Everyone is talking about the Zero Trust model as an IT security concept. But what does it mean in detail? And can small and medium-sized enterprises realistically implement it? We provide an initial overview and our assessment.
What exactly does “Zero Trust” stand for?
The idea of the “Zero Trust Model” is not to trust any device, application or user identity in a network, but to check them at all times. The goal is to ensure that only legitimate devices, applications and users have access – but not hackers.
Why the Zero Trust model is becoming more common
For a long time, the predominant IT security model was one that can be described as the “moat concept”. In this model, a company is strongly secured against external access, just like a castle. This includes firewalls, virus scanners and the like. On the inside, on the other hand, much weaker security precautions are taken. Access from here is comparatively easy because it tends to be regarded as legitimate.
As a result, hackers can cause great damage once they have overcome the metaphorical moat and move around the corporate network. They often succeed in doing this, for example, through phishing attacks, social engineering or security vulnerabilities in programs. Cloud applications and the further spread of remote work pose additional challenges for the “moat concept” – because where exactly should the moat be drawn in each case?
With the Zero Trust concept, on the other hand, it is not as important to assess where a person, device or application is located to know whether access is legitimate or not. What is important is authentication: verifying that the person, device or application is really who or what it claims to be. In principle, the Zero Trust model is therefore better suited to the current realities of everyday digital business.
Not only for protection, but also for damage limitation
First and foremost, the Zero Trust model requires authentication of all access. But it goes beyond that, because it is based on the experience that cyberattacks often occur from within a company, for example when hackers have penetrated the company network through a phishing attack. Therefore, the Zero Trust model also includes elements that help detect such attacks and limit their damage.
Important components of the Zero Trust model
Authentication of all applications, devices and users
Encrypted transmission and storage of data
Allocation of access rights according to the principle of the lowest possible permissions
Analysis and documentation of all data traffic
Segmentation of the corporate network into isolated areas
Is Zero Trust feasible for SMEs?
There is no question that full implementation of the Zero Trust model requires effort. For example, it is first necessary to identify which applications, devices and users exist, which are legitimate and how they are to authenticate themselves securely in the future. Encryption must be set up, procedures established, and these procedures must then become the norm. Access rights must be reviewed, thoughtfully assigned, and adjusted as necessary to enable smooth operations. Analysis options must be created and used.
But this path can be taken step by step. In many companies, individual components of the Zero Trust model are already part of everyday life. These can be built upon. Alternatively, you can start by considering which measures are easiest to implement and offer the greatest security gains. If necessary, cybersecurity companies such as Perseus will be happy to advise you.
Attention: Perhaps the biggest stumbling block with Zero Trust
For us humans, the term “trust” is very emotionally charged. Trust is a high value. If we are given trust, we often perceive it as an honor. If, on the other hand, trust is withdrawn or mistrust is shown, this is highly unpleasant. If employees of a company misunderstand the term Zero Trust and take it to refer to themselves, they can understandably perceive it as an affront. But without their active support, the Zero Trust model is not feasible.
Therefore, when implementing the Zero Trust model, it is extremely important to make its goal clear to everyone in the company right from the start: Zero Trust is not about distrusting people. It’s about ensuring that only the trusted people gain access to a system, application, device, etc. – not hackers posing as them.
In this time of stolen or hacked login information, corporate network intruders, and sophisticated fraud attempts, this is unfortunately a sensible measure. If everyone in your company understands this and goes along with it, you’ve removed a common stumbling block to the Zero Trust model.
Our tip: Is the difference between authentication and authorization not quite clear to you? This article can help you and clear up misunderstandings.