
What Is Zero Trust Networking & Why Is It Important Now?

July 26, 2021 | August 10th, 2021 | Leadership, Security
What Is Zero Trust Networking?

Maybe you’ve heard the term “zero trust networking” and wondered what it is. The term has been gaining momentum and has become more mainstream over time. Recently, zero trust networking has come to more businesses’ attention because it was referenced in the president’s Executive Order on Improving the Nation’s Cybersecurity, which calls for government agencies, and those that work with government agencies, to work towards a “zero trust security model”.

Let’s take some time to talk about what that is, what it means, and how that applies to us. Because whether you’re a government agency or not (or work with one), zero trust is a really important framework and concept to understand for anybody who wants to secure their network.

There are three main parts to zero trust networking:

  1. Verify user identity explicitly.
  2. Implement least privilege access.
  3. Consider everything on your network to be potentially hostile.

These principles may seem kind of extreme. Or rather, this concept has seemed extreme in the past, but it’s no longer considered overkill because of how cybersecurity threats have evolved.

Why Is Zero Trust Important Now?

Historically speaking, in the security realm we’ve had a mentality of “zero trust” towards the internet for a long time. The point of firewalls, spam filters, and so on, has been to protect “the good guys” behind the firewall and keep the bad guys out, so what’s “inside” stays safe. This is often referred to as the “fortress mentality”. And it’s not cutting it today. We can no longer assume that what is “inside” is good and only what is “outside” is potentially hostile.

You still need your firewalls and spam filters; they certainly help to reduce risk. We need to have those external protections and those barriers as best we can. But the reality is that if somebody wants to get in, there’s probably a way in. This means we need to rethink the way that we approach our networks and the way that we secure things.

The Three Principles of Zero Trust Networking

A “zero trust” mindset changes how we deal with things inside the network or inside our own systems, whether that’s Office 365 in the cloud, or a more traditional network with your server and workstations in an office.

So, let’s break down the three principles of zero trust to see what’s changed.

Verify User Identity Explicitly

In the past, it was common for a new employee to get a username and password to a company’s system, as well as access to all the company’s resources – even files and systems from other departments. The idea was to enable productivity and efficiency and reduce barriers to people getting their jobs done. So systems were made accessible and everyone was given rights and permissions, even if the specific person didn’t need all that access or all those privileges. Because we trust our employees, right?

But now trusting your employee isn’t enough – you also have to verify. Identities can be stolen; user accounts can be compromised. You can’t always know for sure that the person behind the username and password is who they say they are. You don’t know which user might click on a phishing link or visit a malicious website by accident, and compromise their account credentials.

The zero-trust answer is to verify explicitly. Know who is logging in, not just with a username and password, but with additional tools like geolocation information and multi-factor authentication. If an employee is based in the U.S., but a login request to their account comes from Japan or Australia – you should probably block that.

User verification requires tying together a lot of intelligence and asking: do we think this user is who they say they are?

Least Privilege Access

The second principle of zero trust is least privilege access. Let’s go back to what I said previously about how employees used to get access to all the files and all the systems. With zero trust, we don’t do that anymore. It actually needs to be the opposite. Begin with users being denied everything, no access to anything. And then add in permissions to what they specifically need to perform their job, and nothing more.

Why? This creates isolation and shuts down unnecessary access that could be leveraged by attackers if they compromise a user account. If a person in the sales department only has access to sales files, and they get hit with ransomware – you’ll be glad you have used least privilege access, because the ransomware won’t get everything through that one user, it’ll just hit the sales department.

The point of least privilege access isn’t to keep people from doing their jobs. The purpose of this principle is to not give people access to things that they will never need.

Everything Is Potentially Hostile

And lastly, you need to consider everything in your network as potentially hostile. Because this is reality. Here you need to proactively think about how a new system, a new device, or new software could be attacked and leveraged against you. And how can these elements in your network be segmented and isolated to prevent this?

Some good examples are IP phone systems and IP security cameras. You could put these systems on your corporate network along with your server and everything else. But if a PC gets hit with an attack, you don’t want that attack to spread to your phone and surveillance systems. Segmenting various components on your network can help you protect your devices from your other devices!
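To make the three principles concrete, here is an added example (not code from the article or from any product) of an access check that applies them in order: explicit verification, default-deny permissions, and segment isolation. The user names, resource names, segment names and the `decide` function are all hypothetical, and the policy data is constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy (assumption): expected login countries and explicit grants.
USERS = {
    "alice": {"home_countries": {"US"},
              "grants": {("sales-files", "read"), ("sales-files", "write")}},
    "bob": {"home_countries": {"US"}, "grants": {("camera-nvr", "read")}},
}
# Constructed network layout (assumption): the segment each resource lives in,
# and which source segments are allowed to reach that segment.
RESOURCE_SEGMENT = {"sales-files": "corp", "hr-files": "corp", "camera-nvr": "cameras"}
SEGMENT_ALLOW = {"corp": {"corp"}, "cameras": {"secops"}, "phones": {"phones"}}


@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool
    country: str         # country resolved from the login's source address
    source_segment: str  # network segment the requesting device sits in
    resource: str
    action: str


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything unknown is denied."""
    profile = USERS.get(req.user)
    if profile is None:
        return False, "unknown user"
    # 1. Verify explicitly: a correct password alone is never enough.
    if not req.mfa_passed:
        return False, "mfa required"
    if req.country not in profile["home_countries"]:
        return False, "unexpected login location"
    # 2. Least privilege: start from deny and allow only explicit grants.
    if (req.resource, req.action) not in profile["grants"]:
        return False, "no grant for resource"
    # 3. Everything is potentially hostile: the device's segment must be
    #    allowed to reach the segment that hosts the resource.
    target = RESOURCE_SEGMENT.get(req.resource)
    if target is None or req.source_segment not in SEGMENT_ALLOW.get(target, set()):
        return False, "segment not permitted"
    return True, "allowed"
```

A verified sales user on the corporate segment can read sales files, but the same account is refused from an unexpected country, refused for files it has no grant on, and a camera operator's valid grant is still refused when the request originates from the general corporate segment.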

How do you work towards this mindset?

So how do you “implement” zero trust? First and foremost, zero trust isn’t a product, it’s a process. No one can sell you a cookie-cutter “zero trust networking package”. But experts like OXEN’s Shared CIOs can help you see where you can make changes and improvements as you work towards the zero-trust model.
