Trust no one, assume the worst and prepare for anything: Zero Trust explainer

They say trust is the foundation of every good relationship. And in many ways it’s also true in the world of cyber security. You’re hardly going to give someone access to your network if you don’t trust them to do the right thing.

In years gone by, a trust-based approach to corporate IT might have been good enough. After all, we assumed the network was for employees only, and they were fully vetted before they were offered the job and allowed in the front door… right?

However, times have changed – and how. While the HR department still has a role to play when it comes to employee screening and trust, other factors have made life more complicated for in-house IT professionals. These include:

• IT environments are far more complex than they were a few years ago. More employees want access to remote working options. They also want to be able to use a range of unofficial or non-sanctioned cloud-based tools (also known as “shadow IT”) to be more productive.
• Cyber threats are increasing in number and sophistication, which makes it harder to anticipate and prepare for them. Last year the Australian Cyber Security Centre received 76,000 cyber-crime reports – up 13 percent on the previous year. Cybercrime cost the Australian economy an eye-watering $42 billion in 2021.
• Many of the cyber events we see today don’t raise concern in the early stages, because they involve authorised (read: trusted) users who are accessing authorised resources in seemingly normal ways.

As a result, IT teams are facing the increasingly stressful task of protecting the corporate network from threats and invaders – all while pre-existing trust-based cyber security strategies no longer work like they used to.

So what do you do when trust is at a premium? Lately we’re seeing more companies taking a different approach. Enter Zero Trust: the new and improved way to prevent cyber security breaches.

It also doesn’t hurt that by embracing a Zero Trust approach, you’ll be better aligned with the expectations of most cyber insurance providers around environmental maturity. While there are no guarantees, this could even mean more affordable cyber insurance – or access to insurance where it’s previously been denied.

Zero Trust in simple terms.

The Zero Trust approach to cyber security is exactly what the name suggests: trust no one, assume the worst, and be ready for anything and everything. Zero Trust is so different from previous approaches to cyber security because it assumes by default that an incident is going to happen. It doesn’t matter what preventative measures you’ve put in place – the worst can and will happen.

Think of it this way. In years gone by, we assumed that once someone was approved and vetted to be an employee and therefore in the network, they could safely access any resource or system (implicit trust). When you move to a Zero Trust model, this is no longer the case. Once you’re in, you still need to be granted permission to access resources and systems (explicit trust).

In practice, this means continually assessing what’s going on in the network and adapting as necessary. Users and their interactions must be scrutinised and access granted only as appropriate.

Sounds good, but in reality – not easy, unless you have the right help (more on that later).

How do you know if you should be moving to Zero Trust?

Before you do or buy anything, the most important part of a move towards Zero Trust is mindset. Do the leaders in your organisation (both technical and non-technical) truly understand the possible ramifications of a breach? We’re talking financial and reputational damage, as well as data loss. If the shared understanding is that the risk of a breach isn’t tolerable, then Zero Trust is probably going to be the right fit for you.

Talk to us for individual advice, but in general we recommend a move towards Zero Trust strategy for any organisation that has reasonable risk of exposure to cyber breaches. In terms of a traditional risk assessment, this might fall in the category of “possible” or above. Most organisations meet this criteria.

It’s also important to keep in mind that Zero Trust is not a single product. It’s an approach or strategy with many layers and decisions that work together to minimise the attack surface. You may already be employing some of these layers, however there’s always room for improvement.

Zero Trust, where do I start?

For most organisations, it’s not realistic to build and execute a robust Zero Trust strategy in-house. The better option is to work with a partner to deploy an Azure Landing Zone combined with the visibility of Managed Detection Response (MDR). With Microsoft being the only hyperscaler that’s also a security provider, MDR powered by Microsoft Sentinel is a logical place to begin.

MDR is a longer-term partnership with a specialist managed service provider that matches advanced threat detection, incident response and security reporting to the business context. Your partner should arm you with security insights specific to your business. In the event of an incident, you will be working with a team familiar with your infrastructure and operations.

Start your Zero Trust journey with a single step.

At Macquarie Cloud Services, we’re proud to be helping some of Australia’s leading organisations make the transition to A Zero Trust strategy. We are the only Microsoft Security Specialist in Australia to be both an Azure Expert MSP and member of MISA.

If you’d like to find out more about Zero Trust, please reach out to request a copy of our recent briefing paper for non-technical leaders. It includes some more of the technical details as well as a handy checklist for selecting the right MDR partner, so you can move forward in your Zero Trust journey with confidence.

Or, contact us on 1800 004 943 if you’re ready to kick off your Zero Trust journey today.