Thinking your organisation is at less risk of a data breach is one of the biggest mistakes any business can make when it comes to cyber security.

Organisations are vulnerable to cyber-attacks, especially those that still rely on a traditional hard perimeter or castle-and-moat security system…

Based on implicit trust, the castle-and-moat model basically means anything outside the business network perimeter is suspicious — and anything inside gets the benefit of the doubt.

But the assumption that internal users are inherently trustworthy has resulted in numerous costly data breaches. Added to which, with the advent of so many applications now being in the cloud, the hard perimeter is compromised, the moat has run dry!

Introducing: zero trust

In its simplest form, zero trust means nothing is trusted until verified.

Rather than assume all authenticated users are trustworthy, the zero-trust approach continuously verifies their identity and treats all access requests as if they originate from an unsecured open network.

Every user, device, service or application is connected — and gaining access to private data means first being authenticated with risk-based measures like multi-factor authentication (MFA).

When using MFA, users must pass a few verification tests — for example, by providing a password, one-time passcode, fingerprint or face ID — before being granted privileged access.

Essentially, the aim is to make life as difficult as possible for hackers.

Levelling up your data security

For too long, businesses have relied solely on virtual private network (VPN) firewalls to build fences around corporate networks.

On the surface, VPNs may seem like a sensible solution to the increasing need to gain secure remote access for all users and endpoints at your company. They allow you to funnel access through a private connection over an unsecured network, encrypting the user’s online activity.

However, the problem with VPN security is that it uses a policy of implicit trust when it comes to network access — and only takes one compromised user for a bad actor to cross the proverbial moat and steal your sensitive data. And as we saw with the Colonial Pipeline data breach, the consequences can be devastating.

So, how can you establish a zero-trust architecture within your business to help keep these cyber threats at bay? First, you need to understand the crucial principles of the zero-trust model…

Assume breach

Your company should always assume there is a malicious presence inside its network environment and implement security controls like identity and access management (IAM) to reduce the chances.

Never trust

Your organisation must continuously verify all components within its IT infrastructure to ensure they have not been compromised — including reauthorising users and devices whenever they try to access data to prevent hijacked accounts, devices and sessions from going unchecked.

It is also essential to continuously monitor and enforce the health and configuration of all enterprise assets, such as business devices, applications, services and endpoints.

Least privilege

No matter how technically skilled or trustworthy your team is, they should only have access to the network resources needed to do their job.

Limiting who can access your critical business systems reduces the risk of accidental or malicious data leaks — either from the users themselves or by sneaky attackers who take over their credentials.

How to implement reliable architecture

So now that you have a sense of zero trust and its operating principles, how can you kick them into gear?

Monitor your network traffic

Visibility is crucial in order for users and machines to be verified and authenticated…

Each corner of your business should be monitored, including on-premises and cloud environments — and 24/7 monitoring will allow you to identify events requiring an instant response.

Also, around-the-clock monitoring can increase awareness of your employee’s actions. Is anyone trying to access files outside their working hours? Has a team member downloaded a suspicious application?

Keep devices updated

Running outdated software and hardware makes it difficult to implement the latest security measures, such as two-factor authentication or encryption, leaving your business vulnerable to data breaches and cyber threats.

The easiest way to keep up with software updates is by automating updates where possible — a ‘set-and-forget’ option that updates your software as soon as it becomes available.

Partition the network

Micro-segmentation breaks up the network into smaller chunks to ensure breaches are contained before they can spread.

Think of a large ship. Ships are often divided into compartments below deck, each watertight and sealable from the rest. Even if a leak fills one compartment with water, the rest remain dry, and the ship stays afloat.

By dividing the network, even if one segment becomes compromised, it is less likely to impact the rest of the network.

Apply least-privilege access

By employing IAM programmes, your business can set controls that give secure access to employees and devices — whilst making it as difficult as possible for outsiders to get through.

Without IAM, data breaches can run rampant. Not only is it difficult to manage who has access to your organisation’s systems, but it is also tricky to revoke access from a compromised user.

Applying these steps to adopt a zero-trust approach may sound complex, but building a robust cyber security strategy is essential to keep your business safe from the inside out…

With leading technology solutions and zero-trust security strategies, Burning Tree’s consultancy services can help you identify weak points in your current cyber security strategy — or implement an entirely new one. Contact us today at 01252 843014 or email info@burningtree.co.uk to discuss our cyber security improvement services for your business.