Zero-trust security refers to the idea that you shouldn’t assume someone is trustworthy just because they’re inside your network. That’s why zero-trust is sometimes called perimeterless security: You continually authenticate and verify based on the situation.
Here are five things to know about zero-trust security.
- Zero-trust security has been around for a while. The term was coined by Stephen Paul Marsh in 1994, and it was later popularized by security analyst John Kindervag. Google was one of the first tech companies to try a form of zero-trust security in 2009.
- Zero-trust security requires your work culture to adapt. It used to be that everybody logged in, and then they could access whatever they wanted with a few broad level-based permissions. Zero-trust security restricts you by task — not type of access. It doesn’t have to be harder, but it will be different, causing more than a few employees to wonder why they have to keep proving who they are. Leadership should explain the benefits of zero-trust security and get peers on board.
- You’ll want to learn the “five Ws” of zero-trust security: What must be protected; from where are the access requests originating; who is doing the requesting; why are they requesting it; and when do they need the access.
- No, VPNs aren’t going to help. When some people think perimeterless, they think that means logging in remotely. That’s not quite it. A VPN is just another perimeter. If you’re inside the VPN and the bad folks are too, then the VPN won’t help you.
- You need to keep monitoring. No system is perfect, and malicious behavior will happen just like in old-fashioned perimetered security. Make sure you’re watching for security flaws. When you find security flaws, analyze the root cause and share your findings.
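To make the "five Ws" concrete, here is an added example (not from the original article) of a deny-by-default access decision that checks all five on every request and records each decision for monitoring. The grant table, the identities and the origin labels such as `corp-vpn` are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Request:
    who: str        # authenticated identity making the request
    what: str       # resource that must be protected
    where: str      # origin of the request
    why: str        # task that justifies the access
    when: datetime  # time the access is needed


# Constructed grants: each one covers a single task on a single resource,
# not a broad permission level.
GRANTS = [
    {"who": "alice", "what": "payroll-db", "why": "run-payroll",
     "where": {"managed-laptop", "corp-vpn"}, "hours": (time(8), time(18))},
]

AUDIT_LOG = []  # every decision is kept so it can be monitored and reviewed


def decide(req: Request) -> tuple[bool, str]:
    """Deny by default; allow only when all five Ws match one grant."""
    reason = "no grant for this identity, resource and task"
    for grant in GRANTS:
        if (grant["who"], grant["what"], grant["why"]) != (req.who, req.what, req.why):
            continue
        start, end = grant["hours"]
        if req.where not in grant["where"]:
            reason = "origin not permitted for this grant"
        elif not start <= req.when.time() < end:
            reason = "outside the permitted time window"
        else:
            reason = "all five Ws satisfied"
            break
    allowed = reason == "all five Ws satisfied"
    AUDIT_LOG.append({"request": req, "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    noon = datetime(2024, 1, 15, 12, 0)  # constructed sample time
    # Same VPN origin, different identities: the network alone grants nothing.
    print(decide(Request("alice", "payroll-db", "corp-vpn", "run-payroll", noon)))
    print(decide(Request("mallory", "payroll-db", "corp-vpn", "run-payroll", noon)))
```

The second request comes from the same VPN as the first and is still denied, which is the point of the VPN item above: being inside a perimeter is one input to the decision, never the decision itself.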
I have zero trust that you’ll immediately implement zero-trust security, but that’s the way it should be.
Subscribe to TechRepublic Top 5 on YouTube for all the latest tech advice for business pros from Tom Merritt.