The UK’s National Cyber Security Centre (NCSC) has recently released Zero Trust Architecture guidance to help organisations secure their systems, data and networks. As services continue to move to the cloud and flexible and remote working increases, it is more important than ever to establish these principles within your organisation.
Zero trust principles essentially remove unfettered access to various segments of a network, authorising each attempt to connect or log in. Instead of being trusted by default, the network is automatically assumed to be hostile or compromised, and access is only granted when the identity of the party requesting it is fully confirmed. Zero trust architecture is therefore predicated on strong identity and authorisation management, ensuring that only the people who have legitimate reasons to access a network segment or process are allowed in.
This is key for a few reasons, including the inevitable complications of remote working. For example, if a cybercriminal gains access to an organisation’s network that is not protected with zero trust principles, the attacker can easily gain access to a myriad of systems and data, moving laterally throughout the organisation. However, in a system that follows the NCSC’s Zero Trust Architecture, even if a hacker has gained access to one part of the network, if they cannot be authorised to enter other segments, they will not be able to access and exploit those sections.
The NCSC has set out eight key principles:
- Know your architecture, including users, devices, services and data
- Know your User, Service and Device identities
- Assess your user behaviour, device and service health
- Use policies to authorise requests
- Authenticate and authorise everywhere
- Focus your monitoring on users, devices and services
- Don’t trust any network, including your own
- Choose services designed for zero trust
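As an added illustration (not part of the NCSC guidance or the original article), the Python example below makes a per-request policy decision of the kind the principles and the lateral-movement scenario above describe: identity, device health and a per-service policy decide access, while the source network is recorded but never trusted. The policy table, role and service names, and the `authorise` function are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy table (assumption): roles allowed per service and
# whether the service requires a device that passed its health check.
POLICIES = {
    "payroll-db": {"roles": {"finance"}, "require_healthy_device": True},
    "wiki": {"roles": {"finance", "engineering"}, "require_healthy_device": False},
}

@dataclass(frozen=True)
class Request:
    user: Optional[str]
    roles: frozenset
    authenticated: bool       # strong authentication completed for this request
    device_id: Optional[str]  # None means the device is not in the inventory
    device_healthy: bool
    service: str
    source_network: str       # logged for monitoring, never used to grant access

def authorise(req: Request):
    """Return (allowed, reason). Default deny; network location is ignored."""
    policy = POLICIES.get(req.service)
    if policy is None:
        return False, "unknown service"
    if not req.authenticated or req.user is None:
        return False, "identity not confirmed"
    if req.device_id is None:
        return False, "unknown device"
    if policy["require_healthy_device"] and not req.device_healthy:
        return False, "device health check failed"
    if not (req.roles & policy["roles"]):
        return False, "role not permitted for this service"
    return True, "allowed"

# Constructed requests: being on the internal network grants nothing by itself.
SAMPLES = [
    Request("alice", frozenset({"finance"}), True, "lap-01", True, "payroll-db", "home-wifi"),
    Request("bob", frozenset({"engineering"}), True, "lap-02", True, "payroll-db", "corp-lan"),
    Request("alice", frozenset({"finance"}), True, "lap-01", False, "payroll-db", "corp-lan"),
    Request(None, frozenset(), False, None, False, "wiki", "corp-lan"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.service, r.source_network, authorise(r))
```

The second sample mirrors the lateral-movement case: a valid, authenticated account on the internal network is still refused a service its role does not cover.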
Of course, changes like these can’t and won’t happen overnight, and any cybersecurity transition must be managed carefully to ensure no gaps appear while the transformation to zero trust architecture happens. However, by methodically applying zero trust principles to your networks and systems, you will strengthen your cybersecurity, granting your organisation greater cyber resilience than ever before.