Zero-Trust For All: A Practical Guide
"Zero trust begins with strong authentication to make sure people who are attempting to get to or use important resources are reliably identified. Next, a zero-trust approach checks to see if that person who has been identified has explicit permission every time they go to access or use a resource. This makes it far more difficult for hackers to break into cloud apps and move freely across the network."
The approach is effective: Microsoft's latest Zero Trust Adoption report revealed that 31 percent of organizations that were ahead with their zero-trust implementation were affected by the SolarWinds hackers, as compared with the 75 percent who hadn't yet fully implemented it.
"The core ideas for zero trust have been around for a while - the Jericho Forum argued against relying on the perimeter over 20 years ago; network access control required that devices attaching to a network had to pass scrutiny before getting access, privileged access management required individuals have positive identity validation before accessing sensitive processes or information," explained William Malik, vice president of infrastructure strategies at Trend Micro.
On the attack-surface front, Malik noted that if the gang used a zero-day or unpatched vulnerability to gain access, zero trust will box the attackers in.
From there, "I can build a Zero Trust Network Access connection that is as close to end-to-end as possible, and I can continuously assess the trust and postures so that if at any time the risk goes into a state beyond what I trust, the connection can be severed and access blocked. All the while, I'm assessing threat information and the posture of all of my company assets, including identities and things."
"The industry has been talking about zero trust for a decade now, but companies who have taken half-measures will need to get serious about what zero trust really means," he said.