January 4th, 2021 | Updated on January 5th, 2021
Going through life never trusting anyone would be exhausting. When it comes to cybersecurity, however, it might be the best way to organize things.
With data breaches an ever larger problem, Zero Trust architecture is a strategy that turns the traditional computer security model on its head. And, just possibly, for the good of all involved.
Rather than assuming by default that everything inside an organization's network is trustworthy, Zero Trust takes the view that it is always better to verify than to trust blindly: never trust, always verify.
This, in turn, helps avoid the scenario in which an attacker who has gained a foothold on one system can move laterally across the network without restriction and read or exfiltrate data.
Don’t Trust Anyone?
The term Zero Trust was coined by John Kindervag, then an analyst at Forrester Research, in 2010. Kindervag aimed to make security a baked-in, deeply infused element of any computer network, instead of a layer that is simply added on top.
Zero Trust architecture assumes the network is always hostile, with threats present both inside and outside it.
The focus is therefore on strong identification and access control: every user, device and network flow must be authenticated and authorized before access is granted, so that the right people reach the right data and nobody else does.
Role-based access control (RBAC), also referred to as role-based security, is an effective means of restricting system access within a Zero Trust approach. RBAC starts by working out which permissions and privileges each job function requires; those permissions are assigned to roles, and users are assigned roles, rather than being granted permissions individually.
This is particularly important in a world in which cloud-based applications and mobile, often remote, workforces make the traditional perimeter-based security models of yesteryear look outdated.
This will almost certainly mean that parts of the system are off-limits to each employee. Just as it would seem strange for a junior clerk in the accounts department to be rifling through the desk of the chief executive, RBAC follows the principle of least privilege: everyone gets just enough access to do their job, and no more. This stops people reaching areas of a system they have no business accessing.
Rethink Your Security Practices
For instance, an employee might be given access to one area, but only read access, so that they can look at the data but not modify or overwrite it.
Such access controls usually govern digital access to particular networks, files or data. The same approach can, however, be extended into the physical world, for instance by allowing or denying a user entry to particular buildings or rooms (the junior clerk and the chief executive's office again).
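To make the model concrete, here is an added example, not code from the article or from any product, of a deny-by-default RBAC check in Python. The role names, users, resources and the "resource:action" permission syntax are assumptions chosen for illustration. It shows read-only versus read-write access, the coarse wildcard grant a staged rollout would start with, a physical "enter" action on a building floor, and that unknown users or undefined roles fall through to deny.

```python
"""Deny-by-default RBAC policy check.

Added example for this article; it is not code from the author or from any
product. The role names, users, resources and the "resource:action"
permission syntax are assumptions chosen for illustration.
"""
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List, Set

# Each permission is "<resource pattern>:<action pattern>". A "*" is a
# coarse-grained grant of the kind an early rollout stage would start with;
# later stages replace it with narrower patterns.
ROLES: Dict[str, FrozenSet[str]] = {
    # Read-only: may look at anything under finance/, may not change it.
    "finance-reader": frozenset({"finance/*:read"}),
    # May read and update invoices, and nothing else.
    "finance-clerk": frozenset({"finance/invoices:read",
                                "finance/invoices:write"}),
    # Coarse grant: read anything, write only within the executive office.
    # The same model covers physical access (the "enter" action).
    "executive": frozenset({"*:read", "exec-office/*:write",
                            "building/exec-floor:enter"}),
}

# Users receive roles, never individual permissions.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"finance-clerk"},
    "bob": {"finance-reader"},
    "carol": {"executive"},
}


def undefined_roles(user_roles: Dict[str, Set[str]] = USER_ROLES,
                    roles: Dict[str, FrozenSet[str]] = ROLES) -> List[str]:
    """Roles assigned to a user but never defined. Catch these at load time:
    here they grant nothing, which is at least a safe failure."""
    return sorted({r for assigned in user_roles.values()
                   for r in assigned if r not in roles})


def _matches(perm: str, resource: str, action: str) -> bool:
    # Split on the last colon so resource names may themselves contain one.
    res_pat, act_pat = perm.rsplit(":", 1)
    return fnmatchcase(resource, res_pat) and fnmatchcase(action, act_pat)


def granting_roles(user: str, resource: str, action: str,
                   user_roles: Dict[str, Set[str]] = USER_ROLES,
                   roles: Dict[str, FrozenSet[str]] = ROLES) -> List[str]:
    """Which of the user's roles permit `action` on `resource`.
    Unknown users and undefined roles contribute nothing, so for them the
    answer is always the empty list."""
    return sorted(
        role for role in user_roles.get(user, set())
        if any(_matches(p, resource, action) for p in roles.get(role, ()))
    )


def is_allowed(user: str, resource: str, action: str,
               user_roles: Dict[str, Set[str]] = USER_ROLES,
               roles: Dict[str, FrozenSet[str]] = ROLES) -> bool:
    """Deny by default: allow only if some role explicitly grants the access."""
    return bool(granting_roles(user, resource, action, user_roles, roles))


if __name__ == "__main__":
    # Constructed access requests, including the chief executive's office.
    requests = [
        ("bob", "finance/invoices", "read"),
        ("bob", "finance/invoices", "write"),
        ("alice", "finance/invoices", "write"),
        ("alice", "exec-office/desk", "read"),
        ("carol", "exec-office/desk", "write"),
        ("carol", "building/exec-floor", "enter"),
        ("alice", "building/exec-floor", "enter"),
        ("mallory", "finance/invoices", "read"),
    ]
    for user, resource, action in requests:
        verdict = "ALLOW" if is_allowed(user, resource, action) else "DENY "
        print(f"{verdict} {user:8}{action:6}{resource:22}"
              f"via {granting_roles(user, resource, action) or '-'}")
```

`granting_roles` is worth keeping alongside `is_allowed`: an authorization decision you cannot explain is hard to audit, and the `undefined_roles` check is cheap to run every time the role definitions are deployed.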
Implementing this kind of access control may require rethinking the way you practise security. It can be complex to establish, especially across an entire large organization.
In some instances, implementing a role-based access control system might result in pushback internally or from other key stakeholders.
Concerns should be listened to carefully. But there’s no getting around the fact that RBAC can greatly improve security processes — and in some cases is entirely necessary in order to be in compliance with security regulations.
Bring In The Experts To Help
To successfully implement RBAC, organizations must be very clear about their own requirements as a business — whether this is addressing different job functions or meeting certain regulatory and audit rules that must be adhered to.
Alongside this is understanding the scope of the RBAC requirements, so that they can be designed and implemented in a way that matches how the organization actually works.
You must make sure that roles are clearly defined, and that you understand the level of access each role needs for the people holding it to do their job properly.
After this, you may want to bring in cybersecurity experts to implement the system effectively. To keep the process as smooth as possible from an organizational perspective, implementation should be done in stages to reduce disruption wherever possible.
A good idea is to begin with coarse-grained access control and increase granularity as you go. Introducing it to a subset of users first lets you gather feedback that helps as you roll out RBAC more broadly.
All About Identification
Along with RBAC, you may also want to implement other security-oriented measures as part of a Zero Trust approach, such as introducing multi-factor authentication (MFA) for employees who do not yet have it.
This adds an extra layer of assurance that a user is who they claim to be, particularly when they are not on your physical premises and are accessing systems from outside.
Many of the ways the workforce is changing (such as the possibilities offered by remote working) are exciting and extremely positive. However, all of these bring with them security risks.
It’s essential that companies don’t assume that what worked yesterday will also work tomorrow. The transition to new approaches like RBAC is one example of how rethinking security can help protect you, your customers, and your employees going forward.