In the 1990s
There was no concept of a Zero Trust Security Model because it was not needed: the only attack vector was physical access. The majority of computing devices were connected to local networks. LANs were considered secure for several reasons, above all because they sat behind a layer of physical security. Most of the connected devices were desktops with a network cable sticking out of their back panel.
You had to be physically authorized to sit in front of a company desktop. You always used services provided through your local network. Most importantly, you had to be vetted to have VPN access and “dial-in” from a remote location.
Back then, if you were listed in Active Directory, you were a trusted user of the network. Unauthorized access to credentials was a practical impossibility, short of an actual physical intrusion or a bad-faith insider injecting credentials into AD.
What about now?
Since those early beginnings, technology has progressed in incredible ways. We now enjoy wireless connections, we use our devices from anywhere, well outside the physical reach of the local network, and we connect to services that reside outside of our network.
Each of these advances has brought a new series of risks, and slowly but surely we patch and tweak our access rules to keep our compliance levels on par with legal requirements. These small changes address the main concerns but leave a host of new questions unanswered. It is time we addressed all of them with Zero Trust Security.
These days, the notion of a secure corporate perimeter fades into a grey area where physical, mobile, IoT, and transient devices interact with local networks, external services, and distributed environments. The notion of a safe, limited number of devices no longer applies in today’s corporate networks.
What is the Zero Trust Security Model?
The Zero Trust Security Model, also called Zero Trust Security Architecture or Perimeter-less Security, is the approach in which users AND devices are not trusted by default. We are all familiar with user authentication: the process by which a user confirms their identity as a trusted one. Active Directory and many other authentication services do user authentication well. Device authentication complements this process: it lets us know that “this user” on “this device”, whose integrity has not been breached, is authorized to access the available resources.
Even when already connected and previously verified on a network, devices must prove who they are and why they are connected. Being authenticated to a network no longer gives you access to all of its resources. Instead, you (both you as a user and your device) are authenticated whenever you try to access each resource, even if you had access to it in the past.
Continuous user and device authentication assures us that our resources remain protected. Anyone can follow the set of recommendations, tools, and settings necessary to become a Zero Trust Security Model-compliant enterprise.
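As an added illustration (not code from the original post or from BlueKatana), the per-request decision described above, contrasted with the 1990s model where directory membership alone granted access; the policy table, users, devices and resource names are constructed for the example:

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class User:
    user_id: str
    authenticated: bool          # outcome of the user authentication step
    groups: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool               # device identity is known to the enterprise
    integrity_ok: bool           # current posture / integrity check result


# Constructed policy: which groups may reach which resource (default deny).
POLICY = {
    "hr-portal": frozenset({"hr", "it-admins"}),
    "finance-db": frozenset({"finance"}),
}


def perimeter_allows(user: User) -> bool:
    """The 1990s model: a valid directory user is trusted for everything."""
    return user.authenticated


def zero_trust_allows(user: User, device: Device, resource: str, policy=POLICY):
    """Evaluate ONE request. Nothing is remembered from earlier grants, so a
    device whose posture changed is denied on its very next request."""
    if not user.authenticated:
        return False, "user not authenticated"
    if not device.enrolled:
        return False, "device not enrolled"
    if not device.integrity_ok:
        return False, "device integrity check failed"
    allowed_groups = policy.get(resource)
    if allowed_groups is None:
        return False, "unknown resource (default deny)"
    if not (user.groups & allowed_groups):
        return False, "user not entitled to resource"
    return True, "ok"


def walkthrough():
    """Constructed sequence: same user, same device, evaluated per request."""
    alice = User("alice", True, frozenset({"hr"}))
    laptop = Device("lt-001", enrolled=True, integrity_ok=True)
    laptop_later = replace(laptop, integrity_ok=False)   # posture degrades later
    requests = [(laptop, "hr-portal"), (laptop, "finance-db"), (laptop_later, "hr-portal")]
    return [(res, *zero_trust_allows(alice, dev, res)) for dev, res in requests]
```

The third request is refused even though the identical user and device were granted the same resource moments earlier, which is the behaviour the section above describes.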
Can The Zero Trust Security Model Be Used for Small and Mid-sized Businesses?
Yes! BlueKatana can help you with this transition. We can guide and mentor your infrastructure team throughout it. We can audit your environment and provide a gap report so you know what changes to make, and we provide services, guidance, and mentoring to assist your team through the transition.
Small and mid-sized businesses can have an easier transition to the Zero Trust Security Model because they often rely on distributed services built with a more modern and secure design. This is not to say that all modern services will support this model, and you still have to tread carefully when transitioning to it.
What if you don’t have an infrastructure team?
Contact us for help and guidance. Look into one of our packages providing CISO as a Service, CTO as a Service, or CIO as a Service. Each provides all the functions that a CISO, CTO, or CIO and their teams normally perform, at a fraction of the cost. We provide these functions on a time-fractioned basis: you choose the fraction of our team's services that you need.