As cybercrime threatens businesses of all sizes, industries and locations, organizations have realized that the status quo is no longer tenable and that implementing zero trust is necessary.
Zero trust is a security model that can be summed up as “Never trust, always verify.” In other words, whether a connection to a system or data is attempted from inside or outside the organization’s network, no access is granted without verification.
Many companies may promise zero trust but it can’t be achieved with a single technology or solution. Rather, it’s a holistic approach to security that needs to be adopted by an organization in its entirety, relying on a combination of technology and governance processes to secure the IT environment. For it to be effective, there needs to be technology and operational change at every level of the organization.
To adopt a zero trust model, keep these four tenets in mind:
For all forms of computing, on-premise or in the cloud, the physical data center still represents the epicenter of customer data. More importantly, it also represents the first layer of defense against cyber theft.
The first piece of physical security includes on-site monitoring of the data center, such as 24/7 cameras, professional security teams patrolling the site, and locks on cages to prevent unauthorized access to the hardware within the racks.
Next, access to all facilities must be controlled via an approved access list. This means each individual on the list has a photo and biometrics on file linked to their access card; to enter a data hall, an approved user must swipe their access card and validate their biometrics before being granted access.
Key environmental elements such as power, cooling and fire suppression must also be secured to enable systems to remain online in the event a power failure or fire is triggered.
Logical security refers to the various layers of technical configurations and software that, combined, create a secure and stable foundation. In reference to layers, logical security is applied at the network, storage, and hypervisor layers.
At the network layer, no two network segments behind the customer’s firewall should overlap or interact in any way. By combining a secure perimeter with network isolation behind that perimeter, an organization’s network traffic is dedicated and invisible to any other customer across the platform.
For storage platforms, the concepts of segmentation, isolation and secure demarcation are continued.
Finally, don’t forget about the hypervisor. Like networking and storage, logical segmentation is implemented to avoid problems with contention, often known as “noisy neighbor.” By ensuring resources are logically allocated to individual customers, that resource is marked for their usage within their private environment.
No security solution, whether physical or logical, is effective without trained and experienced people. If the people managing the system don’t understand or know how to work within the controls established to protect the various systems, the solution will fail. Quite simply, you wouldn’t spend thousands of dollars on a home security system, but then leave the keys to your house sticking out of the lock on the front door.
Security processes begin before an employee even joins the company with a background check before starting employment. Once employed, all staff should undergo security and compliance training as part of their onboarding process, and ongoing training at least every six months.
To operate with a zero trust model, enforcing “access denied” unless proven otherwise is a key step. Access is granted through a role-based access control (RBAC) model, providing specific individuals access based on their function. In addition to RBAC, privileged accounts are configured to operate with two-factor authentication. This is an elevated level of authorization required to access critical systems. In addition to current authorization, all employees are subject to regular access reviews to determine and ensure they still need access after changing roles, teams, or departments.
More general process oriented (i.e., non-user specific) security activities include annual penetration testing and regular patching schedules for all systems.
Lastly, the processes and systems in place must be regularly reviewed and audited to ensure regulatory compliance and adherence to the company’s security standards. In highly regulated industries, such as financial services and healthcare, this is especially important.
Whether your organization is pursuing zero trust now or in the future, the various physical, logical, process and audit elements above can serve as a starting point to keep your data secure.