Zero trust architecture is fast becoming one of the hottest trends in the IT security world. But while it can bring a huge amount of value, it can also generate some downsides for your business. So is it time to embrace a ‘trust no one’ approach, or is an alternative framework best for your organisation?
With reports of cybercrime growing across Australia, businesses are increasingly looking for ways to enhance their online security, protect their networks, and minimise the risk of data loss. And one of the most talked-about approaches emerging today is the ‘zero trust’ framework. So what exactly is meant by ‘zero trust’, and is it really the magical solution to security that it appears to be?
Let’s take a closer look…
What is ‘zero trust’?
The standard way of operating, for most businesses at least, is to trust. Devices, users, identities, and so on, are typically verified once, and then trusted from that point on. If a network has been told that ‘this device is OK’, or ‘this user is OK’, they have free reign to access that network as desired.
The zero trust model spins that around. The default here is not to trust. This means that authentication is required for every new request, regardless of whether that device, that user, or that identity has already been verified. This approach has been developed as a way to reduce the risk of unauthorised access, and minimise the likelihood of businesses experiencing a security breach.
Zero trust: two sides to the story
Zero trust architecture is becoming more and more popular across Australia. It even forms a major part of the Government of South Australia’s ICT, Cyber Security, and Digital Government Strategy.
But before diving in head-first, it’s important to know that there are two sides to this story.
1. The concept of zero trust means that there should be no parts of your network that need to be locked down or heavily restricted. That’s because every user and device accessing those areas has been fully verified, every time. This supports the new need for flexible access in the workplace.
2. Zero trust frameworks are highly effective at keeping the wrong people out of your network, making it easier to reduce and manage risk in a cost-effective way. It’s a way of automating and simplifying a business’ approach to cyber, so we can reap the benefits without enhancing the risk.
1. Perhaps the biggest disadvantage of zero trust is that it can hinder workplace productivity. With a need for devices, users, and identities to be verified for each and every request, it can create slow and disjointed workflows. This can lead to wasted time, and frustrations for your employees.
2. Typically, businesses have just one perimeter to protect. With zero trust models, there are multiple perimeters. And each one has got to be properly managed and monitored. While large corporations often have the resources to handle this, it may be out of reach for smaller organisations.
What’s the best approach for you?
It’s reported that 90% of IT leaders are using – or are planning to use – a zero trust approach. And McKinsey lists zero trust architecture as a key element in its 2022 technology trends outlook report.
But is it right for you?
While the fundamental idea of zero trust – the concept of ‘never trust, always verify’ – makes a great deal of sense, the downsides of implementing such a framework can mean this isn’t right for everyone.
It may be possible to find a more suitable middle ground, identifying ways to enhance your IT security, boost resilience, and strengthen your ability to prevent attacks, or minimise their impact.
That’s what we’re here to help with. Get in touch with us to discuss your IT security options.