Adopting and Sustaining Zero Trust in Your Real-World Environment (Guest blog by Six Degrees)
How can you use zero trust in a practical way in a real-world environment? The trick is to apply the relevant aspects of this rigorous security approach in a pragmatic way that meets your specific requirements.
Make sure zero trust isn’t a barrier to workforce productivity
When you adopt the best elements of a zero trust approach, you need to make sure that employees can still access the systems, tools and data they need without disruption to their productivity. With hybrid and remote working commonplace and many applications residing in the cloud, there’s a lot of digital traffic from inside and outside your organisation – you need to supervise it closely. But it’s an own goal if your zero trust approach makes it harder for workers to do their job offsite.
Zero trust is a wide-ranging approach, not a software solution
Putting aspects of zero trust into effective practice in your organisation is a strategic activity: it requires careful assessment of your existing data and technology estate and a definition of policies and principles to be applied when you acquire new digital solutions or make changes to your infrastructure.
Adopt key zero trust principles as part of your overall security strategy
In reality, zero trust almost never provides an absolute guarantee of security. That reassuring ‘zero’ we mentioned earlier, implying that nothing can penetrate your digital fortress, is unhelpful in this respect. The aspects of a zero trust approach that you can apply pragmatically will greatly reduce your vulnerability to security breaches and you’ll be better protected against malware, but it’s not inviolable. And its important to know this, to avoid complacency. As in every area of cyber security, criminals are developing sophisticated hacking techniques all the time, so monitoring and responding to the latest threats is as important as ever. Zero trust in the real world does not eliminate all security risks – phishing and exposure of sensitive data can still take place, for example.
Microsoft’s need to protect its global reputation and billions of users makes it a leader in zero trust security. Its approach is one of using zero trust principles to empower employees, rather than to constrain them. That includes allowing workers to use their own devices to access systems, with robust security checks that are quick and easy for users to fulfil. Microsoft recommends single sign-on, multi-factor authentication, password-less authentication and eliminating VPN clients. At Six Degrees, we support this approach.
You need a trusted partner to get the best from zero trust
There’s no one-size-fits-all solution when it comes to zero trust approaches. Every organisation needs to address all its applications and infrastructure, including legacy systems. But there are some key areas of focus when defining and implementing your security strategy that includes the best elements of zero trust:
- Implement a common identity management system
- Apply adaptive access controls
- User-to-application segmentation
- Workload-to-workload segmentation
Zero trust principles form an important part of a strong strategic approach, but in the real world, successful cyber defence depends on rigorous, expert and thorough planning and execution, along with ongoing review and continuous improvement in a constantly evolving cyber security landscape. Working with a specialist cyber security partner to implement and manage practical zero trust protocols gives you access to deep and current knowledge and experience of the approach which can be difficult to sustain amongst your own team.
Help to shape and govern the work of techUK’s Cyber Security Programme
Did you know that nominations are now open* for techUK’s Cyber Management Committee? We’re looking for senior representatives from cyber security companies across the UK to help lead the work of our Cyber Security Programme over the next two years. Find out more and how to nominate yourself/a colleagues here.
*Deadline to submit nomination forms is 17:00 on Tuesday 18 October.
Upcoming events
Get involved
All techUK's work is led by our members - keep in touch or get involved by joining one of the groups below.