A leading cyber expert has outlined three principles for SMEs employing zero trust IT security strategies.
13 April 2022
IT security teams are increasingly adopting a strategy of zero trust.
A zero trust strategy involves turning away from having trusted internal networks and assuming that all network traffic is untrusted, both inside and outside a corporate perimeter. The approach can be summarised by a single statement: “Never trust, always verify.”
“To achieve a strategy of zero trust, an organisation needs to follow three key principles,” Jamf Senior Security Channel Manager Lloyd Thomas said.
All IT resources must be accessed in a secure way, and from a secure machine, regardless of their physical location.
Access control needs to be applied on a “need-to-know” basis corresponding to a user’s identity and the resources that user is authorised to access.
Organisations must continually inspect work-related traffic to verify that connections remain secure and compliant with corporate policies.
Mr Thomas said a strong zero trust strategy revolves around making people a focal point.
Explore our cyber training and resources to defend against online threats to your business. Plans start from only $10/month.
“Everyone interacting with IT resources must constantly prove their identity and the fact that they have permission to have the access they are seeking.
“However, it’s important that these security restrictions do not come at the expense of an appealing and effective user experience. Indeed, organisations need to consider the user experience they are providing as much as they consider their security.
“Such implications are vital when you consider how previously heightened security requirements often led to heavy burdens being placed on employees. Many suddenly found they had to deal with multiple new steps such as constantly needing to re-enter passwords or remember long access codes.”
For this reason, Mr Thomas said it’s important that any security team implementing a zero trust strategy spends time considering the user interface implications. Steps can then be taken to ensure strong security but also allow efficient access to resources.
“As well as constantly verifying the people requesting access to IT resources, a security team must also have the ability to verify the devices being used. This verification needs to cover everything from PCs and smartphones to servers and cloud-based platforms,” he said.
“When it comes to devices, the default position has to be ‘deny access’ until that device’s validity has been confirmed. Checks also need to be carried out on an ongoing basis to ensure that a device has not become compromised or fallen into unauthorised hands.”
Train your staff to be the frontline of your defence against cyber attacks with plans starting from $10/month
Subscribe to our newsletter and receive the best business tips and articles straight to your inbox.
We take your privacy seriously and by subscribing to our newsletter you agree to the terms of our Privacy Policy available below.
