Share this article on:
Lloyd Thomas from Jamf outlines three key principles for organisations employing zero trust IT security strategies.
The rate of change in modern business has never been more frenetic. Shifts in working patterns, disrupted supply chains, and evolving consumer demands are causing challenges across the board.
In response, businesses are seeking ways to improve efficiency and make better use of resources. A critical part of this process is equipping staff with the technologies and tools they need to work from any location using their choice of digital device.
While admirable, this goal is also causing challenges for IT teams. They must work to find ways to secure applications and data while also making these resources readily available to those who require it.
Achieving such secure access requires a rethink of traditional approaches to IT security. The strategy of securing centrally stored resources behind a firewall is no longer effective when staff are no longer in the office and the resources themselves could well be located in a third-party cloud.
The role of zero trust
Faced with these challenges, security teams are increasingly adopting a strategy of zero trust. While it’s not new – having first been discussed more than a decade ago – it’s firming up as an effective way to secure IT resources in a distributed world.
In essence, a zero-trust strategy involves turning away from having trusted internal networks and assuming that all network traffic is untrusted, both inside and outside a corporate perimeter. The approach can be summarised by a single statement: “Never trust, always verify.”
To achieve a strategy of zero trust, an organisation needs to follow three key principals. These are:
The impact on user experience
A strong zero trust strategy revolves around making people a focal point. Everyone interacting with IT resources must constantly prove their identity and the fact that they have permission to have the access they are seeking.
However, it’s important that these security restrictions do not come at the expense of an appealing and effective user experience. Indeed, organisations need to consider the user experience they are providing as much as they consider their security.
Such implications are vital when you consider how previously heightened security requirements often led to heavy burdens being placed on employees. Many suddenly found they had to deal with multiple new steps such as constantly needing to re-enter passwords or remember long access codes.
For this reason, it’s important that any security team implementing a zero-trust strategy spends time considering the user interface implications. Steps can then be taken to ensure strong security but also allow efficient access to resources.
Device authentication
As well as constantly verifying the people requesting access to IT resources, a security team must also have the ability to verify the devices being used. This verification needs to cover everything from PCs and smartphones to servers and cloud-based platforms.
When it comes to devices, the default position has to be “deny access” until that device’s validity has been confirmed. Checks also need to be carried out on an ongoing basis to ensure that a device has not become compromised or fallen into unauthorised hands.
A zero-trust future
It’s clear that, in a world of remote working and cloud-based resources, the old perimeter-based approach to security is no longer relevant. Security teams need to adopt a zero-trust strategy that will ensure all resources remain protected at all times, regardless of their location.
Lloyd Thomas is the senior security channel manager at Jamf.