The 3 steps to achieving Zero Trust

Geoff Schomburgk explains how Zero Trust can stop data breaches and sensitive information falling into the wrong hands – plus the three steps businesses can take to keep themselves safer online.

Imagine going to Countdown or Four Square and thinking that everyone in the store is potentially going to attack you and could not be trusted? They could pose a risk to your well-being. It’s a sobering thought and having experienced the pandemic, a feeling that we’re all too familiar with.

That’s exactly how Zero Trust works in an online environment, it’s designed to stop data breaches and sensitive information falling into the hands of ‘malicious actors’. The heightened cybersecurity risks faced by New Zealand organisations as a result of the ongoing hybrid work environment, and the accelerated move to the cloud, has seen Zero Trust come of age during the past year.

While the concept of Zero Trust has been around for a while and in many organisations, Zero Trust initiatives are well underway with the goal of protecting the company’s most important assets, it still means different things to different people. There may be many roads to Zero Trust cutting across the network, identity and access control and the array of definitions or ways to get there are dizzying.

“Basically the Zero Trust framework implies that an organisation should trust no individual or thing unless properly verified before being given access to the network and data.”

The IT network believes everything that comes from outside or within the system is hostile. Zero Trust means you can’t trust anything, not the user, not the computer, not the communication. Basically the Zero Trust framework implies that an organisation should trust no individual or thing unless properly verified before being given access to the network and data.

Organisations have to validate and authenticate every user who is entering the network. They have to install monitoring agents on every endpoint. They have to validate that the device is trustworthy and provide attestation. Systems have to expire a user’s session and make them re-authenticate frequently. Doesn’t that sound like a horrible user experience? It can be if not approached with not only the organisation’s security in mind but the user experience as well.

1. Identity is the first line of defence

Identity is arguably the first line of defence to a strong cloud security foundation and one of the most challenging things to get right for security teams. But just deploying identity elements does not mean an organisation has met the strategic goals of Zero Trust.

The concepts behind identity management are far more advanced than what most organisations are actually capable of understanding from a cybersecurity perspective. Dynamic and strong multi-factor authentication (MFA), protecting user credentials and protecting devices are all essential components of a Zero Trust architecture.

The Zero Trust model involves having a strong level of trust in the authentication mechanisms of every user from every device attempting to access company resources, whether inside or outside the network perimeter. Adopting strong authentication as a core building block of a Zero Trust strategy will jumpstart the security posture of the organisation with strong identity management and authentication.

2. Use Multifactor Authentication (MFA)  

Modern MFA, which relies on something you know and something you have to log you into an account, is part of strong authentication and can prevent network access with stolen passwords. Strong authentication using modern MFA enables phishing-resistant user authentication before access is provided. Basic MFA methods such as SMS, authenticator apps and the like have been proven to be highly phishable.

If a user is using these methods to verify their identity and enter the network, the account can be compromised allowing for the attacker to gain a foothold that leads to lateral movement that can be difficult to find. As a result, we are moving away from symmetric based secrets (passwords, OTP) to more advanced asymmetric solutions that are bound in physical devices.

In order for it to be a secure Zero Trust framework, user accounts should be established using modern MFA, using purpose-built hardware security keys that deliver the strongest levels of phishing defence and secure user access. With hardware security keys using modern authentication protocols, users can register one single security key to hundreds of services with a unique public/private key pair generated for each service and the secrets are never shared between services. And the private key is stored in the secure element on the hardware key and cannot be exfiltrated.

Using this approach, hardware security keys will stop remote and phishing attacks as only the registered service is allowed to initiate the authentication unlike SMS or any mobile app authentication, man-in-the-middle attacks and malware.

3. Use a device for authentication

In the Zero Trust world that we now live in, especially during and after the pandemic where work-from-home and hybrid work policies have become the norm for many organisations, CISOs need to work out how to enable a Zero Trust architecture without hampering user productivity as they embrace remote work and cloud applications.

While the benefits of Zero Trust are obvious, the actual implementation a few years ago seemed like an inconceivable concept. But now, Zero Trust is starting to become a reality for many large organisations due to the heightened security risks.

A hardware security solution supports the “Trust nothing, verify everything” Zero Trust approach with strong user identity and device authentication. They are purpose-built for security and designed to stop phishing and other forms of account takeover in their tracks, delivering strong authentication at scale.

Geoff Schomburgk (pictured) is VP for Australia and New Zealand at Yubico.