Mako101

Zero Trust security. A practical guide for the modern enterprise

If your first thought is “We’re safe. We’ve got a firewall”, then this guide is tailor-made for you. In all likelihood, your defence strategy is rooted in a concept that dates back two decades: the castle-and-moat network security model. In those days, we believed that whatever was inside an organisation could be considered trustworthy and secure. Since then, though, mobility, remote working, the Internet of Things (IoT) and bring your own device (BYOD) have all blurred the lines.

What is Zero Trust (really)?

Zero Trust isn’t a technology. It’s a security paradigm that rejects presumed trust both inside and outside an organisation.

A) The old model: castle and moat

·      ‘Trust, but verify’

·      Default trust

·      Extensive access after logging in

·      Perimeter protection

B) The new reality: Zero Trust

·      ‘Never trust. Always verify’

·      Provisional and conditional trust

·      Continuous verification of every action

·      Individual protection of every resource

The best example is the BeyondCorp project set up by Google following the Operation Aurora attacks in 2009. At the time, the company’s engineers recognised that their own internal network had to be treated like the public Internet. With no exceptions. And that’s Zero Trust in action.

Hard data instead of forecasts

·      Attackers don’t hack in. They log in.

According to data breach investigation reports published by Verizon, most data breaches result from compromised logins and passwords. Firewalls are helpless when an intruder uses stolen credentials.

·      Zero Trust = savings, not costs

Data from IBM tell us that organisations implementing this model reduce their post-breach losses.

·      Artificial intelligence at the service of hackers

Generative artificial intelligence (AI) makes it possible to set up phishing that’s almost indistinguishable from authentic communications. Only systems that, by definition, trust no one are capable of defending themselves effectively.

See our recent Mako101 post on phishing.

The four pillars of Zero Trust

1. Continuous, ruthless verification

Logging in once isn’t enough. Whatever the location, device or role, every login attempt must be analysed in real time.

Key technologies

·      Multi-factor authentication (MFA)

·      Passwordless logins (biometrics, passkeys)

·      User and entity behaviour analytics (UEBA)

2. Prevention

Never assume that a system is permanently secure. Assume that an attack has already happened and limit its impact by isolating resources.

Key technologies

·      Network micro-segmentation

·      Policies that restrict lateral movement

·      Dynamic access control

3. The principle of least privilege (PoLP)

Also known as the principle of minimum privilege (PoMP) and principle of least authority (PoLA). Rather than granting access ‘just in case’, only essential permissions are granted. And just for the bare minimum amount of time.

Key technologies

·      Identity and access management (IAM)/Identity governance and administration (IGA)

·      Privileged access management (PAM)

·      Just-in-time (JIT) access

4. Continuous visibility and analysis

Zero Trust assumes that a threat may already exist inside a system, making it essential to monitor every activity, from network traffic to user and device behaviours.

Key technologies

·      Security information and event management (SIEM), such as Splunk, Wazuh or Microsoft Sentinel. Real-time log aggregation and analysis

·      Endpoint detection and response (EDR)/Extended detection and response (XDR), such as CrowdStrike or Microsoft Defender XDR. Monitoring endpoints and incident response

·      Network detection and response (NDR), such as Darktrace or Vectra AI. Detecting suspicious network traffic

·      AI/machine learning (ML) for behavioural analysis. Detecting unusual patterns such as data exfiltration and lateral movement
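The two patterns named above, lateral movement and data exfiltration, are what a SIEM or NDR rule is actually looking for in the event stream. The following Python block is an example added to this article (it is not MakoLab’s code or any vendor’s detection content): it runs two simple rules over constructed authentication and network-flow events. The event field names, hostnames, thresholds and the per-host outbound baseline are all assumptions chosen for illustration.

```python
"""SIEM-style detections run over constructed sample events.

Added example for this article; it is not MakoLab's code or any vendor's
detection content. Event field names, hostnames, thresholds and baselines are
assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events (not real telemetry). The service account
# fans out from one workstation to four servers inside three minutes, which is
# the shape lateral movement usually takes in logs.
AUTH_EVENTS = [
    {"ts": "2025-08-18T09:00:05", "user": "svc-backup", "src": "ws-17", "dst": "fs-01", "outcome": "success"},
    {"ts": "2025-08-18T09:00:40", "user": "svc-backup", "src": "ws-17", "dst": "db-02", "outcome": "success"},
    {"ts": "2025-08-18T09:01:10", "user": "svc-backup", "src": "ws-17", "dst": "app-03", "outcome": "success"},
    {"ts": "2025-08-18T09:02:30", "user": "svc-backup", "src": "ws-17", "dst": "dc-01", "outcome": "success"},
    {"ts": "2025-08-18T09:05:00", "user": "a.nowak", "src": "ws-03", "dst": "fs-01", "outcome": "success"},
    {"ts": "2025-08-18T11:30:00", "user": "a.nowak", "src": "ws-03", "dst": "app-03", "outcome": "success"},
]

# Constructed outbound flow summaries (bytes per connection).
FLOW_EVENTS = [
    {"ts": "2025-08-18T09:03:00", "src": "ws-17", "dst": "203.0.113.7", "direction": "outbound", "bytes": 2_400_000_000},
    {"ts": "2025-08-18T09:10:00", "src": "ws-03", "dst": "203.0.113.9", "direction": "outbound", "bytes": 12_000_000},
]

# Assumed per-host daily outbound baseline, as a behavioural model would learn it.
OUTBOUND_BASELINE = {"ws-17": 50_000_000, "ws-03": 50_000_000}


def detect_lateral_movement(events, window=timedelta(minutes=5), min_hosts=3):
    """Alert once per (user, source host) that successfully authenticates to at
    least `min_hosts` distinct destinations within a sliding time window."""
    alerts = []
    recent = defaultdict(deque)  # (user, src) -> deque of (timestamp, dst)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "success":
            continue
        key = (ev["user"], ev["src"])
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[key]
        q.append((ts, ev["dst"]))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) >= min_hosts and key not in flagged:
            flagged.add(key)
            alerts.append({"rule": "lateral_movement_fanout", "user": ev["user"],
                           "src": ev["src"], "hosts": sorted(hosts), "at": ev["ts"]})
    return alerts


def detect_exfil_volume(flows, baseline, factor=10):
    """Alert on outbound flows larger than `factor` times the host's baseline."""
    alerts = []
    for flow in flows:
        base = baseline.get(flow["src"])
        if flow["direction"] == "outbound" and base and flow["bytes"] > factor * base:
            alerts.append({"rule": "exfil_volume_anomaly", "src": flow["src"],
                           "dst": flow["dst"], "bytes": flow["bytes"], "at": flow["ts"]})
    return alerts


def run_detections():
    """Run both rules over the sample data and return the combined alert list."""
    return detect_lateral_movement(AUTH_EVENTS) + detect_exfil_volume(FLOW_EVENTS, OUTBOUND_BASELINE)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Run as a script, it prints one fan-out alert for `svc-backup` (raised at the third distinct host, 09:01:10) and one volume alert for `ws-17`; the ordinary user `a.nowak`, who reaches two hosts hours apart, is not flagged. Both rules deliberately key on behaviour rather than on a known-bad signature, which is what the “continuous visibility” pillar depends on.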

Implementation  

Zero Trust is a process of transformation, not the purchase of a specific product. It encompasses five fundamental areas that should be analysed together.

·      Identity. Who is requesting access?

·      Device. What device is the request coming from?

·      Network. What does the communication and segmentation look like?

·      Applications/Workloads. How do we protect the environments the systems are operating in?

·      Data. Is it classified, encrypted and accessible only to the appropriate entities?
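The five areas above, together with the first three pillars (continuous verification, isolation by segment and least privilege with just-in-time access), come together in a single place in practice: the policy decision point that evaluates every request. The Python block below is an example added to this article, not MakoLab’s code or any vendor’s product. It shows a minimal decision point that checks identity, device, network segment, application entitlement and data classification on each request and denies by default; the attribute names, roles, segments, MFA freshness limits and the resource catalogue are all assumptions made for illustration.

```python
"""A minimal Zero Trust policy decision point (PDP).

Added example for this article; not MakoLab's code or any vendor's product.
The attribute names, roles, segments, MFA freshness limits and the resource
catalogue below are all assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Request:
    user: str
    roles: set              # identity: group/role membership
    mfa_verified: bool      # identity: strong authentication completed
    mfa_age: timedelta      # identity: time since that authentication
    device_managed: bool    # device: enrolled in management
    device_compliant: bool  # device: encryption, patch level, EDR present
    source_segment: str     # network: segment the request originates from
    app: str                # application / workload being accessed
    data_class: str         # data: "public", "internal" or "confidential"
    action: str


@dataclass
class JitGrant:
    user: str
    app: str
    expires: datetime       # just-in-time elevation, time-bounded by design


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


# Assumed resource catalogue: permitted segments and roles per application, and
# which actions count as privileged (needing an active JIT grant).
APP_POLICY = {
    "payroll": {"segments": {"corp-users", "vpn"}, "roles": {"hr", "finance"},
                "privileged_actions": {"export"}},
    "wiki": {"segments": {"corp-users", "vpn", "guest"},
             "roles": {"employee", "hr", "finance"}, "privileged_actions": set()},
}

# Assumed MFA freshness required per data class: the more sensitive the data,
# the more recently the user must have proven who they are.
MFA_MAX_AGE = {"public": timedelta(hours=24), "internal": timedelta(hours=8),
               "confidential": timedelta(minutes=15)}


def evaluate(req, jit_grants, now):
    """Evaluate one request. Every check is applied on every request (not only
    at login) and any failure denies: the default is deny."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return Decision(False, ["unknown application"])
    reasons = []
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    elif req.mfa_age > MFA_MAX_AGE[req.data_class]:
        reasons.append(f"MFA older than allowed for {req.data_class} data")
    if not req.device_managed:
        reasons.append("unmanaged device")
    elif req.data_class == "confidential" and not req.device_compliant:
        reasons.append("device not compliant")
    # The network segment is one signal among several; being on the corporate
    # network never substitutes for the identity and device checks above.
    if req.source_segment not in policy["segments"]:
        reasons.append(f"segment {req.source_segment} not permitted for {req.app}")
    if not req.roles & policy["roles"]:
        reasons.append("role not entitled")
    if req.action in policy["privileged_actions"] and not any(
            g.user == req.user and g.app == req.app and g.expires > now for g in jit_grants):
        reasons.append("privileged action without active JIT grant")
    return Decision(not reasons, reasons)


def demo():
    """Constructed scenarios showing how each signal can flip the decision."""
    now = datetime(2025, 8, 18, 9, 0, tzinfo=timezone.utc)
    grants = [JitGrant("a.nowak", "payroll", now + timedelta(minutes=30))]
    base = dict(user="a.nowak", roles={"hr"}, mfa_verified=True, mfa_age=timedelta(minutes=5),
                device_managed=True, device_compliant=True, source_segment="corp-users",
                app="payroll", data_class="confidential", action="export")
    return {
        "healthy_export": evaluate(Request(**base), grants, now),
        "stale_mfa": evaluate(Request(**{**base, "mfa_age": timedelta(hours=2)}), grants, now),
        "byod": evaluate(Request(**{**base, "device_managed": False}), grants, now),
        "grant_expired": evaluate(Request(**base), grants, now + timedelta(hours=1)),
        "guest_payroll": evaluate(Request(**{**base, "source_segment": "guest"}), grants, now),
        "guest_wiki_read": evaluate(Request(**{**base, "roles": {"employee"}, "source_segment": "guest",
                                              "app": "wiki", "data_class": "internal",
                                              "action": "read"}), grants, now),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision.allow else 'DENY'} {decision.reasons}")
```

The same request is allowed in the healthy case and denied as soon as any one signal degrades: a two-hour-old MFA against confidential data, an unmanaged device, an expired JIT grant or a request arriving from the guest segment. Note that the decision lists every failing reason rather than stopping at the first one, which makes the audit trail far more useful to the SIEM described in pillar 4.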


Decision time

The NIS2 Directive is more than simply the applicable law. It’s a signal of change showing that companies’ digital resilience is now an aspect of economic security.

You can continue to invest in new ‘walls’ for your now-defunct castle, but it would be far better to start building a protective structure that’s effective in the current digital reality.

Zero Trust isn’t a magical solution. It’s a change in mindset. It begins not with the purchase of tools, but with an audit, a risk assessment and the development of a strategy. MakoLab will help you to implement a ‘never trust, always verify’ approach before a cybercriminal leverages a gap in your organisation’s defences. Start with an audit, not with an incident.

18th August 2025
Author(s)

Anna Kaczkowska

Content Marketing Specialist

Responsible for planning, creating and managing content