Zero-trust security refers to the idea that you shouldn’t assume someone is trustworthy just because they’re inside your network. That’s why zero-trust is sometimes called perimeterless security: You continually authenticate and verify based on the situation.
Here are five things to know about zero-trust security.
- Zero-trust security has been around for a while. The term was coined by Stephen Paul Marsh in 1994, and it was later popularized by security analyst John Kindervag. Google was one of the first tech companies to try a form of zero-trust security in 2009.
- Zero-trust security requires your work culture to adapt. It used to be that everybody logged in, and then they could access whatever they wanted with a few broad level-based permissions. Zero-trust security restricts you by task — not type of access. It doesn’t have to be harder, but it will be different, causing more than a few employees to wonder why they have to keep proving who they are. Leadership should explain the benefits of zero-trust security and get peers on board.
- You’ll want to learn the “five Ws” of zero-trust security: What must be protected; from where are the access requests originating; who is doing the requesting; why are they requesting it; and when do they need the access.
- No, VPNs aren’t going to help. When some people think perimeterless, they think that means logging in remotely. That’s not quite it. A VPN is just another perimeter. If you’re inside the VPN and the bad folks are too, then the VPN won’t help you.
- You need to keep monitoring. No system is perfect, and malicious behavior will happen just like in old-fashioned perimetered security. Make sure you’re watching for security flaws. When you find security flaws, analyze the root cause and share your findings.
I have zero trust that you’ll immediately implement zero-trust security, but that’s the way it should be.
Subscribe to TechRepublic Top 5 on YouTube for all the latest tech advice for business pros from Tom Merritt.
Subscribe to the Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays