Trust nothing, plan for everything

Access & Identity Management Handbook 2022 Access Control & Identity Management, Cyber Security

Zero trust is a strategic and intelligent approach to the growing cybersecurity threat. According to Statista, organisations are rapidly moving towards zero trust frameworks as they offer measurable benefits in terms of increased compliance, faster threat detection and improved protection of customer data, among others. The approach allows for organisations to take an holistic approach to security by removing the idea of trust and interrogating every touchpoint and interaction to ensure that systems and individuals are secure.


Henk Olivier.

There are many different approaches and ideas around how to implement and fully realise a zero-trust model, but they all boil down to the same principle – every user and employee isn’t only authenticated when they access data or systems, they are authenticated constantly. And their authentication process is then authenticated and verified using multiple authentication and verification methodologies. A chain of security that loops back and within the business to ensure that every identity and point of access is genuine and verified.

Another reason why zero trust has become so invaluable to the organisation is because of digital. Digital transformation has accelerated exponentially over the past two years, for obvious reasons and organisations have had to rapidly evolve their systems and security to keep up. Most companies adopted cloud technologies to ensure they could continue working with customers and employees that were now all working from home. The entire business model shifted on its axis as hundreds of people in the office using one network suddenly became hundreds of networks accessing the office. And this dynamic hasn’t changed even now as many companies are moving towards hybrid models of working.

Losing sleep

For security teams, this has been an ongoing concern. Most lay awake at night. Many still do. The rapid move to online and hybrid working models has opened vulnerabilities within systems that were not prepared. Many are still trying to find reliable and robust ways of ensuring that systems and data remain secure. The biggest challenge for most companies has been to have security and authentication – ensuring that every user on any device from any location is verified and authenticated – embedded at every touchpoint with the same standards.

However, data encryption is not easily accessible for many companies and many don’t ask that users connect to specific tools in order to get authenticated because they haven’t the budget or manpower to implement tools that monitor and manage user access. Often, companies have allowed their employees to work without authentication which introduces a significant risk when it comes to data transfer and data movement auditing. This is further complicated by the growing number of regulatory bills, worldwide, that hold companies responsible for a breach.

The Protection of Personal Information Act (PoPIA) has come into full force and joins other international acts such as General Data Protection Regulation in Europe (the benchmark of robust regulation, globally), the California Consumer Privacy Act (CCPA) and Brazil’s Lei Geral de Proteção de Dados (LGPD). Companies can no longer leave their security lying about on the ground for anyone to pick up and break. Now, they have to show a full track of data movement and data auditing and they have to report on all the data movements of the company. It’s critical to have policies and procedures in place, particularly for companies that are operating within hybrid frameworks.

The zero-trust model

Which is where zero trust comes in. The zero-trust model, based on NIST 800-207[1], includes three key principles. The first is continuous verification where the system is always verifying access, all the time across all resources. The second is to limit the blast radius by minimising the impact if a breach occurs; and the third is to automate context collection and response and to incorporate behavioural data for accurate insights and authentication processes.

Zero trust policies rely on real-time visibility into hundreds of user and application identity attributes. These include anything from user identities and types of credentials, to credential privileges per device and endpoint hardware types and functions. Zero trust systems also tick the boxes of: assessing behaviour patterns, geolocation, security or incident detections, application installations on the endpoints, protocol and risk authentication and operating system version and patch level monitoring.

The challenge for organisations is to find a way of embedding a zero-trust model within the chaos of applications and devices that has evolved over the past two years. In the past, companies could lock down devices on the hardware application level, but with software changing and different devices emerging, this is now only one part of the authentication and verification equation. Now, zero trust has to implicate and interrogate every point of authentication and verification throughout the user journey.

Considering that organisations are required to protect their infrastructure and deployment and embed multi-cloud, hybrid and multi-identity functions that include unmanaged devices and legacy systems as well as Software-as-a-Service applications, it’s clear why zero trust continues to gain traction. Security must address key threat use cases such as ransomware, supply chain attacks and insider threats. These continue to lead the way in successful hacks of privileged information and cause immense damage to organisations, reputationally and financially.

Organisations can implement a zero-trust approach incrementally, ensuring that risk is managed effectively within the resource capabilities of the security team and through the strategic implementation of security tools and systems. It may seem a daunting step in a complex direction, but by leveraging tools already in place and by integrating security systems and methodologies that align with the zero-trust model, organisations can embed comprehensive and holistic security into the business.

For more information contact Ozone IT Distribution, +27 10 591 5588, [email protected], www.ozone.co.za

[1] The NIST Special Publication 800-207: Zero Trust Architecture is downloadable from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf or via the short link: www.securitysa.com/*nistzero




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Enterprise threats in 2023
News Cyber Security
Large businesses and government structures should prepare for cybercriminals using media to blackmail organisations, reporting alleged data leaks, and purchasing initial access to previously compromised companies on the darknet.

Read more...
CA Southern Africa unmasks container security
Technews Publishing IT infrastructure Cyber Security
Adoption of software containers has risen dramatically as more organisations realise the benefits of this virtualised technology.

Read more...
Gallagher to showcase new Controller 7000 single door
Technews Publishing Access Control & Identity Management Products
Gallagher will be showcasing its latest access control innovation, the Controller 7000 Single Door on its stand at Intersec Dubai from 17-19 January 2023.

Read more...
Fast, reliable and secure cloud services
Technews Publishing Editor's Choice Cyber Security IT infrastructure
Security and speed are critical components of today’s cloud-based services infrastructure. Cloudflare offers a range of services supporting these goals beyond what most people think it does.

Read more...
Industrial control systems under attack
News Cyber Security
According to Kaspersky ICS CERT statistics, from January to September 2022, 38% of computers in the industrial control systems (ICS) environment in the META region were attacked using multiple means.

Read more...
Sasol ensures Zero Trust for SAP financials with bioLock
Technews Publishing Editor's Choice Cyber Security Security Services & Risk Management
Multi-factor authentication, including biometrics, for SAP Financials from realtime North America prevents financial compliance avoidance for Sasol.

Read more...
Smart parking management platform
Access Control & Identity Management Asset Management, EAS, RFID
Parket builds a seamless bridge between supply and the ever-increasing, but fluid – and often temporary – demand for parking bays.

Read more...
Visible-light facial recognition terminal
ZKTeco Access Control & Identity Management Products
The SpeedFace-V5L [P] is a visible-light facial recognition terminal using intelligently engineered facial recognition algorithms and the latest computer vision technology.

Read more...
Facial and palm verification
ZKTeco Access Control & Identity Management Products
The ProFace X [P] supports both facial and palm verification, with a large capacity and rapid recognition.

Read more...
Glide Master High Security 90° Sliding Gate
BoomGate Systems Access Control & Identity Management Products
Boomgate Systems was asked to make a sliding gate that can turn 90 degrees. The gate had to offer high security and be vandal-proof.

Read more...