The underlying principles of Zero Trust
Mobile Mentor is a global leader in the endpoint ecosystem and Microsoft’s 2021 Partner of the Year. Certified by Microsoft, Apple and Google, their engineers live and breathe endpoint security and work tirelessly with clients to balance endpoint security with an empowering employee experience.
Zero Trust is not another software product you have to buy – it’s a methodology. Mobile Mentor outlines how this modern approach to security in our complex world of hybrid work and BYO technology can support your decision making as an organisation.
According to Reuters, cybercrime has risen by 500% since the start of the pandemic. An estimated 4,000 companies worldwide are falling victim to ransomware attacks every day. Cybercriminals are using this disruption to target healthcare, education and government services, causing havoc to social services and creating a devastating impact on the private sector that powers our economies.
How bad is it really?
US companies incur an average cost of $9 million per security breach, and because insurance underwriters have been hit hard, they’re making it more difficult to get cyber insurance while also reducing coverage and increasing premiums. Since a breach could result in bankruptcy if a company is uninsured, many are seeing their costs soar.
Who can you trust?
In today’s climate, companies are finding themselves hiring and onboarding new employees remotely, often working on personal devices and using cloud applications. Because of this, legacy security based on a network perimeter – or “castle and moat” – approach doesn’t fit anymore. You used to be able to trust your VPN and your passwords, but now they are becoming the weakest link.
Zero Trust is the smart alternative
Without a doubt, trust is essential in relationships but in security, it’s a different story. Trusting nothing – no one, no password, no VPN, no device – until verified is the smart strategy. This is what we mean by Zero Trust.
If a request turns out to be a breach, and the attacker gets a foothold in your network, zero trust limits lateral movement through least privileged access and just-in-time access.
The three principles of Zero Trust
Check devices and identify on every access request. Start by gathering input signals from the person and device. Signals related to user identity might include the user’s Azure AD account, multi-factor authentication, biometrics and whether the user’s credentials are known to be compromised.
Signals related to the endpoint may cover ownership, location and security status of the device. Other factors could be device encryption, anti-virus and compliance with management and security policies.
Assume a breach and build a policy engine
Assume every access request is a potential breach of your network and build a three-pronged policy engine for your decision-making process, consisting of:
Company Policies – Set policies based on risk levels. These can include risks of: user identity, device compliance status, version of operating software, location of user and/or sensitivity of data being accessed.
Threat Intelligence – Every day Microsoft receives over 8 TRILLION signals from its global customer community, putting them in the unique position to detect and block attacks on your company by recognising attack patterns. For an extreme example, read how Microsoft detected and warned Ukraine about imminent cyber attacks in President and Vice Chair Brad Smith’s latest blog post: Digital technology and the war in Ukraine.
Compromised Credentials – Privacy breaches often result in the sale or online publication of user credentials. The good news is Microsoft can detect leaked credentials, so if a user within your company tries logging in with compromised credentials, they can be redirected to a password reset page.
Least privilege access
Limit user access to only the requested resource. The combo of company policies, Microsoft threat intelligence and compromised credentials will mean users will access their destination – or not. Therefore your company data in these destinations – whether Office 365 documents/infrastructure or SaaS/Cloud/legacy/mobile apps – is protected by technologies otherwise known as access control.
It’s a fine line …
Companies can set policies to be as loose or as tight as they wish, but the ultimate key to success is being tight enough to protect your data but not so tight that you compromise your employee experience.
It requires a careful balance between endpoint security and the experience of your users.
Is the juice worth the squeeze?
In this day and age? Definitely.
With Zero Trust, you gain improved security and your company is better equipped to withstand attacks. Security teams can report on key metrics to show threats are being detected and neutralised. This generates leadership confidence and shows a return on investment.
Zero Trust gives employees a better experience, with the ability to work remotely on any device, including their own, and swapping passwords and VPNs for biometrics.
You also lower your costs, with Zero Trust providing the opportunity to simplify your security stack, reduce tech vendor numbers and swap out manual tasks for automation. Your IT team will thank you when they’re able to shift their focus from routine tasks to proactive initiatives.
Get your regular fix of thought leadership from Mobile Mentor by joining their newsletter:
Read the rest of the Zero Trust series to round out your knowledge:
Mobile Mentor is Microsoft’s 2021 Partner of the Year for endpoint ecosystems. Certified by Microsoft, Apple and Google, they work tirelessly with clients to balance endpoint security with an empowering employee experience.
We enable remote teams to be secure and productive. Work is an activity, not a place. We’re a Microsoft Gold partner specialising in modern work technology that enables remote teams to be secure and productive.
The cloud creates new paradigms for the technologies that support the business. These new paradigms also change how those technologies are adopted, managed, and governed. When entire datacenters can be virtually torn down and rebuilt with one line of code executed by an unattended process, we have to rethink traditional approaches. This is especially true for governance. Cloud governance is an iterative process. For organizations with existing policies that govern on-premises IT environments, cloud governance should complement those policies. The level of corporate policy integration between on-premises and the cloud varies depending on cloud governance maturity and a digital estate in the cloud. As the cloud estate changes over time, so do cloud governance processes and policies.