The concept of Zero Trust and why you should consider implementing it

Introduction

Cyberattacks have increased in size, frequency and sophistication, causing on average $4.24mn in costs. The rise of cloud computing, the remote workforce following the Corona pandemic and legal frameworks like the GDPR have raised the stakes for organizations to protect their sensitive applications and data. The existing “castle-and-moat” paradigm, which trusts users inside the company perimeter, has become obsolete.

Zero Trust Security is an omnipresent buzzword in the cybersecurity space. More and more companies are turning to this new security paradigm, which has one central tenet: trust nobody, practice zero trust. Does Zero Trust Security really promise to be the much-needed answer to the constantly evolving and emerging cyber-threat landscape?

What is Zero Trust?

The Zero Trust approach has one central tenet: nothing inside or outside the company perimeter should be trusted. As a result, every user has to authenticate and prove their identity at every login before being granted access to company resources, applications and data.

The Zero Trust Network, or Zero Trust Architecture, was originally developed by John Kindervag in 2010 during his tenure as vice-president of Forrester Research. It represents a shift from the prior “castle-and-moat” approach, in which company-internal systems were protected with a firewall as the moat. This outdated approach, which is not fit for the age of cloud computing and remote working, assumed that all users inside the company perimeter act responsibly and can be trusted.

As most organizations’ IT security concepts and architectures are still based on this obsolete approach, many massive data breaches occur once a hacker or other malicious actor has made it inside the company perimeter. Zero Trust architecture puts an end to this. It effectively eliminates the concept of trust from the company perimeter.

With cloud computing and remote working, security must be enforced not only at the perimeter but also beyond it, across data centers, cloud, web services and outsourced IT services, instead of being considered in silos.

The main components of Zero Trust

What, then, are the components of Zero Trust? Most of these technologies and governance processes have been around for a long time and are now combined with the mission of ensuring the security of the enterprise IT environment.

The starting point is micro-segmentation and the definition of highly specific perimeters based on data like users, location and additional data points that evaluate whether a user can be trusted and granted access. Both the identity of the user endpoint and their security status must be determined. Users are only granted access based on governance policies that determine who can have access to what.

The technologies and processes involved include:

  • Multifactor authentication
  • IAM (identity and access management)
  • Orchestration
  • Analytics
  • Encryption
  • Scoring
  • File system permissions
  • Governance policies (give users the least amount of access they need to complete their tasks)

Where to start

How can companies implement a Zero Trust architecture and where should they start? Generally, organizations need to prepare for a gradual and long-term shift. Especially for large corporations, it is going to be a gradual, multi-phase and multi-year transition. The shift to Zero Trust should become part of the overall transition from legacy systems to the cloud. It should be driven by the CISO and CIO, who determine what part of the IT environment should be prioritized.

Aside from the technological changes and implementations, the mindset of the staff also has to change accordingly. The current illusion is that the internal IT environment is safe and everything within it is trusted. Instead, security executives have to understand that the malicious actors are already in their IT environment.

To implement a Zero Trust architecture, organizations must follow these 5 chronological steps.

Micro-segmentation (micro perimeter):

  1. Identify the protect surface: the protect surface defines the most essential, critical data, assets, applications and services in the company network.
  2. Document transaction flow: identify how traffic in the organization moves, who the users are, what applications they use and how they connect.
  3. Build a Zero Trust architecture: create a micro perimeter closely around the protect surface with a next-gen firewall that makes sure only known, permissioned traffic and legitimate applications can access the protect surface.
  4. Create a Zero Trust policy: leveraging the Kipling method, these policies answer the questions of who, what, when, where, why and how access to company resources is granted through the defined micro perimeters.
  5. Monitor and maintain: the defined Zero Trust policies need to be monitored continuously, e.g. to check whether new elements should be added to the protect surface or whether some interdependencies have not yet been taken into account.
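
The six Kipling questions from step 4 can be evaluated as a default-deny check at the micro perimeter, with the failed questions recorded for the monitoring in step 5. The following Python example is added here and is not part of the original article; the rule fields and the group, application and label names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

QUESTIONS = ("who", "what", "when", "where", "why", "how")

@dataclass(frozen=True)
class Request:
    who: str            # authenticated user's group
    what: str           # application making the connection
    when: time          # time of the request
    where: str          # endpoint posture / location label
    why: str            # protect-surface data being accessed
    how: frozenset      # controls satisfied, e.g. {"mfa", "tls"}

@dataclass(frozen=True)
class Rule:
    who: str
    what: str
    when: tuple         # (start, end) of the allowed time window
    where: frozenset    # accepted endpoint labels
    why: str
    how: frozenset      # controls that must all be present

    def failed(self, r):
        """Return the Kipling questions this request fails for this rule."""
        ok = {
            "who": r.who == self.who,
            "what": r.what == self.what,
            "when": self.when[0] <= r.when <= self.when[1],
            "where": r.where in self.where,
            "why": r.why == self.why,
            "how": self.how <= r.how,   # every required control is present
        }
        return [q for q in QUESTIONS if not ok[q]]

# Constructed policy for a hypothetical "payroll" protect surface.
POLICY = [Rule("hr-staff", "payroll-app", (time(7), time(19)),
               frozenset({"managed-laptop"}), "payroll-records",
               frozenset({"mfa", "tls"}))]

def evaluate(req, policy=POLICY):
    """Default deny: allow only if one rule answers all six questions.
    Returns (allowed, failed questions of the closest rule) for monitoring."""
    closest = list(QUESTIONS)           # no rule came close: all six fail
    for rule in policy:
        failed = rule.failed(req)
        if not failed:
            return True, []
        if len(failed) < len(closest):
            closest = failed
    return False, closest
```

A request from a valid user that lacks MFA is denied with `["how"]`, which tells the policy owner exactly which condition blocked access.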


Conclusion

Today’s cyberthreats call for a new security paradigm to protect sensitive data, applications and services in enterprise IT environments. The Zero Trust paradigm eliminates trust from the company perimeter, making it necessary for users to always identify and authenticate themselves before being granted access.

More and more organizations are adjusting their IT environment to reflect this approach, and it is set to become the dominant paradigm over the next 3–5 years. While Zero Trust doesn’t require the implementation of specific solutions, it requires the combined implementation of existing technologies around the definition of micro perimeters. The transition to the Zero Trust paradigm should be driven by the CISO, CIO and executive board and must be accompanied by a mindset shift.
