You may have heard the term “zero trust.” It’s a useful cybersecurity framework that businesses use to protect their data and infrastructure with rigorous identification standards. But if you’re not a cybersecurity expert you may be wondering, what is zero trust?
In this article, we’ll explore what zero trust security means in a business context and why it’s a useful tool.
What does zero trust security mean?
Zero trust means that no person or device is trusted inside a network by default. The term was coined by Stephen Paul Marsh in his 1994 doctoral thesis, and later referenced by John Kindervag in 2009 when he posited the idea of a zero trust model in his work for Forrester.
In a zero trust environment, a user will be granted minimal access to a system after they verify their identity. A system will never ‘trust’ that a user is who they say they are: it will always verify.
When you use zero trust security, everyone accessing your business network has their identity verified before they can access systems, apps, and data. Access is granted on a one-time basis for each session.
Why is zero trust architecture necessary?
To understand the concept of zero trust, we need to first understand perimeter security.
To protect your business networks, you set up perimeter security. Picture your network as a walled city. The wall ensures that every visitor enters through a checkpoint manned by a security team. That perimeter could be a firewall, or an intrusion detection system that monitors your network traffic. Historically, that checkpoint has often been a static password.
With the concept of zero trust security, Marsh and Kindervag addressed the growing issue of insufficient network protections. Business network environments used to be configured with a single perimeter, which didn’t protect them against insider threats. If a malicious actor was able to gain access to a business network via malware or ransomware, few measures were able to detect and prevent them.
Today, it also isn’t sufficient to grant access to all business networks with a single perimeter. Many business networks work in the cloud, on local devices, or some mix of the two. Employees might be accessing business networks from different locations or personal devices. A single barrier isn’t sufficient protection for a large and varied infrastructure like those used by businesses of all sizes today. The focus must be shifted from a single perimeter protecting business networks to an access-based consideration of every user and every login attempt.
How does zero trust security work?
Zero trust has become a popular framework in recent years thanks to the rise of the cloud and hybrid working. Many organizations and governments have written guidelines and deployment regulations for a zero trust model. In 2020, the National Institute of Standards and Technology (part of the U.S. Department of Commerce) released a Special Publication titled Zero Trust Architecture. This document explains zero trust and gives examples of deployment models and of when zero trust architecture can benefit an institution.
According to the National Institute of Standards and Technology guidelines, the core components of implementing zero trust include:
- Treating all services and sources of data, along with employee devices, as resources
- Securing communication irrespective of location or device
- Granting access to each individual resource on a per-session basis
- Granting access dynamically: when verifying an identity, the network must look not only at an employee’s credentials but also at the state of their device, their previous behavior, the time and date of the access request, and any other attributes the organization deems relevant
- Regularly assessing assets for any breach and never assuming they are secure
- Using additional login security factors, such as multi-factor authentication, enforced security policies, and identity and access management, to verify identity
- Regularly assessing and re-evaluating security protocols, collecting data and using it to improve the organization’s cybersecurity
With all of these factors in place, zero trust security can be established.
How to implement zero trust security within your business
Now we have a framework for how to understand your business resources, what to implement in terms of identity verification, and how to treat your network. Let’s break down the three key places to start if you want to implement zero trust security:
Set up your threat detection
In order to understand the potential vulnerabilities in and threats to your business, you need to create a live feed of potential threats. This is something you may have done already if you’ve created an incident response plan. Once you’ve mapped out all of your data, applications, assets, and services, you can set a threat detection system in place.
Monitoring your network and your system activity logs both give you insight into who is accessing your business resources. Ideally you should be able to monitor IP addresses, attempted and successful logins, and event types. Proton Pass for Business offers activity logs for admins, in which security events are visualized and managed.
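As an added example (not Proton’s activity-log format or code), here is a small detector run over constructed log lines that carry the three fields the paragraph names: IP address, login attempt and result, and event type. It flags a burst of failed logins from one IP and a successful login from an IP the user has never succeeded from before; the line format, thresholds and IP addresses are assumptions.

```python
# Added example, not Proton's own code: login-telemetry detection over constructed
# activity-log lines. Flags (a) failure bursts per source IP inside a time window and
# (b) a user's first successful login from an IP not seen in their earlier successes.
import re
from collections import defaultdict
from datetime import datetime, timedelta
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+) result=(?P<result>\S+)"
)
FAIL_THRESHOLD = 3                  # assumed: failures per IP inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=5)  # assumed
# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-03-04T09:00:01 user=ana ip=203.0.113.5 event=login result=success
2024-03-04T09:05:10 user=ana ip=198.51.100.9 event=login result=failure
2024-03-04T09:05:12 user=bo ip=198.51.100.9 event=login result=failure
2024-03-04T09:05:15 user=cy ip=198.51.100.9 event=login result=failure
2024-03-04T09:06:00 user=ana ip=198.51.100.9 event=login result=success
2024-03-04T13:00:00 user=bo ip=203.0.113.7 event=vault_share result=success
"""

def parse(line: str):
    """Return the line's fields as a dict with a datetime timestamp, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d

def detect(log: str) -> list:
    """Return alert strings, in log order, for failure bursts and new-IP successes."""
    alerts = []
    failures = defaultdict(list)   # ip -> timestamps of failed logins still in the window
    known_ips = defaultdict(set)   # user -> ips with a prior successful login
    for line in log.splitlines():
        ev = parse(line)
        if ev is None or ev["event"] != "login":
            continue                # other event types are not login telemetry
        if ev["result"] == "failure":
            window = [t for t in failures[ev["ip"]] if ev["ts"] - t <= FAIL_WINDOW]
            window.append(ev["ts"])
            failures[ev["ip"]] = window
            if len(window) == FAIL_THRESHOLD:   # alert once, when the threshold is hit
                alerts.append(f"failure burst from {ev['ip']}")
        elif ev["result"] == "success":
            # A user's very first success sets the baseline and is not flagged.
            if ev["user"] in known_ips and ev["ip"] not in known_ips[ev["user"]]:
                alerts.append(f"{ev['user']} succeeded from new ip {ev['ip']}")
            known_ips[ev["user"]].add(ev["ip"])
    return alerts
```

Running detect(SAMPLE_LOG) reports the burst from 198.51.100.9 and then ana’s success from that same address, which is the pairing an admin would want to review first.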
Implement identity verification
A large part of zero trust is identity verification — that is, making sure the person attempting to access your network is who they say they are. There are different methods you can use beyond a traditional password that can improve your network security. The first is multi-factor authentication (MFA). By asking an employee to verify their identity with a second factor, either something unique to them (such as a fingerprint) or something they have in their possession (such as their mobile device), you make it much harder for a malicious actor to be granted access to your systems. Proton Pass for Business allows you to enforce mandatory MFA for all employee accounts.
The second is enforced data access policies. Zero trust security operates on the principle of least access, which dictates that any person should have access only to the minimum resources they need to do their job. Access is granted on a per-session basis, meaning they’ll have to re-verify their identity every time they begin a new session. Granting access to more resources than a person needs creates more vulnerabilities within your network. Within Proton Pass for Business, you can deactivate data sharing outside your organization using team policies. This prevents your data from being shared externally and eliminates the need for you to monitor outgoing data manually.
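The NIST tenets listed earlier and the identity verification and least-access steps just described come together in a policy decision: every request is checked against credentials, the second factor, device state, request time and the requester’s role before a session-scoped grant is issued. The following is an added example of such a decision function, not Proton’s or NIST’s code; the role map, device inventory, permitted hours and session lifetime are constructed assumptions.

```python
# Added example (not Proton's or NIST's own code): a minimal zero trust policy
# decision function. One access request is checked against the factors the article
# lists and receives a per-session, least-access grant or a denial reason.
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed least-access role map: each role sees only what it needs.
ROLE_RESOURCES = {
    "finance": {"ledger", "payroll"},
    "support": {"ticketing"},
}
# Constructed device inventory: only patched, disk-encrypted managed devices pass.
MANAGED_DEVICES = {
    "laptop-42": {"patched": True, "disk_encrypted": True},
    "laptop-77": {"patched": False, "disk_encrypted": True},
}
WORK_HOURS = range(7, 20)          # assumed policy window: 07:00-19:59
SESSION_TTL = timedelta(hours=1)   # every grant is scoped to one session

@dataclass
class Request:
    user: str
    role: str
    resource: str
    password_ok: bool   # result of the credential check
    mfa_ok: bool        # result of the second-factor check
    device_id: str
    when: str           # ISO 8601 timestamp of the request

@dataclass
class Decision:
    allowed: bool
    reason: str
    expires: str = ""   # ISO timestamp of session expiry; empty when denied

def evaluate(req: Request) -> Decision:
    """Never trust by default: the first failing check denies the request."""
    dev = MANAGED_DEVICES.get(req.device_id, {})
    when = datetime.fromisoformat(req.when)
    checks = [
        (req.password_ok, "credentials rejected"),
        (req.mfa_ok, "MFA not satisfied"),
        (bool(dev), "unmanaged device"),
        (dev.get("patched") and dev.get("disk_encrypted"), "device posture failed"),
        (when.hour in WORK_HOURS, "outside permitted hours"),
        (req.resource in ROLE_RESOURCES.get(req.role, ()), "outside least-access scope"),
    ]
    for passed, reason in checks:
        if not passed:
            return Decision(False, reason)
    return Decision(True, "granted for this session", (when + SESSION_TTL).isoformat())
```

Because the grant carries an expiry, a caller must come back through evaluate() for the next session rather than reusing an earlier decision.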
Behave as if there’s already been a breach
This step is more of a shift in mindset than a specific instruction. The idea behind it is to treat every asset in your organization as if it has already been compromised. This helps you to understand the importance of restricting unnecessary access, as well as minimizing any real potential damage. An excellent way to segment your assets safely is to use end-to-end encryption to protect all of your data.
Proton Pass for Business, as well as the rest of the Proton environment, offers end-to-end encryption that’s regularly battle-tested and entirely open source. This encryption prevents your data from being accessible to anyone who isn’t verified, including the Proton servers themselves. Zero trust security requires a robust and thorough approach to privacy, which Proton has always offered as a matter of principle.
Set up zero trust security with Proton Pass for Business
Keeping up with a network that spans the cloud, multiple apps, and multiple devices has made running a business easier but more precarious. To protect your business, Proton Pass offers you a single tool to store, manage, and autofill business data. Using a strong password generator and a built-in 2FA authenticator, employees can significantly improve your security without requiring direct intervention. Every employee must be responsible for making zero trust security work, and the perfect tool to help them do this is Proton Pass for Business. Find out more about our plans.