USA president, Joe Biden, thinks that Zero Trust is the way to go in your cyber security journey, but, what is Zero Trust, and what does it mean for your business?
When it comes to your business, I’m sure you’ve got a strategy in place for how you’re going to win new business, market your services and manage your finances. However, do you have a strategy in place for your cyber security?
Firstly, What is a strategy? For us, a strategy is a plan implemented to achieve a certain goal. When we ask business owners what their cyber security strategy is, we get many different answers…
“We do Cyber Essentials.”
“We bought a new firewall.”
“We have lots of cyber security tools.”
None of these are real strategies. Cyber Essentials is a compliance checklist. Whilst the framework has some useful features, it is certainly not a strategy. Do you think any business that is Cyber Essentials certified ever got breached? Yep! Plenty.
Buying the newest, latest firewall, or the newest, latest antivirus, is not a strategy either, for obvious reasons. Many businesses just buy as many security tools as possible, or as many as their IT provider wants to sell them.
This is known as “defence in depth.”
These companies believe that the more tools they have, the more secure they are. However, if you do not plan your cyber security properly, this can be a waste of expense.
This is where Zero Trust steps up to the mark. Zero Trust is a concept developed by John Kindervag in 2010. To understand this strategy, we need to go back in time to how we used to design IT networks.
We used to design them in a similar style to castles and moats. The Castle symbolises your office, and the moat might symbolise your company’s firewall.
All your servers and computers were safe and sound in your office. All you needed to do was protect the office. The flaw is the assumption that went with it: if you’ve made it inside the castle, you must be trusted.
Well, this castle and moat style just doesn’t work anymore, and there are many reasons for this.
- People no longer work from just the office.
Many employees have the ability to work from wherever! It doesn’t matter if they’re working from home or remotely from anywhere in the world. You even have subcontractors and freelancers working for companies that are completely external to the business.
- People don’t just use the devices your business provides.
Your employees don’t just use their mobile phones for their personal lives. They’re able to access their email, Teams and work files through the Microsoft 365 applications on their mobile phones. They might even use their home laptops, which can very easily be lost or stolen!
- The influx of internet-enabled devices.
There are now toasters and heating that can be controlled from your smartphones. Everything these days connects to our networks.
- The cloud
Your data might be in applications on your own server, but your files and folders could be on Microsoft 365 cloud servers, meaning that your data is everywhere! It is no longer contained within your office/the castle!
Alongside all of this, cyber threats are getting more sophisticated: phishing attacks that steal your passwords are one example, and once an attacker has a valid password, the moat simply lets them inside your castle!
Zero Trust has just one goal in mind. To prevent breaches INSIDE of your business.
President Biden recently released an executive order, meaning all US government departments have to follow the zero trust framework.
So, how can YOU adopt it within your business?
Firstly, if you do a quick Google search for Zero Trust, you’ll get lots of variations of what Zero Trust actually is. It was designed around four design principles.
- Focus on Business Outcomes.
- Design your IT from the inside out.
- Who and what needs access?
- Log and monitor everything.
You need to understand how your business makes money. When it comes to technology, you must figure out what your company’s crown jewels are. Only after this has been established do we know what we need to protect. This might seem obvious, but it differs from a lot of strategies that other businesses implement. Many just go with the generic cyber security products without understanding what actually needs protecting.
Designing from the inside out means we must move away from the castle and moat design. Instead, we need to protect every user on any device, wherever they are.
Your business needs to restrict admin and full access. Employees should only have access to the things they need in order to do their jobs. This is a big one. We have seen random devices plugged into networks, people with local admin who don’t need it, and people with global admin over their Microsoft 365 tenant… The list goes on. This can result in huge security breaches, malicious or accidental.
So, you’ve planned everything, you know what your crown jewels are, you know what protection you need and you’ve got a good network design. Everybody and everything should have just the right access they need to do their job.
You can’t stop there!
You have to monitor everything to ensure that nothing has been breached. Is anyone in your Microsoft 365 tenant who shouldn’t be? Are documents being downloaded onto unmanaged devices? Logging and monitoring is a key component of the Zero Trust framework.
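The checks described in the two paragraphs above (accounts in the tenant that shouldn’t be there, documents downloaded to unmanaged devices, and global admin granted to someone outside the approved list) written as a small detection script. This is an added example, not code from the original post; the log format and the approved-user lists are constructed and deliberately simplified, not the real Microsoft 365 audit log schema.

```python
import json

# Constructed sample audit events in a simplified JSON-lines format.
# Field names are assumptions for this example, not the real
# Microsoft 365 Unified Audit Log schema.
SAMPLE_LOG = """\
{"user": "alice@example.com", "op": "FileDownloaded", "device_managed": true, "file": "Q3-forecast.xlsx"}
{"user": "bob@example.com", "op": "FileDownloaded", "device_managed": false, "file": "payroll.xlsx"}
{"user": "contractor@external.test", "op": "UserLoggedIn", "device_managed": false}
{"user": "carol@example.com", "op": "RoleAdded", "role": "Global Administrator", "device_managed": true}
"""

# Constructed allow-lists: who is expected in the tenant, and who is
# allowed to hold the Global Administrator role (least privilege).
APPROVED_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}
APPROVED_GLOBAL_ADMINS = {"alice@example.com"}


def parse_log(text):
    """Parse JSON-lines audit text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_event(event, approved_users=APPROVED_USERS, approved_admins=APPROVED_GLOBAL_ADMINS):
    """Return a list of finding strings for one event (empty if nothing to flag)."""
    findings = []
    user = event["user"]
    # Principle 3: who needs access? Anyone not on the approved list is a finding.
    if user not in approved_users:
        findings.append(f"unexpected account in tenant: {user}")
    # Principle 4: monitor downloads; a download to an unmanaged device is a finding.
    if event["op"] == "FileDownloaded" and not event.get("device_managed", False):
        findings.append(f"download to unmanaged device: {user} -> {event.get('file')}")
    # Least privilege: Global Administrator granted outside the approved admins.
    if event["op"] == "RoleAdded" and event.get("role") == "Global Administrator" \
            and user not in approved_admins:
        findings.append(f"global admin granted outside approved list: {user}")
    return findings


def review(log_text):
    """Run every check over every event and return all findings in log order."""
    return [f for event in parse_log(log_text) for f in check_event(event)]


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```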
Now you know the four design principles of Zero Trust. Many huge tech companies are implementing this framework, and Microsoft has a lot of guides on how to implement Zero Trust using Microsoft 365. ThreatLocker has a zero-trust software solution to install on computers, and Keeper Security has been built using Zero Trust.
As you can tell, it’s a very effective way to protect your business. Let us know if you would like to learn more, or contact us for any IT support issues.