What is Zero Trust Security? Principles of the Zero Trust Model

By: Craig Cook
27th January 2023
Image

For decades, enterprise security controls have been described as castle-and-moat security, which means the perimeter should protect everything within its bounds, so everything inside is trusted by default. But, with the proliferation of cloud applications, devices, and logins, castle-and-moat became no longer reliable.

In fact, according to a McAfee survey, the average enterprise company uses over 1900 different cloud services, and the employee uses 36 different Saas apps.

Image
Illustration of a computer, a stylised cloud and the Catapult company logo.

And the growing adoption of mobile devices, remote work, and BYOD (bring your own device) in the workplace has complicated the handling of work and personal data. Such change in corporate technology space brought the need for a new approach to workplace security. The increasing usage of external devices has amplified the necessity of security perimeter outwards. Zero Trust is a new security model that can combat all the challenges in the modern workplace. Enough of the introduction. Let's answer all questions you might have about zero trust security.

What is zero trust cyber security, and what are the primary principles?

Zero Trust is a framework that guides an organisation to protect every endpoint for every user within a company rather than relying on one large perimeter. It works with strong identity and authentication processes and access controls to secure sensitive data and systems.

The primary principles of Zero Trust are:

  • Never trust and always verify: If you acknowledge that you can no longer assume trust within the network perimeter, do not trust anything on or off your network.
  • Regardless of a user's network location, granted access is based solely on the identity and device of the user.
  • In a zero-trust environment, consistent authentication and authorisation checks are the key to maintaining security. Access controls are dynamic and should be verified at all times.

What is zero trust network access, and how do you implement it?

With Zero Trust, we move from a trust-by-default perspective to a trust-by-exception one. Finding threats and responding to them becomes more manageable with an integrated capability. Automatically manage exceptions and alerts. And you can prevent or block undesired events across your organisation.

How do we get started with Zero Trust? First - Identity authentication, the foundation of a zero-trust security strategy. Establish a solid authentication process, centralising user and group directories, tracking, and managing all users across your systems in one place. When employees join or leave the company, the directory should be updated once, and then appropriate access automatically propagates.

Introducing enchanted authentication processes such as 2FA (two-factor authentication) or MFA (multi-factor authentication) strengthens security, reducing the chances of bad actors being successful with phishing, social engineering and password brute-force attacks and helping to ensure that your data stays safe.

OpenID Connect & OAuth is an authentication protocol, that is widely used for authentication services to provide end users with tokens. These tokens are issued on successful authentication and passed by the client to the web services they are using. The token is then used to gain appropriate access. Tokens have a lifecycle and expire and then need to be refreshed by the provider when required.

How to manage device authentication?

Most users typically access their work applications with many different devices. Then how does Zero Trust model make sure of security? The first step is to identify the risk associated with each platform and decide on the security measures for each platform. It defines how each device is monitored and authenticated. Many organisations establish standard levels of security requirements for common device types.

The first step is to identify the risk associated with each platform and decide on the security measures for each platform. It defines how each device is monitored and authenticated. Many organisations establish standard levels of security requirements for common device types.

What is access management in Zero Trust?

Access controls are an important part of risk management assessment and contribute to the long-term implementation of Zero trust. Zero trust approach is unique because it supports the idea that an employee should only be given the minimum access and permissions needed to do their job. Risk is minimised by limiting access in this way. Let’s say an attacker gains access to the credentials of a user in marketing. With access management, they cannot gain access to any data or information outside of that user’s specific role.

Image

Granular, role-based access and permission levels ensure that an employee’s access is restricted to the tools and assets required for their job. These should be defined for each role within the organisation, and the level of granularity needed 

for the team will be decided based on the breadth of access needed for collaboration across teams. Once these role-based access levels have been defined, you can begin to plan out the controls needed for each system.

Conclusion

Implementing the Zero Trust security model is not a simple job. It can take a considerable amount of time and effort, but the benefits are significant. According to IBM, the average cost of a security breach is $3.92m. So beginning to execute Zero Trust Security is the key to securing your sensitive company data, especially with the proliferation of cloud applications and user identities. Atlassian cloud secures access with the Zero Trust framework so you can safely collaborate with your colleagues without having to worry about losing your work or data. Not to mention work efficiently with all the variety of toolsets it offers. If you want to learn more about Zero Trust Security, download this white paper. Or, if you want to learn more about our Atlassian support, visit this page or contact us.