An introduction to Zero-Trust
First mooted in 2010 by research firm Forrester, Zero Trust puts data at the core of an organisation’s security. It relies on organisations knowing what their important data is, where it is at any point in time and how it moves not only in and out of the organisation, but also within the network.
“Historically, one would rely heavily on enforcing security at the network perimeter,” says CommBank Chief Information Security Officer, Keith Howard.
“But as connectivity and interconnectivity has exploded, we’ve needed to shift the way we do security to something that’s much more dynamic.”
At its core, the Zero-Trust model assumes the traditional security perimeter can be breached and that any single layer of defence is likewise imperfect. By using continual validation and verification, Zero Trust aims to make sure that only the right people can access the right data at the right time.
The five steps outlined by Forrester are:
- Identify and classify data, and segment it according to sensitivity – this allows you to focus energy on protecting your organisation’s most critical information.
- Map how your sensitive data moves around, including any dependencies.
- Design secure zones around different types of data with access limited, strictly enforced and audited.
- Monitor your network to ensure information flows are what you’d expect and are appropriate.
- Automate processes as much as possible and continue tuning rules and operations.
How to get started with Zero Trust?
For Zero Trust to work, organisations must first know their own data – what is most critical in terms of business operations, what is most damaging if it were to be leaked outside the organisation, and what would be of use to an attacker in the event of a breach?
It’s then a case of looking at your budget and creating a scaffolding of people, process and technology controls that sit around the information that forms the core of your business.
“For smaller organisations, it’s really about getting the foundations right so that as you grow you can scale without too much complexity, because complexity often is a recipe for security gaps,” Howard says.
Key components include:
- A robust identity platform so you know who your network users are, their role, and what expected behaviour looks like.
- Alongside this sit identity controls for access, such as multi-factor authentication (MFA), which can tier up depending on the criticality of what’s being accessed and the activity being undertaken once access is granted.
- The use of encryption to further secure data.
- Having an inventory of every device an organisation operates, to fully understand the technology footprint.
- Understanding key workflows within your organisation and constantly questioning the protections in place, and whether there’s any way to improve decision making.
- Conducting analysis and reviews of your network records so you can detect and respond to anything that looks potentially nefarious.
“The challenge for organisations as they grow is to orchestrate the various controls in place and make them dynamic,” Howard says.
“How do you look at those controls and change criteria as more information comes to light?”
Another constant challenge for organisations is the authentication and authorisation of users, so as to limit the potential damage in a breach scenario.
“This is where the principle of ‘least privilege’ comes in, which combines the three elements of the user, the role they have in the organisation, and what we know about their device in order to ensure that permissions are dialled back to the level required to fulfil their job but nothing more,” Howard says.
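The tiered MFA from the key components list and the least-privilege combination of user, role and device that Howard describes, as an added Python example that is not from the article or from CommBank; the roles, sensitivity tiers, device checks and MFA thresholds are all assumptions:

```python
"""Added example, not the article's code: a Zero Trust access decision that
combines user, role and device posture with the sensitivity of the requested
data. All roles, tiers and thresholds are constructed assumptions."""
from dataclasses import dataclass

# Sensitivity tiers, lowest to highest (assumed classification scheme).
TIERS = ["public", "internal", "confidential", "restricted"]

# Least-privilege map: the actions each role may perform per tier (assumed).
ROLE_ACCESS = {
    "analyst": {"public": {"read"}, "internal": {"read"}},
    "engineer": {"public": {"read"}, "internal": {"read", "write"},
                 "confidential": {"read"}},
    "dba": {"internal": {"read", "write"}, "confidential": {"read", "write"},
            "restricted": {"read"}},
}

@dataclass
class Request:
    user: str
    role: str
    action: str           # "read" or "write"
    tier: str             # sensitivity of the data being accessed
    mfa_level: int        # 0 password only, 1 MFA, 2 phishing-resistant MFA
    device_managed: bool
    device_compliant: bool

def required_mfa(tier: str, action: str) -> int:
    """MFA tiers up with the criticality of the data and the activity."""
    level = TIERS.index(tier)
    if level == 3 or (level == 2 and action == "write"):
        return 2
    return 1 if level >= 1 else 0

def decide(req: Request, audit: list) -> str:
    """Return 'allow', 'step_up' or 'deny' and record the decision for review."""
    if req.action not in ROLE_ACCESS.get(req.role, {}).get(req.tier, set()):
        verdict = "deny"          # role grants nothing beyond the job
    elif not req.device_managed or (
            TIERS.index(req.tier) >= 2 and not req.device_compliant):
        verdict = "deny"          # unknown or non-compliant device
    elif req.mfa_level < required_mfa(req.tier, req.action):
        verdict = "step_up"       # re-verify rather than trust the session
    else:
        verdict = "allow"
    audit.append({"user": req.user, "role": req.role, "action": req.action,
                  "tier": req.tier, "verdict": verdict})
    return verdict
```

The audit list is what the "monitor your network" and "review your records" steps consume: every decision, including denials and step-ups, is kept so unexpected flows can be spotted and the rules tuned.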
What’s next for organisations on this path?
Well-implemented and orchestrated machine learning will be a key factor in fully implementing Zero Trust, according to Howard, including applications such as continuous authentication to help mitigate more attack types.
Ultimately though, Howard says what’s important is for organisations to realise that there’s no such thing as being perfectly secure.
“There is no silver bullet. What Zero Trust is all about is making sure we never become complacent, that we never lower our guard.
“If you can imagine an attack, then no matter how outlandish it sounds, the chances are it can happen – it’s just a matter of whether or not an attacker has invested the required time and effort into making it a reality. Adopting that security mindset of questioning the legitimacy of any contact is a critical skill that organisations of all sizes, as well as individuals, should be practicing.”
Our cyber security expert
Keith Howard is Chief Information Security Officer at CommBank. Appointed to the role in 2019, he leads the Cyber division for the Group (including CommBank and Bankwest), responsible for keeping the Group and its customer information safe and secure.
Prior to this appointment, Keith led large cross-functional teams delivering transformational change such as the successful SAP upgrade and previously led the Group’s Customer Engagement Platform delivering powerful customer experiences using machine learning.
Before joining CommBank in 2015, Keith delivered technology transformation programmes and managed global teams across multiple industries including petroleum, transport and software, having lived in both the UK and Asia prior to moving to Australia.