Trust nothing, plan for everything

Access & Identity Management Handbook 2022 Access Control & Identity Management, Information Security

Zero trust is a strategic and intelligent approach to the growing cybersecurity threat. According to Statista, organisations are rapidly moving towards zero trust frameworks as they offer measurable benefits in terms of increased compliance, faster threat detection and improved protection of customer data, among others. The approach allows for organisations to take an holistic approach to security by removing the idea of trust and interrogating every touchpoint and interaction to ensure that systems and individuals are secure.


Henk Olivier.

There are many different approaches and ideas around how to implement and fully realise a zero-trust model, but they all boil down to the same principle – every user and employee isn’t only authenticated when they access data or systems, they are authenticated constantly. And their authentication process is then authenticated and verified using multiple authentication and verification methodologies. A chain of security that loops back and within the business to ensure that every identity and point of access is genuine and verified.

Another reason why zero trust has become so invaluable to the organisation is because of digital. Digital transformation has accelerated exponentially over the past two years, for obvious reasons and organisations have had to rapidly evolve their systems and security to keep up. Most companies adopted cloud technologies to ensure they could continue working with customers and employees that were now all working from home. The entire business model shifted on its axis as hundreds of people in the office using one network suddenly became hundreds of networks accessing the office. And this dynamic hasn’t changed even now as many companies are moving towards hybrid models of working.

Losing sleep

For security teams, this has been an ongoing concern. Most lay awake at night. Many still do. The rapid move to online and hybrid working models has opened vulnerabilities within systems that were not prepared. Many are still trying to find reliable and robust ways of ensuring that systems and data remain secure. The biggest challenge for most companies has been to have security and authentication – ensuring that every user on any device from any location is verified and authenticated – embedded at every touchpoint with the same standards.

However, data encryption is not easily accessible for many companies and many don’t ask that users connect to specific tools in order to get authenticated because they haven’t the budget or manpower to implement tools that monitor and manage user access. Often, companies have allowed their employees to work without authentication which introduces a significant risk when it comes to data transfer and data movement auditing. This is further complicated by the growing number of regulatory bills, worldwide, that hold companies responsible for a breach.

The Protection of Personal Information Act (PoPIA) has come into full force and joins other international acts such as General Data Protection Regulation in Europe (the benchmark of robust regulation, globally), the California Consumer Privacy Act (CCPA) and Brazil’s Lei Geral de Proteção de Dados (LGPD). Companies can no longer leave their security lying about on the ground for anyone to pick up and break. Now, they have to show a full track of data movement and data auditing and they have to report on all the data movements of the company. It’s critical to have policies and procedures in place, particularly for companies that are operating within hybrid frameworks.

The zero-trust model

Which is where zero trust comes in. The zero-trust model, based on NIST 800-207[1], includes three key principles. The first is continuous verification where the system is always verifying access, all the time across all resources. The second is to limit the blast radius by minimising the impact if a breach occurs; and the third is to automate context collection and response and to incorporate behavioural data for accurate insights and authentication processes.

Zero trust policies rely on real-time visibility into hundreds of user and application identity attributes. These include anything from user identities and types of credentials, to credential privileges per device and endpoint hardware types and functions. Zero trust systems also tick the boxes of: assessing behaviour patterns, geolocation, security or incident detections, application installations on the endpoints, protocol and risk authentication and operating system version and patch level monitoring.

The challenge for organisations is to find a way of embedding a zero-trust model within the chaos of applications and devices that has evolved over the past two years. In the past, companies could lock down devices on the hardware application level, but with software changing and different devices emerging, this is now only one part of the authentication and verification equation. Now, zero trust has to implicate and interrogate every point of authentication and verification throughout the user journey.

Considering that organisations are required to protect their infrastructure and deployment and embed multi-cloud, hybrid and multi-identity functions that include unmanaged devices and legacy systems as well as Software-as-a-Service applications, it’s clear why zero trust continues to gain traction. Security must address key threat use cases such as ransomware, supply chain attacks and insider threats. These continue to lead the way in successful hacks of privileged information and cause immense damage to organisations, reputationally and financially.

Organisations can implement a zero-trust approach incrementally, ensuring that risk is managed effectively within the resource capabilities of the security team and through the strategic implementation of security tools and systems. It may seem a daunting step in a complex direction, but by leveraging tools already in place and by integrating security systems and methodologies that align with the zero-trust model, organisations can embed comprehensive and holistic security into the business.

For more information contact Ozone IT Distribution, +27 10 591 5588, [email protected], www.ozone.co.za

[1] The NIST Special Publication 800-207: Zero Trust Architecture is downloadable from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf or via the short link: www.securitysa.com/*nistzero




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Continuous security optimisation.
News & Events Information Security
Cymulate has announced its partnership with SentinelOne, a threat exposure validation and AI-powered cybersecurity platform. The collaboration delivers self-healing endpoint security that empowers businesses to increase protection for every endpoint on their network.

Read more...
Protect your smart home devices
Kaspersky IoT & Automation Information Security Smart Home Automation
Voice assistants, kitchen robots, smart lights and many other intelligent devices have become part of our everyday life. However, with the rise of smart technology comes the need for robust protection against potential vulnerabilities.

Read more...
ISPA’s take-down process protects from local scams
News & Events Information Security
During the recent school holidays, parents could rest a little easier knowing that ISPA, SA’s official internet industry representative body, is removing an average of three to four problematic websites from the local internet every week.

Read more...
The power of PKI and private sector innovation
Access Control & Identity Management News & Events Government and Parastatal (Industry)
At the recent ID4Africa 2025 Summit in Addis Ababa, the spotlight was firmly on building secure, inclusive, and scalable digital identity ecosystems for the African continent.

Read more...
Biometric security key for phishing-resistant MFA
Products & Solutions Access Control & Identity Management
New FIDO-compliant USB, Bluetooth, and NFC BioKeys with biometric login and centralised management for phishing-resistant, passwordless multifactor authentication (MFA) for enterprise users.

Read more...
SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...
Almost 50% of companies choose to pay the ransom
News & Events Information Security
This year’s Sophos State of Ransomware 2025 report found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Read more...
Gallagher Security releases OneLink
Gallagher Animal Management Products & Solutions Access Control & Identity Management
Gallagher Security has announced OneLink, a cloud-based solution that makes it faster, easier and more cost-effective to deploy security anywhere in the world, transforming how security can be delivered to remote sites and distributed infrastructure.

Read more...
Suprema unveils BioStar Air
Suprema neaMetrics News & Events Access Control & Identity Management Infrastructure
Suprema launches BioStar Air, the first cloud-based access control platform designed to natively support biometric authentication and feature true zero-on-premise architecture. BioStar Air simplifies deployment and scales effortlessly to secure SMBs, multi-branch companies, and mixed-use buildings.

Read more...
Continuous AML risk monitoring
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
AU10TIX, launched continuous risk monitoring as part of its advanced anti-money laundering (AML) solution, empowering businesses to detect behavioural anomalies and emerging threats as they arise.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.