What Is Zero Trust Networking & Why Is It Important Now?

July 26, 2021 | August 10th, 2021 | Leadership, Security
What Is Zero Trust Networking?

Maybe you’ve heard the term “zero trust networking” and wondered what it is. The term has become more mainstream over time and has been gaining momentum. Recently, zero trust networking has come to more businesses’ attention because it was referenced in the president’s Executive Order on Improving the Nation’s Cybersecurity, which calls for government agencies, and those that work with government agencies, to work towards a “zero trust security model”.

Let’s take some time to talk about what that is, what it means, and how that applies to us. Because whether you’re a government agency or not (or work with one), zero trust is a really important framework and concept to understand for anybody who wants to secure their network.

There are three main parts to zero trust networking:

  1. Verify user identity explicitly.
  2. Implement least privilege access.
  3. Consider everything on your network to be potentially hostile.

These principles may seem kind of extreme. Or rather, this concept has seemed extreme in the past, but it’s no longer considered overkill because of how cybersecurity threats have evolved.

Why Is Zero Trust Important Now?

Historically speaking, in the security realm we’ve had a mentality of “zero trust” towards the internet for a long time. The point of firewalls, spam filters, and so on, has been to protect “the good guys” behind the firewall and keep the bad guys out, so what’s “inside” stays safe. This is often referred to as the “fortress mentality”. And it’s not cutting it today. We can no longer assume that what is “inside” is good and that only what is “outside” is potentially hostile.

You still need your firewalls and spam filters; they certainly help to reduce risk. We need to have those external protections and those barriers as best we can. But the reality is that if somebody wants to get in, there’s probably a way in. This means we need to rethink the way that we approach our networks and the way that we secure things.

The Three Principles of Zero Trust Networking

A “zero trust” mindset changes how we deal with things inside the network or inside our own systems, whether that’s Office 365 in the cloud, or a more traditional network with your server and workstations in an office.

So, let’s break down the three principles of zero trust to see what’s changed.

Verify User Identity Explicitly

In the past, it was common for a new employee to get a username and password to a company’s system, as well as access to all the company’s resources – even files and systems from other departments. The idea was to enable productivity and efficiency and reduce barriers to people getting their jobs done. So systems were made accessible and everyone was given rights and permissions, even if the specific person didn’t need all that access or all those privileges. Because we trust our employees, right?

But now trusting your employee isn’t enough – you also have to verify. Identities can be stolen; user accounts can be compromised. You can’t always know for sure that the person behind the username and password is who they say they are. You don’t know which user might click on a phishing link or visit a malicious website by accident, and compromise their account credentials.

The zero-trust answer is to verify explicitly. Know who is logging in, not just with a username and password, but with additional tools like geolocation information and multi-factor authentication. If an employee is based in the U.S., but a login request to their account comes from Japan or Australia – you should probably block that.

User verification requires tying together a lot of intelligence and asking, do we think this user is who they say they are?

Least Privilege Access

The second principle of zero trust is least privilege access. Let’s go back to what I said previously about how employees used to get access to all the files and all the systems. With zero trust, we don’t do that anymore. It actually needs to be the opposite. Begin with users being denied everything, no access to anything. And then add in permissions to what they specifically need to perform their job, and nothing more.

Why? This creates isolation and shuts down unnecessary access that could be leveraged by attackers if they compromise a user account. If a person in the sales department only has access to sales files, and they get hit with ransomware – you’ll be glad you have used least privilege access, because the ransomware won’t get everything through that one user, it’ll just hit the sales department.

The point of least privilege access isn’t to keep people from doing their jobs. The purpose of this principle is to not give people access to things that they will never need.
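The first two principles can be combined into a single access decision. The sketch below is an added example, not code from the original article; the user names, countries, resources and the `decide` and `blast_radius` helpers are all hypothetical and the data is constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data: names, countries and resources are illustrative only.
HOME_COUNTRY = {"alice": "US", "bob": "US"}
# Least privilege: nobody has any grant until one is added explicitly.
GRANTS = {
    "alice": {("sales-files", "read"), ("sales-files", "write")},
    "bob": {("hr-files", "read")},
}

@dataclass(frozen=True)
class Request:
    user: str
    password_ok: bool  # result of the primary credential check
    mfa_ok: bool       # result of the second factor
    country: str       # country resolved from the source IP
    resource: str
    action: str

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Any path not explicitly allowed is a deny."""
    # 1. Verify identity explicitly: a password alone is never enough.
    if req.user not in HOME_COUNTRY:
        return False, "unknown user"
    if not req.password_ok:
        return False, "bad credentials"
    if not req.mfa_ok:
        return False, "mfa required"
    # Geolocation signal: block logins from outside the expected country.
    if req.country != HOME_COUNTRY[req.user]:
        return False, "unexpected location"
    # 2. Least privilege: start from deny, allow only what was granted.
    if (req.resource, req.action) not in GRANTS.get(req.user, set()):
        return False, "no grant"
    return True, "ok"

def blast_radius(user: str) -> set[str]:
    """Resources reachable through this account if it is compromised."""
    return {resource for resource, _ in GRANTS.get(user, set())}

if __name__ == "__main__":
    print(decide(Request("alice", True, True, "JP", "sales-files", "read")))
    print(blast_radius("alice"))
```

The `blast_radius` result is the ransomware scenario above in miniature: a compromised sales account reaches only the sales files.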

Everything Is Potentially Hostile

And lastly, you need to consider everything in your network as potentially hostile. Because this is reality. Here you need to proactively think about how a new system, a new device, or new software could be attacked and leveraged against you. And how can these elements in your network be segmented and isolated to prevent this?

Some good examples are IP phone systems and IP security cameras. You could put these systems on your corporate network along with your server and everything else. But if a PC gets hit with an attack, you don’t want that attack to spread to your phone and surveillance systems. Segmenting various components on your network can help you protect your devices from your other devices!

How do you work towards this mindset?

So how do you “implement” zero trust? First and foremost, zero trust isn’t a product, it’s a process. No one can sell you a cookie cutter “zero trust networking package”. But experts like OXEN’s Shared CIOs can help you see where you can make changes and improvements as you work towards the zero-trust model.
