The Zero-Trust Philosophy in Cyber Security 

Gone are the days of firewalls and single-factor authentication methods. Due to the riskier cyber environment that we live in, business owners should develop stronger, more reliable security measures to protect their company data. Previously, our digital world had a “trust but verify” policy where individuals only had to pass a single checkpoint. Now we live in a zero-trust environment meaning security should always verify and never trust traffic.  According to software company Varonis, there are three principles companies should follow regarding zero-trust security:

1. Require secure and authenticated access to all resources: Authenticate and verify all attempts to access the network, assuming they are threats until proven otherwise.
2. Adopt a least-privilege model and enforce access control: Limit user access to only the access each needs to do their job, thereby limiting the scope of a potential breach.
3. Inspect and log all activities using data security analytics: Introduce proper individualized baselines per user account that will detect abnormal behaviors based on perimeter telemetry, data access, and user account behavior.

In other words, the zero-trust policy requires that users be authenticated, authorized, and continuously validated prior to them being granted access to your business’ data. Essentially, zero-trust helps streamline compliance by evaluating and tracking each login request. This process also helps report suspicious behavior and possible cyberthreats. Zero-trust allows organizations to show who has attempted to access their data and what information has been collected. This makes the process more favorable for auditors as the process provides more information into where the data flows and how the system is secured. 

In order to assist you with implementing the zero-trust policy in your business, software company Mobilelron has created a 10-point security audit checklist that provides insight into the best practices you should follow when creating a data security and access control framework for your company.

1. Enforce device encryption and password protection.
2. Prevent business apps from sharing data with personal apps.
3. Automatically delete business data from compromised devices.
4. Tunnel business traffic without tunnelling personal traffic.
5. Stop unauthorized devices from accessing business cloud services.
6. Stop unauthorized apps from accessing business cloud services.
7. Detect and remediate zero-day exploits.
8. Provide rich security controls across a variety of different operating systems (e.g., Android, iOS, macOS, and Windows 10 now support unified, cross-platform security solutions).
9. Certify for device security (e.g., Common Criteria Protection Profile for Mobile Device Management).
10. Certify for cloud security (i.e., SOC 2 Type 2 and FedRAMP).

As you can see, there are many benefits to implementing zero trust in your organization as the process can help reduce security breaches and the misuse of your data. If you would like additional information on how you can better protect your company, I’d be happy to refer you to my IT professional for advice on systems to protect your company.  You can contact me at 310-534-5577 or [email protected].