What is zero-trust security?

Published on 26/11/2020 in Tech, tips & tricks

IT security has long been focused solely on keeping ‘bad guys’ out. Zero-trust reverses the rationale. The starting point is that nothing can be trusted. Instead of prohibiting what is not allowed, zero-trust focuses only on what is allowed.

What is zero-trust security?

Conventional IT security has always assumed that everything is in principle OK. Security has focused on blocking malicious traffic. Zero-trust security reverses that logic. Everything is suspicious by definition: all network traffic, all data streams, all communication, and so forth. This includes not only what comes from outside the network perimeter, but also all internal traffic. With zero-trust security, therefore, everything is prohibited except what is explicitly allowed.

“In addition, security is developed starting from the user,” says Christophe Crous, Head of Security, Service Intelligence & Smart Networking at Proximus. “That can be an internal employee, but also a customer, supplier or partner.”

In zero-trust security, everything starts with segmentation. That is the splitting of the IT network into virtual parts. The traffic between these parts or segments is controlled with the aid of a firewall. “The user can only move within such a microsegment of the IT environment of a company. From there, he has access only to the applications for which he gets user rights.”

In zero-trust security everything is prohibited except the data traffic that is explicitly allowed.

Christophe Crous, Head of Security, Service Intelligence & Smart Networking at Proximus


Software-defined

The logic behind zero-trust security is not really new. The principle is comparable to that of the blacklists and whitelists that companies sometimes use to streamline the surfing behavior of employees. A blacklist enumerates the domains that are forbidden territory; a whitelist specifies what is allowed. “Previously the application of zero-trust security wasn’t realistic,” explains Christophe Crous. “Microsegmentation wasn’t feasible.”

At the time, an IT environment was static. Once it was set up, there was no intention of constantly making changes to it. Now that IT management is more and more software-defined, much more is possible. “In other words, today the technology allows the entire IT environment to be configured very quickly, cost-efficiently and automatically. That makes microsegmentation as a function of every user feasible.”
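The default-deny rule and the blacklist/whitelist contrast described above, as an added example that is not part of the original article: a small Python comparison of a conventional "block known-bad" check and a zero-trust allowlist check over the same constructed flows. All users, segment names and applications are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    user: str
    src_segment: str
    dst_segment: str
    app: str

# Constructed sample data; every name here is hypothetical.
USER_SEGMENT = {"alice": "seg-finance", "bob": "seg-sales", "partner1": "seg-partner"}
# Allowlist: (user, destination segment, application) explicitly permitted.
ALLOW = {
    ("alice", "seg-finance", "erp"),
    ("bob", "seg-sales", "crm"),
    ("partner1", "seg-partner", "order-portal"),
}
# Blocklist for the conventional model: known-bad sources only.
BLOCKED_SOURCES = {"internet-bad"}

def perimeter_decision(flow):
    """Conventional model: allow unless the source is known bad."""
    return "deny" if flow.src_segment in BLOCKED_SOURCES else "allow"

def zero_trust_decision(flow):
    """Zero-trust model: deny unless the flow is explicitly allowed."""
    # The user must originate from the microsegment assigned to them.
    if USER_SEGMENT.get(flow.user) != flow.src_segment:
        return "deny"
    if (flow.user, flow.dst_segment, flow.app) in ALLOW:
        return "allow"
    return "deny"  # default: anything not listed is prohibited

FLOWS = [
    Flow("alice", "seg-finance", "seg-finance", "erp"),   # legitimate use
    Flow("bob", "seg-sales", "seg-finance", "erp"),       # internal, cross-segment
    Flow("bob", "seg-finance", "seg-sales", "crm"),       # right app, wrong segment
    Flow("unknown", "internet-bad", "seg-sales", "crm"),  # known-bad external
    Flow("partner1", "seg-partner", "seg-partner", "order-portal"),
]

def compare(flows):
    """Return (user, dst_segment, app, perimeter, zero_trust) per flow."""
    return [(f.user, f.dst_segment, f.app,
             perimeter_decision(f), zero_trust_decision(f)) for f in flows]

if __name__ == "__main__":
    for row in compare(FLOWS):
        print(row)
```

The two internal flows from bob are the ones where the models disagree: the blocklist lets them through because the source is not known bad, while the allowlist denies them because nothing permits them.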


Insider threats

And that is fortunate. The need for security has greatly changed recently, because the nature of the hazards is constantly evolving as well. “Seven out of ten incidents don’t come from outside, but arise within the company, so-called insider threats,” says Christophe Crous. “Often that happens inadvertently, by the way, because someone clicks on a bad link in good faith.” Besides, an infection – with ransomware for example – often stays under the radar quite a while.

At first, malware often lies low for a while, thoroughly mapping out its victim’s environment. Only then does it shut down the activities of the company affected. “And that can happen to anyone,” says Christophe Crous. “Any organization is a possible target. In recent years we’ve seen incidents at hospitals, factories, hotels, etc. No sector is immune.”

Everyone is a target

Small businesses still assume too often that they are not an interesting target for cybercriminals. “They’re mistaken,” says Christophe Crous. “Ransom can be extracted from an SME or a local government too.” That became clear from the Proximus Cybersecurity Survey. The simple application of a few principles of zero-trust security can quickly make a big difference for those small organizations.

Consider two-step authentication or two-factor authentication, for example, in which the user must give an extra confirmation that he receives via a second device, for example by SMS. “Many applications provide that extra security by default. You only need to turn on that option to boost the security level, without it costing any money.”

Well-thought-out security policy

Comprehensive application of zero-trust security demands more than that, of course. “It’s important to first draw up a status report,” says Christophe Crous. “From that you can deduce the greatest and most urgent needs, and connect them to specific actions such as regularly evaluating and adjusting the security policy, ensuring that software and hardware get the right updates promptly, and so forth.”

That demands due discipline from the IT department. The user himself should not in principle experience any hindrance from zero-trust security. “He only notices it when he wants to do something that’s not allowed, like snooping in a SharePoint folder where he actually has no business,” Christophe Crous concludes. “The example indicates right away what the big challenge in zero-trust security is. You have to think very carefully about who can or cannot do something, anything even.”

Christophe Crous is an industrial electronics engineer. He started his career at the former Telindus. Since the beginning of 2015 he has been Head of Security, Service Intelligence & Smart Networking at Proximus.

