
What Is Zero Trust Networking & Why Is It Important Now?

July 26, 2021 | August 10th, 2021 | Leadership, Security
What Is Zero Trust Networking?

Maybe you’ve heard the term “zero trust networking” and wondered what it is. The term has become more mainstream over time and it’s been gaining momentum. Recently, zero trust networking has come to more businesses’ attention because it was referenced in the president’s Executive Order on Improving the Nation’s Cybersecurity, which calls for government agencies, and those that work with government agencies, to work towards a “zero trust security model.”

Let’s take some time to talk about what that is, what it means, and how that applies to us. Because whether you’re a government agency or not (or work with one), zero trust is a really important framework and concept to understand for anybody who wants to secure their network.

There are three main parts to zero trust networking:

  1. Verify user identity explicitly.
  2. Implement least privilege access.
  3. Consider everything on your network to be potentially hostile.

These principles may seem kind of extreme. Or rather, this concept has seemed extreme in the past, but it’s no longer considered overkill because of how cybersecurity threats have evolved.

Why is Zero Trust Important now?

Historically speaking, in the security realm we’ve had a mentality of “zero trust” towards the internet for a long time. The point of firewalls, spam filters, and so on, has been to protect “the good guys” behind the firewall and keep the bad guys out, so what’s “inside” stays safe. This is often referred to as the “fortress mentality”. And it’s not cutting it today. We can no longer assume that what is “inside” is good and that only what is “outside” is potentially hostile.

You still need your firewalls and spam filters; they certainly help to reduce risk. We need to have those external protections and those barriers as best we can. But the reality is that if somebody wants to get in, there’s probably a way in. This means we need to rethink the way that we approach our networks and the way that we secure things.

The Three Principles of Zero Trust Networking

A “zero trust” mindset changes how we deal with things inside the network or inside our own systems, whether that’s Office 365 in the cloud, or a more traditional network with your server and workstations in an office.

So, let’s break down the three principles of zero trust to see what’s changed.

Verify User Identity Explicitly

In the past, it was common for a new employee to get a username and password to a company’s system, as well as access to all the company’s resources – even files and systems from other departments. The idea was to enable productivity and efficiency and reduce barriers to people getting their jobs done. So systems were made accessible and everyone was given rights and permissions, even if the specific person didn’t need all that access or all those privileges. Because we trust our employees, right?

But now trusting your employee isn’t enough – you also have to verify. Identities can be stolen; user accounts can be compromised. You can’t always know for sure that the person behind the username and password is who they say they are. You don’t know which user might click on a phishing link or visit a malicious website by accident, and compromise their account credentials.

The zero-trust answer is to verify explicitly. Know who is logging in, not just with a username and password, but with additional tools like geolocation information and multi-factor authentication. If an employee is based in the U.S., but a login request to their account comes from Japan or Australia – you should probably block that.

User verification requires tying together a lot of intelligence and asking, do we think this user is who they say they are?

Least Privilege Access

The second principle of zero trust is least privilege access. Let’s go back to what I said previously about how employees used to get access to all the files and all the systems. With zero trust, we don’t do that anymore. It actually needs to be the opposite. Begin with users being denied everything, no access to anything. And then add in permissions to what they specifically need to perform their job, and nothing more.

Why? This creates isolation and shuts down unnecessary access that could be leveraged by attackers if they compromise a user account. If a person in the sales department only has access to sales files, and they get hit with ransomware – you’ll be glad you have used least privilege access, because the ransomware won’t get everything through that one user, it’ll just hit the sales department.

The point of least privilege access isn’t to keep people from doing their jobs. The purpose of this principle is to not give people access to things that they will never need.
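
To make the first two principles concrete, here is an added Python example (not code from OXEN or any product) of an access decision that verifies identity explicitly and then applies least privilege. The user `alice`, the `sales-files` and `hr-files` resources, and the country codes are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    home_countries: frozenset  # where this person is expected to sign in from
    grants: frozenset          # explicit (resource, action) pairs; nothing else is allowed

@dataclass(frozen=True)
class Request:
    username: str
    password_ok: bool
    mfa_ok: bool
    country: str               # taken from geolocation of the login request
    resource: str
    action: str

# Constructed sample directory: a U.S.-based sales employee with sales access only.
DIRECTORY = {
    "alice": User(frozenset({"US"}),
                  frozenset({("sales-files", "read"), ("sales-files", "write")})),
}

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every path that is not an explicit grant denies."""
    user = DIRECTORY.get(req.username)
    # Unknown user and wrong password get the same answer on purpose.
    if user is None or not req.password_ok:
        return False, "bad credentials"
    # Principle 1: a correct password alone is not proof of identity.
    if not req.mfa_ok:
        return False, "mfa required"
    if req.country not in user.home_countries:
        return False, "unexpected location"
    # Principle 2: start from no access; allow only what was granted.
    if (req.resource, req.action) not in user.grants:
        return False, "no grant"
    return True, "granted"

if __name__ == "__main__":
    samples = [  # constructed requests
        Request("alice", True, True, "US", "sales-files", "read"),
        Request("alice", True, True, "JP", "sales-files", "read"),
        Request("alice", True, False, "US", "sales-files", "read"),
        Request("alice", True, True, "US", "hr-files", "read"),
    ]
    for r in samples:
        print(r.country, r.resource, r.mfa_ok, "->", decide(r))
```

Note that the login from Japan is refused even with a valid password and MFA, and that a fully verified `alice` still cannot read `hr-files`, which is what limits the damage when one account is compromised.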

Everything Is Potentially Hostile

And lastly, you need to consider everything in your network as potentially hostile. Because this is reality. Here you need to proactively think about how a new system, a new device, or new software could be attacked and leveraged against you. And how can these elements in your network be segmented and isolated to prevent this?

Some good examples are IP phone systems and IP security cameras. You could put these systems on your corporate network along with your server and everything else. But if a PC gets hit with an attack, you don’t want that attack to spread to your phone and surveillance systems. Segmenting various components on your network can help you protect your devices from your other devices!

How do you work towards this mindset?

So how do you “implement” zero trust? First and foremost, zero trust isn’t a product, it’s a process. No one can sell you a cookie cutter “zero trust networking package”. But experts like OXEN’s Shared CIOs can help you see where you can make changes and improvements as you work towards the zero-trust model.
