organisation. Also, having a solid incident response plan and a business continuity and recovery plan in place will undoubtedly help in case of any unexpected incidents or potential breaches.