
Zero Trust explained

Restricted access, comprehensive network security

Published on 11 May 2023

How can IT networks remain secure in times of growing cyber threats and mobile working? The answer may well be: “Trust no one!” The Zero Trust concept limits access over time and restricts it to the smallest possible part of the network to prevent digital wildfires. Or, put more simply: “Zero Trust is a principle of least privilege.”

Digital connectivity: a gateway for cyber attacks 

A scenario that could easily occur in everyday industry: an external service provider performs routine IT-supported remote maintenance on a production machine. All too often, however, this service provider is connected not only to the affected device but to the entire corporate network. And this carries significant risk, especially if the maintenance company has lost control of its own infrastructure. Attacks through compromised service providers are not unusual.

Digitally connected companies and organisations have to deal with such scenarios every day. Critical processes in business and public administration are being digitalised, and more and more sensitive data is processed digitally. The number of cloud services being used is rising, as is the use of third-party software. In addition, many employees have become used to accessing company IT from home via a VPN connection, especially since the coronavirus pandemic. As networks and applications grow more complex, susceptibility to errors and attacks increases. This makes cyber attacks all the more lucrative, for (white-collar) criminals and state actors alike.

“The increasing complexity and criticality of networks have in recent years led to a rethink in network security.”

Steffen Ullrich

Zero Trust: The definition is not necessarily in the name 

The Zero Trust concept could offer a way out. But, as Steffen Ullrich explains, it is by no means about having no trust in anything at all. The IT security researcher at genua GmbH, a company of the Bundesdruckerei Group, prefers to describe it as avoiding blind trust and instead assigning limited access rights: “Put simply, Zero Trust means placing as little trust as possible in users, software or even devices that gain access externally and are not fully under your own control.” For Ullrich, granting what’s known as granular access rights forms the core of the Zero Trust definition.

“Relying on the security of the local network has not worked for quite some time,” says the expert. To limit the extent of damage in the event of a cyber attack, network components should be deliberately isolated in advance. Access permissions and the ability to communicate over the network are limited to what is strictly necessary. In remote maintenance, for example, the company allows the maintenance service provider to access only the specific system or selected applications. Permissions are granted only for the period required. The IT department must also continuously review the criteria for granting permissions.

Ullrich refers to this as the “principle of least privilege”. Tasks are assigned deliberately so that, in the event of an attack, the impact remains limited. Zero Trust does not eliminate risk altogether. Yet, given the multitude of cyber risks, proactively containing potential digital flashpoints seems more effective than striving for 100% security.

Authentication alone is no longer enough 

Authentication of users is crucial for Zero Trust. Before the cloud era and before the pandemic, authentication often still happened in more traditional ways, via access permissions to buildings and office computers. Now, additional measures are necessary to protect sensitive data and critical infrastructure. In addition to user authentication, Zero Trust requires an assessment of the security of the device (‘attestation’) as well as the surrounding environment.
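The remote-maintenance scoping described earlier and the attestation requirement above can be combined into one deny-by-default decision, sketched here as an added example that is not code from genua or the original article. All identities, system names and times are hypothetical, constructed sample values, and the assessment of the surrounding environment is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    identity: str            # organisational identity, not an IP address or port
    target: str              # the single system under maintenance
    applications: frozenset  # selected applications on that system
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Request:
    identity: str
    authenticated: bool      # user authentication succeeded
    device_attested: bool    # device security assessment ("attestation") passed
    target: str
    application: str
    at: datetime

def decide(req, grants):
    """Deny by default; call on every request so an expired grant ends access."""
    if not req.authenticated:
        return (False, "user not authenticated")
    if not req.device_attested:
        return (False, "device not attested")
    reason = "no grant for this identity, target and application"
    for g in grants:
        in_scope = (g.identity, g.target) == (req.identity, req.target)
        if not in_scope or req.application not in g.applications:
            continue
        if g.not_before <= req.at <= g.not_after:
            return (True, "granted")
        reason = "grant is outside its time window"
    return (False, reason)

def utc(hour):
    return datetime(2023, 5, 11, hour, tzinfo=timezone.utc)

# Constructed sample data: one two-hour maintenance window on one machine.
GRANTS = [Grant("vendor-a/technician-1", "press-line-3",
                frozenset({"hmi-diagnostics"}), utc(8), utc(10))]

def check(target, hour, app="hmi-diagnostics", attested=True):
    req = Request("vendor-a/technician-1", True, attested, target, app, utc(hour))
    return decide(req, GRANTS)

if __name__ == "__main__":
    for args in [("press-line-3", 9), ("erp-server", 9), ("press-line-3", 11)]:
        print(args, check(*args))
```

The same authenticated technician is allowed onto the one machine during the window and refused for any other system, any other application, any later time, or an unattested device.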

“Anyone accessing a corporate network can cause damage at any time, whether intentionally or unintentionally. Zero Trust therefore means placing as little trust as possible in users, software or even devices that gain access externally and that are not fully under your own control. It is a principle of least privilege.”

Steffen Ullrich

Zero Trust in practice: incremental improvement rather than total replacement 

So how does the concept translate into everyday business practice? Do IT managers have to completely rethink their approach? For the genua expert, one of the key advantages of Zero Trust is the opportunity to gradually introduce appropriate access controls into existing organisational structures. In industrial environments, particularly vulnerable machines are secured through what’s known as micro-segmentation. “It’s important to secure the network across the board,” says Ullrich. “However, companies can also introduce user-specific access controls for individual applications.” Ullrich is convinced this represents “a substantial security gain in the implementation of Zero Trust-based cyber security solutions”. 

Another change is emerging: until now, security policies have largely been defined at the network level, which made securing dynamic infrastructure more difficult. In Ullrich’s view, the Zero Trust concept can also be used to address this problem. “Effective cyber security solutions go beyond the security of IP addresses and ports,” says Ullrich. “Instead, we need to think in terms of organisational and operational identities.” This means individual users, teams or departments, with specific access rights tied to their tasks. “When tasks or responsibilities change, the rights are then adjusted automatically,” says the expert. 

In Ullrich’s view, Zero Trust does not imply the distrust of one’s own organisation. Rather, the concept has positive effects: more security without making day-to-day work more complex for employees and IT administration. Security decisions aligned with business processes are more readily accepted because they do not hinder work efficiency. The interplay of access rights and responsibilities, mirrored in the organisational structure, makes IT security in the Zero Trust context relevant and comprehensible to the entire workforce.
