Employees and their devices can connect from anywhere — so companies must protect them everywhere. A zero-trust security model establishes faith in users and devices through authentication and continuous monitoring of each access attempt, and with custom security policies that protect every application.
At its basic level, zero-trust can be summed up as “never trust, always verify”. It is a comprehensive approach to securing all access points across your applications and environment, from any user, device, and location. It means verifying the validity of every access request no matter where, who, or what it comes from, and providing only required access. Adoption of zero-trust can help address common security challenges in the workforce, such as phishing, malware, credential theft, remote access, and device security.
Traditional security approaches assume that anything inside the corporate network can be trusted. The reality is that this assumption no longer holds true, thanks to mobility and the paradigm of BYOD (bring your own device), IoT, cloud adoption, increased collaboration, and a focus on business resiliency. The zero-trust model considers all resources to be external, and so continuously verifies before granting access. This is done by securing the three primary factors that make up the workforce: users, their devices, and the applications they access.
In this way, a zero-trust approach secures access to everything across your entire IT environment. It allows you to prevent a data breach before it happens by enabling policy-based controls for every access attempt to your applications, workloads, and network. With a zero-trust approach, you can gain visibility into who and what is accessing applications and the network, to identify risks and indicators of a potential breach. Finally, you can reduce your overall attack surface, contain breaches, and stop attacker lateral movement by enforcing granular controls – allowing you to segment your network and workloads.
Securing Primary Factor One: Users
Users are the people, such as employees, contractors, partners and vendors, that need access to work applications and systems. Zero-trust requires that a user be given access only to the applications they truly need to do their job — and no more. It also requires that user identities be verified using a method like strong multi-factor authentication, to establish that they are who they say they are, at every single access attempt.
Securing Primary Factor Two: Devices
Devices are the things that are used to gain access to resources. These could be corporate-managed or personal devices (desktops/laptops, tablets, and mobile phones). Under the zero-trust model, devices are checked with every access request to ensure that they meet security parameters, and aren’t introducing risk. Devices should also be monitored over time, to detect potential threats or anomalous behaviour.
Securing Primary Factor Three: Applications
Applications are the tools businesses use to operate. They can be located anywhere — the cloud, in-house, or on physical systems. Application access should be governed by adaptive access policies, created based on the sensitivity of the data in the application. This granularity ensures that access is provided only to users or groups of users who need it, from locations and devices that are trusted.
In short…
With the zero-trust model, you gain better visibility across your users, devices, networks and applications, because you are verifying their security with every access request. You can reduce your organization’s attack surface by segmenting resources and only granting the absolute minimum access needed. Adopting this model provides you with a balance between security and usability. Security teams can make it harder for attackers to collect what they need (user credentials, network access, and the ability to move laterally), and users can get a consistent and more productive security experience – regardless of where they are located, what endpoints they are using, or whether their applications are on-premises or in the cloud.
