Zero Trust: What if the Trojans had double checked the horse? (Guest blog by Vodafone)
Many customers have been asking us about Zero Trust, wanting to know what it is and how it works. To explain, let’s explore Ancient Greece and the city of Troy.
For those not familiar with the siege of Troy, the story goes that the Greeks waged a 10-year war on the city of Troy after Paris took Helen from her husband Menelaus, the king of Sparta.
When conventional siege tactics failed, the construction of a great wooden horse, the emblem of Troy, was ordered and presented as a gift to the Trojans as the Greeks seemingly withdrew.
Believing they had won the war, the Trojans wheeled the horse inside the city. As night fell, the Greek soldiers hiding inside crept out, opened the gates to their countrymen and sacked the city, ending the war once and for all.
Of course, those familiar with cybersecurity will know that a Trojan horse can also refer to a kind of malware. But the story also puts Zero Trust in context.
Historically, security operated like this: businesses would set up their network and, if you were in, you were considered ‘trusted’. If you were outside, it was challenging to access the data and information stored inside, but once in, you had access to everything.
Your business is Troy in this scenario. Our aim? To keep the Greeks out and that’s where Zero Trust can help.
Protecting the hybrid office
Times have changed and the world is now a digital one. Employees are accessing ‘the office’ from different locations and from a range of devices. This leaves traditional domain-based security exposed, especially when you consider the mix of private and public clouds and servers they are using, which leaves the door open for cyberattacks.
And cybercriminals made the most of the opportunity: last year in the UK, 39% of small businesses and 65% of medium-sized businesses identified breaches, which was significantly higher than the year before (46%).
Using a Zero Trust approach means you can support your people to work from anywhere, on any device, securely, while still protecting them and your business against threats.
What is Zero Trust?
Brought to the fore by then-Forrester analyst John Kindervag, Zero Trust is based on the old Russian proverb “never trust, always verify”.
For digital, we must understand that 100% secure is an impossible objective, and therefore manage our operations in a way that mitigates risk wherever possible.
Zero Trust means everything is considered suspicious until proven otherwise via authentication processes placed across a business’s IT portfolio. For example, one of your people usually uses their laptop in the office, but today they are out visiting a potential customer and need to access SharePoint off-site. With a Zero Trust policy, Multi-Factor Authentication (MFA) kicks in automatically, asking them to verify their identity and sign in securely, mitigating the risk of malicious domains and unauthorised sites.
Alongside device usage policies and the encouragement of regular cyber hygiene, there is still a responsibility on the employee, but with additional policies and the extra layers of security provided by MFA, they are supported in making the right choices.
So how can you implement it?
Thankfully, taking the steps to introduce a Zero Trust framework is straightforward.
- Know your data and assets
What devices are your people using? What software do they use? Talking to them and listening to what they use, what data they store where and what they need is vital, and allows you to identify weaknesses.
- Identify your users and partners
Once you have assessed your assets, it’s time to find out who uses them. A user directory allows businesses to uniquely identify each individual and device to assess whether they should be given access.
- Write the rules
Your people control whether they install the latest updates, know what a secure password looks like or remain knowledgeable about the plethora of risks out there. Help them and encourage an environment where they can be honest about what they use without recrimination.
When looking at partners and suppliers, you are also perfectly within your rights to audit your supply chain and understand their own security capabilities. Don’t be afraid to set the standards you expect.
- Put identity and access controls in place
It’s here where you can introduce Multi-Factor Authentication (MFA), adding a layer of security on top of passwords, such as biometrics or fingerprint recognition, to combat human error or credential abuse.
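To show how the four steps above fit together in practice, here is an added example (not code from Vodafone or from the original post) of a small policy decision point that evaluates the off-site SharePoint scenario described earlier. Every request is checked against explicit rules: an unknown identity or unmanaged device is denied even inside the office, high-sensitivity data always needs MFA, and a change of context (usually in the office, remote today) triggers step-up MFA. The rule set, field names and sample requests are all constructed for this illustration.

```python
"""Toy Zero Trust policy decision point (PDP).

Every access request is evaluated against explicit rules. Being "inside"
(in the office, on the corporate network) is never a grant on its own: the
identity, the device and the data sensitivity decide, and a change of
context triggers step-up MFA. All names and sample requests are constructed
for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"  # step-up: complete MFA, then the request is re-evaluated
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    in_directory: bool    # identity is known to the user directory (step 2)
    device_id: str
    device_managed: bool  # device is enrolled and compliant (step 1: know your assets)
    usual_location: str   # where this user normally works, e.g. "office"
    location: str         # where the request comes from now, e.g. "remote"
    mfa_verified: bool    # MFA already completed in this session
    resource: str
    sensitivity: str      # "low", "medium" or "high" (step 1: know your data)


def evaluate(req: AccessRequest) -> Tuple[Decision, str]:
    """Apply the rules in order; the first matching rule decides (step 3: write the rules)."""
    # Rule 1: an unknown identity is denied, wherever the request comes from.
    if not req.in_directory:
        return Decision.DENY, f"{req.user!r} is not in the directory"
    # Rule 2: an unmanaged device is denied, even inside the office.
    if not req.device_managed:
        return Decision.DENY, f"device {req.device_id!r} is not enrolled or compliant"
    # Rule 3: high-sensitivity data always needs MFA in this session.
    if req.sensitivity == "high" and not req.mfa_verified:
        return Decision.REQUIRE_MFA, f"{req.resource!r} holds high-sensitivity data"
    # Rule 4: a change of context (off-site today) needs MFA (step 4: identity controls).
    if req.location != req.usual_location and not req.mfa_verified:
        return (Decision.REQUIRE_MFA,
                f"{req.user!r} is at {req.location!r}, usually {req.usual_location!r}")
    # Rule 5: known user, compliant device, verified context: allow.
    return Decision.ALLOW, "identity and device verified for this context"


def evaluate_all(requests: List[AccessRequest]) -> List[Tuple[str, Decision, str]]:
    """Evaluate a batch and return (user, decision, reason) rows for the audit log."""
    return [(r.user, *evaluate(r)) for r in requests]


# Constructed sample requests, including the blog's off-site SharePoint scenario.
SAMPLE_REQUESTS = [
    # Usually in the office, remote today, no MFA yet -> step-up MFA.
    AccessRequest(user="alice", in_directory=True, device_id="laptop-01", device_managed=True,
                  usual_location="office", location="remote", mfa_verified=False,
                  resource="sharepoint", sensitivity="medium"),
    # Same request after MFA completed -> allowed.
    AccessRequest(user="alice", in_directory=True, device_id="laptop-01", device_managed=True,
                  usual_location="office", location="remote", mfa_verified=True,
                  resource="sharepoint", sensitivity="medium"),
    # Personal, unmanaged device plugged in at the office -> denied despite being "inside".
    AccessRequest(user="bob", in_directory=True, device_id="byod-77", device_managed=False,
                  usual_location="office", location="office", mfa_verified=False,
                  resource="intranet", sensitivity="low"),
    # Managed device, usual location, but high-sensitivity data -> step-up MFA.
    AccessRequest(user="carol", in_directory=True, device_id="laptop-09", device_managed=True,
                  usual_location="office", location="office", mfa_verified=False,
                  resource="payroll", sensitivity="high"),
    # Identity not in the directory -> denied regardless of device or location.
    AccessRequest(user="dave", in_directory=False, device_id="laptop-12", device_managed=True,
                  usual_location="office", location="office", mfa_verified=True,
                  resource="intranet", sensitivity="low"),
]

if __name__ == "__main__":
    for user, decision, reason in evaluate_all(SAMPLE_REQUESTS):
        print(f"{user:6} {decision.value:12} {reason}")
```

The ordering of the rules matters: deny rules run first so that no amount of MFA rescues an unknown identity or an unmanaged device, and the location field is only ever used as a signal for step-up, never as a reason to grant access on its own.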
Zero Trust is not about becoming suspicious of everyone, including your people. It’s about accepting that 100% secure is impossible, planning accordingly, and making it easier for your workforce to play their part.
If only the Trojans had taken the second step of authenticating whether that giant horse was indeed a gift, perhaps their downfall could have been avoided.
Learn more about Zero Trust and how we can help you with your cybersecurity.