Trust no one. If a cybersecurity expert had to give a user or a company one piece of advice on how to approach cybersecurity effectively, trusting no one would be the best. The second would be to always verify who connects to the network and accesses data, and how they intend to do so.
In brief, this approach is encapsulated in the concept of Zero Trust, which in the contemporary business landscape is the benchmark for building security architectures. The era we live in has set aside the concept of the corporate perimeter.
New habits such as working from home, the spread of the as-a-Service model, and the increasingly frequent use of personal devices for work (so-called BYOD, Bring Your Own Device) inevitably put users and employees outside corporate control. That, in turn, affirms the need not to trust anything or anyone, not even those who work for the company itself.
"Talking about Zero Trust doesn't refer to a specific technology but to an approach designed to address all threats, internal and external," says Davide Telasi, sales account manager for HWG. "It replaces the enterprise perimeter-based security architecture by ensuring that security and access decisions are dynamically applied based on several elements: the identity of those accessing, the devices they use, and the context in which they are located. The core of the system is based on the rule that only users and devices that are authenticated and authorized can access apps and data, protecting them from advanced threats that come from the network."
The dynamic application system
Dynamic enforcement of user access and permissions is the key to the Zero Trust approach, because it allows companies to grant access only to the applications the user needs, and not to others. "In this way, the company understands the identity of the user accessing and restricts him to the assigned area, not permitting him further movement," Telasi explains. "Previously, with static policy enforcement, we were limited to verifying that the user was in the LAN perimeter, leaving him the possibility of doing whatever he wanted."
Dynamism is embodied in the various ways the user can prove his or her identity, i.e. by resorting to Multifactor Authentication (MFA), and in the use of advanced technologies that allow the company to monitor authentication and authorisation procedures before providing access, or to protect against threats such as phishing, zero-day malware and data exfiltration.
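As an added illustration (not code from HWG or from this article), the sketch below contrasts the static LAN check with a per-request decision on identity, MFA, device and assigned applications. Every user, device ID, address and application name in it is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Constructed sample data: nothing here comes from a real environment.
CORPORATE_LAN = ip_network("10.0.0.0/8")
ASSIGNED_APPS = {"alice": {"crm"}, "bob": {"crm", "payroll"}}
MANAGED_DEVICES = {"laptop-0042", "laptop-0077"}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool
    device_id: str
    source_ip: str
    app: str

def static_perimeter_policy(req: AccessRequest) -> bool:
    """Perimeter model: being on the LAN grants access to every application."""
    return ip_address(req.source_ip) in CORPORATE_LAN

def zero_trust_policy(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluated on every request; network location alone never grants access."""
    if req.user not in ASSIGNED_APPS:
        return False, "unknown identity"
    if not req.mfa_passed:
        return False, "MFA not satisfied"
    if req.device_id not in MANAGED_DEVICES:
        return False, "device not authorized"
    if req.app not in ASSIGNED_APPS[req.user]:
        return False, "application not assigned to user"
    return True, "allowed"

def compare(req: AccessRequest) -> Tuple[bool, Tuple[bool, str]]:
    """Return (static decision, zero-trust decision) for one request."""
    return static_perimeter_policy(req), zero_trust_policy(req)

SAMPLE_REQUESTS = [
    # On the LAN, but asking for an application outside the assigned area.
    AccessRequest("alice", True, "laptop-0042", "10.1.2.3", "payroll"),
    # Working from home on a managed device with MFA.
    AccessRequest("bob", True, "laptop-0077", "203.0.113.9", "payroll"),
    # On the LAN with a personal, unmanaged device.
    AccessRequest("alice", True, "byod-phone", "10.1.2.3", "crm"),
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request.user, request.app, compare(request))
```

The first request is the lateral-movement case from the quote: the perimeter check lets it through, while the per-request policy confines the user to the assigned application.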
Is Zero Trust a technology?
So, when we talk about Zero Trust, we are not referring to a single, specific technology. "No one will ever tell a company to take this or that package," Telasi points out. "The question is about the company's approach and strategies to protect the infrastructure, built around a combination of technologies."
The range is wide, but four pillars can be highlighted without which the Zero Trust approach would never be fully valid. "Multi-factor authentication, the MFA; Identity Access Management, i.e. the set of technologies that enable identity and access management (IAM); Privileged Access Management (PAM); segmentation of the network into many sub-networks to optimise governance and access policies. If I had to point out the essential elements for an effective Zero Trust strategy, I would say these," says Telasi.
Companies and Zero Trust: a relationship under development
The increase in attacks and cybercrimes leads companies to look more and more at innovative solutions for their own protection. So what is the attitude towards the Zero Trust approach? "The greatest focus is on MFA, the solution most concretely used today," concludes Telasi. "The biggest attack vector for credential theft is phishing emails, and MFA is the easiest and most efficient system for password policy management. Beyond that, however, there is not a 360-degree focus on the entire Zero Trust system, because this touches various areas that often require internal security policies to be revised on identification, on devices to be admitted or not. In short, it is a more complex issue. Even though slow, the awareness is growing."