With the advent of digitalization and the proliferation of threats, the concept of trust has become central to many debates in the field of cybersecurity.
Protection was previously focused at the perimeter level, which indeed constitutes the first line of defense: the most protected entry and exit point of a company's network. Hence the importance of having visibility and good control of the data traffic that passes through it.
However, once the perimeter barriers are breached, attackers turn to other techniques to locate sensitive information and steal it. So it is not only about guarding the borders but also about implementing additional internal protection measures, to prevent cybercriminals from circumventing the existing devices through sophisticated attacks.
Thus, perimeter protection, once recognized as the first shield to protect company information systems, becomes insufficient and imposes the need to strengthen logical access control based on usage and user behavior. To do this, certain questions must be asked in advance:
- Who accesses our information?
- From where do users access it?
- For what purpose?
- With which device?
The answers to these questions form the foundation of the Zero-trust model.
Invented by John Kindervag, an analyst at Forrester, in the context of his research, the Zero-trust concept is defined as a perimeter-less security model that adopts the "never trust, always verify" concept. Its objective is to apply security at the stage of information transmission while minimizing risks.
It is based on access control through parameters such as:
- Security of identification and authentication: relies on principles such as multi-factor authentication, which requires at least two distinct parameters for a user to prove their identity: something they know (login, password, etc.), something they have (smartphone, badge, card, token, etc.), and something they are (fingerprints, iris, face, etc.). For example, a temporary code generated by an Authenticator-type app can be required in addition to the password, or a security card can be combined with biometrics.
- Management of access authorization to resources: involves setting up rules that define access permissions through strict security policies based on need (the justification of access within the framework of the beneficiary's responsibilities) and least privilege (the minimal authorizations for the expressed need), as well as the security prerequisites for authorizing that access. Examples: access only from a company smartphone, from an up-to-date workstation running anti-malware software, or from a specific geographic area.
- Logging: involves implementing tools that record the elements associated with an identity, so as to analyze them and identify accesses from unusual locations or at times outside the usual connection hours. These concepts make it possible to understand new types of attacks and to act quickly in case of compromise: session theft, credential theft tied to a particular context, threats from 'infected' devices connected to the IS (computers, smartphones, etc.).
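The three parameters listed above (authentication strength, need-based authorization with device and location prerequisites, and logging reviewed for unusual access) can be illustrated with a small access-decision function and a log review routine. The code below is an added example, not part of the original article and not a product of any vendor it mentions; the resource policy, roles, factor categories, working hours and access events are all constructed sample values.

```python
"""
Added example: a minimal zero-trust access decision plus a review of
access logs. Every check must pass ("never trust, always verify").
All policies, users, devices and events below are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed policy: who has a need for each resource, and which
# prerequisites (MFA, managed device, location) the request must satisfy.
RESOURCE_POLICY = {
    "payroll-app": {"roles": {"hr"}, "require_mfa": True,
                    "require_managed_device": True, "allowed_countries": {"FR"}},
    "wiki": {"roles": {"hr", "engineering"}, "require_mfa": True,
             "require_managed_device": False, "allowed_countries": {"FR", "DE", "ES"}},
}

# Factor categories: something you know / have / are (assumed labels).
KNOW = {"password"}
HAVE = {"totp", "hardware_token", "badge"}
ARE = {"fingerprint", "face"}


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    factors: set          # authentication factors actually proven
    device_managed: bool  # enrolled company device
    device_patched: bool  # OS and software up to date
    antimalware_running: bool
    country: str
    when: datetime


def factor_categories(factors):
    """Number of distinct categories (know/have/are) among the proven factors."""
    return sum(1 for cat in (KNOW, HAVE, ARE) if factors & cat)


def decide(req):
    """Return (allowed, reasons). Access is denied unless every check passes."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, ["unknown resource"]
    reasons = []
    # 1. Identification and authentication: at least two factor categories.
    if policy["require_mfa"] and factor_categories(req.factors) < 2:
        reasons.append("mfa required: fewer than two factor categories")
    # 2. Authorization by need: the role must be entitled to the resource.
    if req.role not in policy["roles"]:
        reasons.append(f"role {req.role} has no need for {req.resource}")
    # 3. Prerequisites: device posture and geographic origin.
    if policy["require_managed_device"] and not req.device_managed:
        reasons.append("unmanaged device")
    if not (req.device_patched and req.antimalware_running):
        reasons.append("device not up to date or anti-malware not running")
    if req.country not in policy["allowed_countries"]:
        reasons.append(f"access from {req.country} not permitted")
    return (not reasons), reasons


@dataclass
class AccessEvent:
    user: str
    country: str
    when: datetime
    allowed: bool


def flag_unusual(events, usual_hours=range(8, 19)):
    """Review allowed events in time order and flag a country the user has not
    used before, or a connection outside usual hours (assumed 08:00-18:59)."""
    seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.when):
        if not ev.allowed:
            continue
        known = seen.setdefault(ev.user, set())
        if known and ev.country not in known:
            alerts.append((ev.user, f"new country {ev.country} at {ev.when:%Y-%m-%d %H:%M}"))
        known.add(ev.country)
        if ev.when.hour not in usual_hours:
            alerts.append((ev.user, f"outside usual hours at {ev.when:%Y-%m-%d %H:%M}"))
    return alerts


# Constructed sample requests and log events.
SAMPLE_REQUESTS = {
    "compliant": AccessRequest("alice", "hr", "payroll-app", {"password", "totp"},
                               True, True, True, "FR", datetime(2024, 3, 4, 9, 12)),
    "noncompliant": AccessRequest("bob", "engineering", "payroll-app", {"password"},
                                  False, True, True, "DE", datetime(2024, 3, 6, 3, 5)),
}
SAMPLE_EVENTS = [
    AccessEvent("alice", "FR", datetime(2024, 3, 4, 9, 12), True),
    AccessEvent("alice", "FR", datetime(2024, 3, 5, 10, 40), True),
    AccessEvent("alice", "DE", datetime(2024, 3, 6, 3, 5), True),   # new country, 03:05
    AccessEvent("bob", "FR", datetime(2024, 3, 6, 14, 0), False),   # denied, not baselined
]

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, decide(req))
    for user, reason in flag_unusual(SAMPLE_EVENTS):
        print("ALERT", user, reason)
```

The decision function accumulates every failed check rather than stopping at the first one, so the log records the full picture of why a request was refused; the review routine deliberately ignores denied events when building a user's baseline, so that a refused attempt from an unusual country does not become "usual" for later comparisons.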
Zero-trust in the Era of Remote Work
With the increase in remote workers and the phenomenon of hosting private applications in the cloud, the zero-trust model turns towards a cloud approach that extends the perimeter beyond the walls of the company.
It is necessary to think about implementing highly scalable security solutions that offer users secure access to applications, as opposed to the network, in order to effectively protect private applications and data against breaches or misuse. Examples include:
- Identity and access management
- Privileged access management solutions
- Strong authentication solutions
Most companies resort to a Zero-Trust model to benefit from total visibility and complete control over users and devices, which are increasingly accessing cloud applications and data services. These can be applications managed within the company's ecosystem but also unmanaged applications used by certain sectors and individuals of the company or hosted by third parties.
According to Netskope's 2020 Zero Trust Report, 53% of companies are convinced of their ability to implement the Zero-Trust approach in their secure access architecture, while 47% of IT security teams do not have the capacity to do so. This highlights the efforts that companies need to make to better secure access to their information assets. (Source: 2020 Zero Trust Report, Netskope)
Overall, the zero-trust principle represents an important foundation for data and application security within the company, although it should be noted that other blocks can be added to further strengthen security.