Who Ya Gonna Trust?

There’s more and more being written about zero-trust cybersecurity protocols. According to the National Institute of Standards and Technology (NIST), zero-trust is:

an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources … [It] assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location … or based on asset ownership … Authentication and authorization … are discrete functions performed before a session to an enterprise resource is established [as] a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary.

First Things First

Zero-trust is a means of ensuring safety and security are being considered first, and the odds are being stacked in favor of your remaining protected. If someone mentions zero-trust to you, it’s likely they’re meaning to suggest:

1. Explicit verification. That means users and devices must be authenticated and authorized before being granted access to resources. This includes strong authentication methods such as multi-factor authentication (MFA).
2. Least-privilege access. The right to access rights resources are granted on a need-to-know basis, ensuring users and devices only have access to the specific resources required to perform their tasks.
3. Micro-segmentation. Networks are divided into smaller segments to limit the potential effects of a security breach. Each segment is protected with its own set of access controls.
4. Continuous monitoring. Vigilant security monitoring and traffic logging are essential components of a zero-trust architecture, detecting breaches and initiating responses to potential threat in real time.
5. Assuming breaches. Zero-trust assumes threats exist inside and outside the network perimeter (because they do). All network traffic, including traffic between internal resources, is inspected and monitored for potential threats.

Implementing a zero-trust security model requires a combination of technology, network segmentation, encryption, security analytics, policies and procedures to enforce access controls and to look for suspicious activity, and consistent training.

We’d be remiss if we didn’t mention the right managed IT and cybersecurity partner can be invaluable, as well. That’s why we’re here - Rhodian.

Who ya gonna trust?