“Zero-Trust represents a cultural shift from network-based controls to identity-based policies and processes”
With a plethora of device types needing to access a network, it is becoming challenging to manage secure access using traditional security strategies and tools. Attackers often bypass conventional access controls, exploiting the common assumption that assets are safe on a ‘trusted corporate network’.
All a hacker needs to do is compromise a single endpoint within a trusted boundary. They can then quickly expand their foothold across the entire network by using reconnaissance, credential theft and lateral movement.
Traditional network controls can block and detect some classic attacks, but they cannot ensure an entire network is trustworthy all the time. Given that networks are often shared with external collaborators, and the devices include corporate and BYOD, the complexity increases the risk.
Shane Sloan on Zero Trust and What it Means
Guilty Until Proven Innocent!
Cyberattacks are at an all-time high. It is a highly profitable business for many, and attackers are becoming more and more sophisticated. Hackers look just like us. It’s not cloak-and-dagger people hiding behind facemasks wearing hoodies.
Hackers use social engineering to trick users, then leverage any gained information to gain further access. Further, human error and system glitches were still the root cause for nearly half (49 percent) of data breaches.
Modern Security requires a different mindset than standing up a DMZ, a proxy, some firewalls, and VPNs. It requires that all access requests be validated on several dimensions and that additional controls be applied when risk is higher.
Imagine a world where you can turn off the VPN, firewall and virtual machines, but have even greater security. All the while assuming all devices accessing your network are untrusted, a potential breach and therefore cannot access company resources until proven otherwise.
With a cloud-first security model that abandons the domain, this is what Zero Trust can offer you. Whether a connection is (or appears to be) from inside your network or an open network, every access request is fully authenticated, authorized, and encrypted before granting access.
Zero Trust includes device attestation, conditional access policies and multi-factor authentication. Rich intelligence and analytics detect and respond to anomalies in real-time.
Every Access Request is Controlled
Risk profiles in a zero-trust environment are managed by controls that can be adjusted by the IT Administrator. They include:
MULTI-FACTOR AUTHENTICATION (MFA)
MFA challenges can be applied to specific device categories. If a device were stolen or hacked, it would still not be granted access without a second form of authentication, which could include mobile push notifications, apps such as Microsoft Authenticator, biometrics, or one-time passcodes through a second factor.
Many employees, even when required to change passwords regularly, take simple measures, for example having a number incremented at the end of the password. Passwords are often shared as well. Your employees’ corporate passwords may be used on an insecure customer service portal that gets hacked, now your employees’ work profiles are at risk.
Further, employees are notoriously bad at spotting and ignoring phishing attempts and are easily tricked into giving away passwords. 32% of confirmed data breaches involve phishing and 53% of users who fall for a phishing attempt will be repeat victims.
MFA eliminates this vector of attack. Employees may be tricked into giving away credentials, but the second factor authentication provides a backstop, preventing breaches. In one study, having MFA turned on reduced account compromises by 99.9%.
JUST-IN-TIME (JIT) AND JUST-ENOUGH-ACCESS (JEA)
Modified security for specific resources ensures that staff can access only the applications or data they are authorized to use, relevant to their role in the business. With Zero Trust, you can limit user access with Just-In-Time (JIT) and Just-Enough-Access (JEA) risk-adaptive policies and data protection to help secure both data and productivity.
GEO-FENCING
Geo-fencing restricts access based on the location of the employee. Access could be limited to use within a city, state, or country. Access can even be limited for some people to the range of a specific Wi-Fi network.
NETWORK-FENCING
Only allowing access from a specific network, whether wired or wireless.
TIME BOUND
The time of login. If login is attempted outside of work hours, for the time zone of the employee, perhaps when they would usually be asleep, this can trigger behavior analytics to prompt a multi-factor authentication request or deny access entirely.
Reduce Your Costs
VPN’s, firewalls, and virtual machines are expensive. They consume a lot of IT resources, including licensing, maintenance, and providing user support.
When combined with Cloud Data, it is possible to eliminate wide area networks (WAN, SDWAN) entirely. For some clients, this can save millions.
Zero Trust works in a post-domain model, and it designed for a cloud-first, remote workforce.
Remote Working is Part of the New Normal
Cloud-based Zero-Trust removes barriers to productivity for remote workers who are having problems connecting to their networks, especially trying to communicate after hours, when IT support is unavailable. Remote access has traditionally been an issue for travelling managers and employees who do not have IT skills, trying to work from hotels or public places such as airport lounges.
It’s Not Easy
Implementing Zero-Trust is not easy, and there can be many challenges along the way. That’s where we come in. Mobile Mentor can assist you in the modernization of your digital enterprise.
Conclusion
Zero Trust is one of the 6 pillars of Modern Endpoint Management. Leveraging it will simplify your IT operations and lead to happier, more engaged, and more productive employees.
We leverage Microsoft 365 technologies to reduce your costs while increasing security and delighting your employees. Learn more by clicking the button below.
