Arrow Electronics, Inc.

What is zero trust?

January 11, 2022 | Mark Rooney

What is Zero Trust?

While at first glance you may think Zero Trust is a product feature, it is in fact a philosophy that can be used to improve a company’s overall digital security by eliminating the concept of trust from the network architecture of the business. Zero Trust is not about making a system trusted; it is about eliminating trust. In practice, this involves verifying each user before granting them access to any resource. All user requests, whether internal or external, require authentication, authorisation, and encryption in real time. Simply put, Zero Trust follows the principle of “never trust, always verify”.

As per Microsoft’s 2021 Evolving Zero Trust Whitepaper, the core guiding principles of a successful Zero Trust strategy have been proven through real-life deployments. These are:

  • Verify explicitly: Always make security decisions using all available data points, including identity, location, device health, resource, data classification and anomalies.
  • Use least privilege access: Limit access with just-in-time and just-enough-access (JIT/JEA) and risk-based adaptive policies.
  • Assume breach: Minimise the blast radius with micro-segmentation, end-to-end encryption, continuous monitoring, and automated threat detection and response.

Why is Zero Trust more important now?

With COVID-19 came changes to the way many companies operated, with an accelerated adoption of cloud and remote working technologies. In conjunction with the growth of IoT, this has resulted in an increasing number of devices connecting to company networks remotely. This rapid adoption has increased companies' vulnerability to potential data breaches. With the average cost of a data breach rising from USD 3.86 mil in 2020 to USD 4.24 mil in 2021, lacking an effective Zero Trust model is no laughing matter.

"There are many examples of where a zero touch philosophy may have helped prevent or at least given vision into breach events. For example, most RDP attacks, including “BlueKeep”, could be avoided with SSO logins, password and device management." - Mark Rooney, Sales Engineer, Arrow ECS ANZ

Instituting a Zero Trust policy now means accounting for users who access critical applications and workloads from any location, device and endpoint. An effective Zero Trust policy cannot depend on location and must span your business’ entire environment, ensuring that only the right users have access to the right applications and data. Guaranteeing this requires consistent visibility, enforcement and control that can be delivered directly on the relevant devices or through the cloud.

How do I implement zero trust?

Implementing a Zero Trust strategy for your business does not necessarily have to be costly, nor does it require a complete overhaul of your existing architecture.

"Assessing the company workforce locations, applications and network access requirements is one of the first places to start when determining a zero touch philosophy for an organization. Assessing your current security infrastructure and its capabilities and weaknesses in relation to those requirements will then help guide as to what infrastructure is needed to build the Zero Trust strategy" - Mark Rooney, Sales Engineer, Arrow ECS ANZ

Ensure the company has a clear “Security Policy” as a reference and plan implementation in achievable steps.

Example of achievable steps

Step 1: Ensure all users authenticate with a username and password as well as a second authentication factor, such as Okta or Duo.

Step 2: Limit application access per user, typically deployed using groups. Different users will require different access to the same applications, so apply least privilege principles.

  • Ensure that application administrators' and developers' access to applications is very secure. This may include enhanced 2FA or MFA.
  • Ensure all transactions are tracked and validated to ensure there is no malicious code or activity, including data exfiltration.

Step 3: Access to Infrastructure.

  • Ensure access to infrastructure is no more than required.
  • Ensure third-party access to infrastructure is secure, e.g. external providers including WAN provider(s).
  • Ensure micro-segmentation is used where necessary. For example, segmentation can keep the HR application completely isolated from developers.

According to security vendor Palo Alto Networks, there are 5 steps that can help to guide you in deploying, implementing, and maintaining an effective Zero Trust strategy. These are:

  1. Define the protect surface
    Defining the protect surface, which is the sensitive data, assets, applications, and services you need to protect, is easier and more identifiable than trying to identify the attack surface, as what you need to protect is knowable. Elements of your protect surface could include:
    • Business and end user data
    • Off the shelf or custom software applications
    • Assets including POS terminals, manufacturing, or medical equipment and IoT devices
    • Services such as DNS, DHCP and Active Directory

  2. Map transaction flows
    Zero Trust is a flow-based architecture. Once you understand how your systems are intended to work and how the various components interact with one another, you will be able to determine where you need to insert controls. Outlining even an approximate flow map of how traffic moves across the network, specific to the data in the protect surface, will help determine how it should be protected.

  3. Build a Zero Trust architecture
    A Zero Trust Architecture is unique to each individual business and is dependent on your own organisation’s protect surface and component interaction flow. When building your Zero Trust architecture it is essential to remember that Zero Trust is not only about access control, but also involves ensuring that all network traffic is inspected to identify malicious activity. This involves multiple integrated security services, including intrusion prevention systems (IPS), sandboxing, URL filtering, DNS security, and data loss prevention (DLP) capabilities. 

    "Working with an IT distributor such as Arrow allows for businesses to access the most ideal solutions and products from a large variety of vendors which can then be used to tailor a complete custom zero trust security solution." - Mark Rooney, Sales Engineer, Arrow ECS ANZ

  4. Create a Zero Trust policy
    A Zero Trust security policy focuses on creating allow lists. Rather than focusing on potential risks and threats which are increasing in size and variety, your focus should be on what is allowed as this is able to be known. The Kipling method serves as an effective guide, especially for Layer 7 Firewalls which require more granular enforcement. This is the methodology of identifying the who, what, when, where and why. You will need to identify who your users are, what applications they need to access, when and how they intend to access and connect to these applications, where the packet’s destination is and why it is trying to access a resource inside the protected surface.

    By taking such a methodical and granular approach to policy enforcement, you can help ensure that only known allowed traffic or legitimate application communication is given permission.

  5. Monitor and maintain the network
    In the final step of implementing Zero Trust, you will need to review and inspect all internal and external operational logs, with the core focus on how effective the operational aspects of Zero Trust are. Inspecting and logging all traffic is essential, as it provides valuable insights on how to improve your network over time, allowing you to maintain and improve your Zero Trust architecture.
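
The allow-list policy of step 4 and the decision logging of step 5 can be sketched together. This is an added example, not code from Palo Alto Networks or Arrow; the rule fields, group names, segments and posture labels are constructed assumptions, and "why" is modelled as a declared data classification.

```python
from dataclasses import dataclass
from datetime import time
@dataclass(frozen=True)
class Rule:
    name: str
    who: frozenset   # groups allowed
    what: str        # application
    when: tuple      # (start, end) time-of-day window
    where: str       # destination segment inside the protect surface
    why: str         # declared purpose / data classification (assumed model)
    how: frozenset   # conditions the session must meet (MFA, managed device)

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    at: time
    segment: str
    purpose: str
    posture: frozenset

# Constructed allow list: anything not matched here is denied.
RULES = [
    Rule("hr-payroll", frozenset({"hr-staff"}), "payroll", (time(7), time(19)),
         "hr-segment", "hr-records", frozenset({"mfa", "managed-device"})),
    Rule("dev-ci", frozenset({"developers"}), "ci", (time(0), time(23, 59, 59)),
         "dev-segment", "source-code", frozenset({"mfa"})),
]

def failed_checks(req, rule):
    """Return the Kipling dimensions on which req does not satisfy rule."""
    checks = {
        "who": bool(req.groups & rule.who),
        "what": req.app == rule.what,
        "when": rule.when[0] <= req.at <= rule.when[1],
        "where": req.segment == rule.where,
        "why": req.purpose == rule.why,
        "how": rule.how <= req.posture,
    }
    return sorted(k for k, ok in checks.items() if not ok)

def evaluate(req, rules=RULES):
    """Default-deny decision plus an audit record for every request."""
    misses = {r.name: failed_checks(req, r) for r in rules}
    matched = next((name for name, failed in misses.items() if not failed), None)
    record = {"user": req.user, "app": req.app, "decision": "allow" if matched else "deny",
              "rule": matched, "failed": None if matched else misses}
    return matched is not None, record
```

Each deny record lists the dimensions that failed per rule, which gives the log review in step 5 something concrete to tune the allow list against.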

Now that you have a basic understanding of Zero Trust and how to implement it for your business, you are able to begin your journey to enhancing your customer's business security. However, implementing Zero Trust is a job you do not have to do alone. Distributors such as Arrow are able to assist your customers to create a Zero Trust deployment strategy. By connecting you to the most ideal products and vendor solutions, Arrow lets you utilise customised strategies and a blend of security solutions to create a Zero Trust Architecture that is made to function for your customers’ business.

From Firewalls and Endpoint Management to user identification, authentication and anti spam/phishing technologies, Arrow has access to leading security vendors who provide the solutions and technology to implement a Zero Trust Architecture.

To find out how Arrow can help you with your customer's Zero Trust architecture, training and ongoing support, get in touch with us today.