Zero Trust Strategy: Key Principles and Practical Implementation Methods

Cyber threats are an everyday occurrence now. According to NCSC figures, 50% of UK businesses reported a cyberattack in the last 12 months. The proportion is much higher for medium-sized and large businesses, at 70% and 74% respectively.

A recent example is the attack on NHS hospitals, whose consequences reached far beyond IT: it put patients' lives at risk, disrupted treatment and leaked sensitive personal data.

When attacks get sophisticated, it’s clear that traditional security measures won’t cut it anymore. Organisations need to think about new approaches and methodologies for safeguarding against cybercriminals and that’s where Zero Trust policies become relevant.


What is the Zero Trust principle?

According to the National Cyber Security Centre (NCSC), Zero Trust is a security approach where inherent trust in the network is removed.

A traditional IT security policy trusts everyone inside a network. The problem with this approach is once anyone gets access to a network, they can easily move around within the network causing damage. In the era of remote working, Bring Your Own Device (BYOD), and cloud-based services, this traditional policy is no longer sufficient to secure organisations.

Zero Trust operates on the principle of trusting nothing and no one by default. Whenever anyone wants to reach a resource, the request is authenticated and authorised on its own merits, regardless of whether it comes from inside or outside the corporate network. “Never trust, always verify” is the principle.

Practical recommendations for Zero Trust implementation

Recent Okta research found that in just two years, adoption of this security framework has more than doubled, and fewer than 10% of businesses have neither a Zero Trust initiative nor a plan to start one in the next 18 months.

With that in mind, let’s take a look at some of the practical ways you can implement Zero Trust in your business. While these components don’t represent the full scope of Zero Trust, they capture the most significant areas you can look at implementing.

1) Give least privilege access

A fundamental principle of Zero Trust is to give users the least privilege. This means users have access to only the things they need to perform their jobs and nothing more.

Why is this important? Human error is often cited as the most common cause of security incidents. If an attacker takes over a privileged account, such as an IT administrator's, they can move laterally across the network and cause far more damage than the initial compromise.

If access is tightly scoped, that lateral movement becomes much harder and the threat can be contained where it started. The fewer people with elevated access, the lower the chance of a mistake turning into a security vulnerability.

So implement role-based access control that limits access to applications and data to the minimum each role needs. This applies not just to your full-time employees but also to contractors and third-party vendors, which in turn improves your supply chain resilience.


2) Verify continuously

Make sure you always validate the user. Multi-Factor Authentication (MFA) is a good place to start for verifying identity. It's surprising how many companies still haven't implemented MFA. The Microsoft Digital Defense Report observed that 21% of customers who experienced ransomware didn't have MFA, or didn't mandate it for privileged accounts. This one step goes a long way towards making it harder for attackers to get into your systems with a stolen password alone.

However, validation shouldn't stop at identity. Check the other signals around a request too, such as the time of access, the location, the type and health of the device and the IP address, and flag or challenge anything that is out of place.

Restricting access by location is another easy way to bolster your security: users cannot reach your network from outside the home country unless they connect through the VPN. This cuts out a lot of the generic, opportunistic attacks businesses usually fall prey to. Treat it as noise reduction rather than a hard control, though: a determined attacker can rent an address in your home country just as easily as your staff can use the VPN, so geographic restrictions complement MFA and device checks rather than replace them.
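To make the "verify continuously" idea concrete, here is an added example (not code from the original post or from CloudClevr) of how a context-aware access decision can combine the signals just listed. It also folds in the per-role re-authentication interval the post suggests later (administrators daily, everyone else weekly). The home country, working hours, role names, intervals and the sample sign-ins are all assumptions constructed for the example.

```python
"""Context-aware access evaluation for a single sign-in.

Added example for this post; it is not CloudClevr's code or the logic of any
product. Home country, working hours, per-role re-authentication intervals and
the sample sign-ins are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HOME_COUNTRY = "GB"                 # assumption: a UK-based organisation
ALLOWED_HOURS = range(6, 22)        # assumption: 06:00-21:59 UTC is normal
# Assumed re-authentication intervals: administrators daily, everyone else weekly.
MAX_SESSION_AGE = {"admin": timedelta(hours=24), "user": timedelta(days=7)}


@dataclass
class SignIn:
    user: str
    role: str                    # "admin" or "user"
    mfa_satisfied: bool          # session already carries an MFA claim
    device_compliant: bool       # managed, encrypted, patched (from MDM)
    country: str                 # ISO 3166-1 alpha-2 from IP geolocation
    time: datetime               # when the request arrived (UTC)
    last_strong_auth: datetime   # last interactive MFA for this session


def evaluate(event: SignIn) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is "allow", "step_up" or "deny".

    Conditions the user cannot fix at the prompt (unmanaged device, access
    from abroad without the VPN) are denied. Contextual oddities (no MFA on
    the session, unusual hour, session older than the role allows) trigger a
    fresh MFA challenge instead of a block, so real users are inconvenienced
    rather than locked out while stolen passwords alone stop working.
    """
    reasons: list[str] = []
    if not event.device_compliant:
        reasons.append("device is not compliant")
    if event.country != HOME_COUNTRY:
        # VPN users egress from the home country, so they pass this check.
        reasons.append(f"sign-in from {event.country}; access from abroad requires the VPN")
    if reasons:
        return "deny", reasons

    if not event.mfa_satisfied:
        reasons.append("session has no MFA claim")
    if event.time.hour not in ALLOWED_HOURS:
        reasons.append(f"sign-in at {event.time:%H:%M} UTC is outside normal hours")
    session_age = event.time - event.last_strong_auth
    if session_age > MAX_SESSION_AGE[event.role]:
        reasons.append(f"{event.role} last authenticated {session_age} ago")
    return ("step_up" if reasons else "allow"), reasons


NOW = datetime(2024, 5, 14, 10, 0, tzinfo=timezone.utc)
NIGHT = datetime(2024, 5, 14, 3, 0, tzinfo=timezone.utc)

SAMPLE_SIGNINS = [  # constructed for the example
    SignIn("alice", "admin", True, True, "GB", NOW, NOW - timedelta(hours=2)),
    SignIn("bob", "user", True, True, "GB", NIGHT, NIGHT - timedelta(days=1)),
    SignIn("carol", "admin", True, True, "GB", NOW, NOW - timedelta(hours=30)),
    SignIn("dave", "user", True, True, "US", NOW, NOW - timedelta(hours=1)),
    SignIn("erin", "user", False, True, "GB", NOW, NOW - timedelta(days=1)),
    SignIn("frank", "user", True, False, "GB", NOW, NOW - timedelta(hours=1)),
]


def run_examples() -> dict[str, str]:
    """Evaluate the constructed sign-ins and return user -> decision."""
    return {s.user: evaluate(s)[0] for s in SAMPLE_SIGNINS}


if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        decision, reasons = evaluate(s)
        print(f"{s.user:6} {decision:8} {'; '.join(reasons)}")
```

The split between "deny" and "step_up" is the design point: a blanket block on every oddity is what drives the user frustration the post warns about, whereas a fresh MFA challenge keeps a legitimate night-shift worker productive while still defeating an attacker who only holds a password.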

3) Use network segmentation

In a Zero Trust approach, networks are segmented into small compartments. This is to limit the lateral movement in case of an attack and contain the blast radius. A simple aspect of implementing this in real life is segregating user and guest Wi-Fi.
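Segmentation only helps if the rules are actually enforced, so it is worth checking observed traffic against the intended policy. The following is an added example (not code from the original post or from CloudClevr) that maps flows to segments and reports anything the default-deny allow-list does not cover. The segment ranges, the allow-list and the flow records are assumptions constructed for illustration; in practice the flows would come from firewall or NetFlow logs.

```python
"""Checking observed network flows against a segmentation policy.

Added example for this post, not CloudClevr's code. The segment ranges, the
allow-list and the flow records are assumptions constructed for illustration;
in practice the flows would come from firewall or NetFlow logs.
"""
import ipaddress

# Assumed segments. Guest Wi-Fi is its own network, as the post recommends.
SEGMENTS = {
    "corp_users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
}

# Default deny: a flow is acceptable only if its (source segment, destination
# segment, port) triple is listed. Note there is no user->user entry, nothing
# from guest Wi-Fi to internal segments, and no server->internet egress.
ALLOWED = {
    ("corp_users", "servers", 443),
    ("corp_users", "internet", 443),
    ("corp_users", "internet", 80),
    ("guest_wifi", "internet", 443),
    ("guest_wifi", "internet", 80),
    ("servers", "servers", 3306),   # web tier to database tier
}


def segment_of(ip: str) -> str:
    """Map an address to its segment; public addresses are 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "unknown"


def check_flows(flows):
    """Return the flows that the policy does not allow, with their segments."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if (s, d, port) not in ALLOWED:
            violations.append((src, dst, port, s, d))
    return violations


SAMPLE_FLOWS = [  # constructed; 93.184.216.34 and 8.8.8.8 stand in for internet hosts
    ("10.10.4.20", "10.20.1.5", 443),       # user -> web server: allowed
    ("192.168.50.33", "8.8.8.8", 443),      # guest -> internet: allowed
    ("192.168.50.33", "10.20.1.5", 445),    # guest -> file share: blocked
    ("10.10.4.20", "10.10.4.21", 445),      # user -> user SMB: lateral movement
    ("10.20.1.5", "10.20.1.9", 3306),       # web -> database: allowed
    ("10.20.1.5", "93.184.216.34", 443),    # server -> internet: unexpected egress
]

if __name__ == "__main__":
    for src, dst, port, s, d in check_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {s} -> {d} port {port}: {src} -> {dst}")
```

Two of the three violations are the ones segmentation exists to catch: a guest device reaching an internal file share, and one workstation talking SMB to another, which is exactly how ransomware spreads once a single laptop is compromised.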

4) Assume breach

Another Zero Trust principle is to assume that a breach has already occurred in your business. Instead of focussing on how an attacker will get inside your perimeter, you assume they’re already inside and think about minimising the damage.

This is arguably the toughest one to implement because it requires a change in mindset on how you approach security. It requires constant vigilance, significant resource investment, and a proactive stance on security threats. 

5) Continuous monitoring and detection

No network is 100% unbreachable. Along with prevention tactics, Zero Trust asks you to monitor the network traffic continuously for any signs of suspicious activities.

There are various EDR and XDR tools on the market that monitor your endpoint devices, cloud infrastructure and network devices. They use machine learning and behavioural analytics to detect anomalies such as unusual process activity, sign-in patterns or data flows, and platforms that include email security apply the same kind of analysis to the wording and intent of messages to catch phishing.
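The simplest form of this monitoring is looking for patterns in your identity provider's sign-in logs, which is also what reveals the "thousands of login attempts from foreign countries" the post mentions later. Here is an added example (not code from the original post, from CloudClevr or from any product it names) that picks out password spraying, brute force against a single account, and the one finding that needs action immediately: a successful sign-in from a source that was spraying. The log format, thresholds and every record are assumptions constructed for illustration.

```python
"""Finding suspicious sign-in patterns in authentication logs.

Added example for this post; not CloudClevr's code or the detection logic of
any product it names. The log format, thresholds and every record below are
assumptions constructed for illustration (addresses come from the RFC 5737
documentation ranges, countries are made up).
"""
from collections import defaultdict

HOME_COUNTRY = "GB"        # assumption: a UK-based organisation
SPRAY_MIN_ACCOUNTS = 5     # one source failing against this many accounts
BRUTE_MIN_FAILURES = 10    # this many failures against a single account


def parse(line: str) -> dict:
    """Parse 'TIMESTAMP key=value key=value ...' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def analyse(lines):
    failed_accounts_by_ip = defaultdict(set)   # ip -> accounts it failed against
    failures_by_account = defaultdict(int)     # account -> failure count
    successes = []
    for ev in map(parse, lines):
        if ev["result"] == "fail":
            failed_accounts_by_ip[ev["ip"]].add(ev["user"])
            failures_by_account[ev["user"]] += 1
        else:
            successes.append(ev)

    # Password spraying: few attempts per account, many accounts, one source.
    spraying_ips = {ip for ip, users in failed_accounts_by_ip.items()
                    if len(users) >= SPRAY_MIN_ACCOUNTS}
    # Brute force: many failures piled onto one account (often a service account).
    brute_forced = {u for u, n in failures_by_account.items()
                    if n >= BRUTE_MIN_FAILURES}
    # Successful sign-ins from outside the home country are worth a look ...
    foreign_successes = [(e["user"], e["ip"], e["country"])
                         for e in successes if e["country"] != HOME_COUNTRY]
    # ... and a success from an IP that was spraying is the one to act on now.
    likely_compromised = [(e["user"], e["ip"]) for e in successes
                          if e["ip"] in spraying_ips]
    return {
        "spraying_ips": spraying_ips,
        "brute_forced_accounts": brute_forced,
        "foreign_successes": foreign_successes,
        "likely_compromised": likely_compromised,
    }


SAMPLE_LOG = (  # constructed records
    ["2024-05-14T09:01:12Z user=alice result=success ip=192.0.2.10 country=GB"]
    + [f"2024-05-14T02:1{i}:00Z user={u} result=fail ip=203.0.113.7 country=RU"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ["2024-05-14T02:17:30Z user=frank result=success ip=203.0.113.7 country=RU"]
    + [f"2024-05-14T03:{i:02d}:00Z user=svc-backup result=fail ip=198.51.100.4 country=NL"
       for i in range(12)]
)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note that a per-account lockout threshold alone would miss the spraying source entirely, since it fails only once against each account; counting distinct accounts per source IP is what exposes it, and correlating that set with later successes turns a noisy statistic into an incident.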

Is it possible to be 100% Zero Trust?

So Zero Trust sounds great in theory, but can you realistically build a 100% Zero Trust environment? Maybe not.

Achieving Zero Trust is a journey. It’s not a switch you can simply turn on. It involves significant time, cost and effort, and since every organisation’s cyber security posture is different, their paths to achieving Zero Trust will also differ. A one-size-fits-all approach doesn’t work here and achieving a mature Zero Trust strategy can take several years.

If an organisation's security posture is not that mature, it doesn't make sense to implement Zero Trust fully right from the beginning. For them, it's practical to start small, implement the elements of Zero Trust that matter most to the business and then scale gradually.

On the other hand, if your security posture is already mature, you may have some elements of Zero Trust principles embedded in your business, whether you realise it or not.

In an ideal world, users would embrace Zero Trust from the outset. In reality, it can hurt the user experience and slow down productivity if introduced the wrong way. Imagine users needing to authenticate every single time they open Outlook. Far more authentication prompts than they are used to can cause frustration and resistance.

So what’s the realistic solution? Instead of rolling out these policies universally, start with those who have elevated privileges and access the most sensitive areas of your network. 

For instance, administrators could authenticate daily, while others might only need to authenticate once every seven days. It’s essential to strike a balance between implementing Zero Trust and maintaining a smooth user experience. Adopt aspects of Zero Trust but make it practical. You’re still embracing Zero Trust, just a more realistic version of it.

Another point to remember is that Zero Trust is just one of a series of layers which together provide an organisation with resilience and improved cyber maturity.

For instance, a client recently fell for a social engineering scam in which the threat actors sent requests to change the client's bank account details. The staff member skipped the checks that might have revealed the request as fraudulent, such as contacting the bank to confirm the change of details was genuine.

As a result, a number of payments were then sent to the threat actors resulting in a significant financial loss. Here a strong culture of Zero Trust would have meant the employee would have made additional checks to ensure this request was genuine.

Along with the different approaches to Zero Trust, mindset change and culture shift are equally important to fully adopting this concept. 

A representative of the Zero Trust Strategy maturity model, ranging from traditional to optimal.
Image courtesy: Microsoft

Challenges of implementation

One main challenge of working towards Zero Trust is, of course, cost. You need skilled IT staff to guide you through this process, establish the right policies and procedures and a dedicated team to continuously monitor your services.

Another obstacle we have seen with our customers is the opposition from the board or leadership team. They question the value of this investment or don’t see a need for it. They think “a breach is never going to happen to us”. It’s never happened to someone they know so they think it’s not going to happen to them.

But it’s happening more and more every day. Every week we hear news of a cyber attack, so it’s important to raise awareness and change people’s mindset.

That happens only when you ‘show’ them the potential vulnerabilities. There are tools in the market that can detect suspicious login attempts to an organisation from various sources.

We’ve shown this to customers who had no idea thousands of login attempts were made from foreign countries. When you see it on screen, you understand the seriousness of the issue and realise that everyone is a potential target. For example, CloudClevr’s Clevr360 effectively identifies and flags suspicious user activities and potential threats demonstrating the severity of the issue on-screen.

Next steps

Our key takeaway from implementing Zero trust for our customers is the clear reduction in the total number of incidents and response times. When incidents do occur, they tend to be less severe, and the impact of breaches is significantly reduced.

If improving the cybersecurity posture of your organisation is a priority for you, we can help. Explore our managed security services offering and contact us to see how we can help you.
