Zero Trust Consulting

What is Zero Trust?

The term zero trust refers to a cybersecurity approach that challenges the "traditional", perimetric security model. It is based on the principle of never trust, always verify, requiring verification and authorization for every user, device, and application attempting to perform a transaction, regardless of their location or prior authentication. This proactive strategy reduces an organization's attack surface, spanning from on-premises to cloud environments, and constrains potential breaches and latteral movement.

Zero Trust is not one single piece of technology but a combination of several principles and technologies, such as identity access management (IAM) and strong identity verification, continuous monitoring and validation of connections, device security and compliance checks, mutual and multi-factor authentication, microsegmentation for breaches containment and latteral movement prevention, least privilege access and attribute-based access control (ABAC), setting access policies based on the attributes of the data, user identity and environmental information, and several more.

Remember that the transformation of your cybersecurity architecture, from perimeter-based to zero trust, will not be a single project but an iterative process, incorporating several smaller projects, each one dealing with a specifc use case.

Term History

The first occurrence of the term can be traced back in April 1994, when "zero trust" was conceived by Stephen Paul Marsh in his PhD thesis on computer security, who considered trust as something finite that can be described mathematically, asserting that the concept of trust transcends human factors such as morality, ethics, lawfulness, justice, and judgement.

In 2003, the challenges of defining the perimeter to an organisation's IT systems was highlighted in a presentation by Paul Simmonds of Jericho Forum, discussing the trend of "de-perimeterisation".

In 2009, Forrester's research analyst John Kindervag publicized the term in his well-known article, No More Chewy Centers: The Zero Trust Model Of Information Security, presenting the idea that all traffic should be considered untrusted, irrespectively of location, users and applications and that a least privilege strategy along with strict access controls, continuous traffic inspection and logging should be enforced.

Zero Trust Strategy

The zero trust initiative starts with the definition of the zero trust strategy. It is the guiding document which describes the principles and relevant actions to fullfil it. Since zero trust is a transformative procedure, there is always a risk of resistance or failure to the realization of benefits. A zero trust strategy requires:

  • definition of initiative scope, priority, objectives and expected outcomes, captured and properly commuicated in a business case
  • input from all stakeholders and definition of clear responsibilities
  • definition and execution of a communication plan
  • alignment with the wider technology strategy and risk management framework

Maturity Assessment

The execution of the zero trust strategy requires a roadmap. The assessment of the current and target state provide such a roadmap, using widely accepted maturity assessment frameworks, consisting of the following activities:

  • determination of current and target state
  • gaps mitigation roadmap
  • particular implementation requirements

Definition of Attack & Protect Surfaces

Contrary to the conventional approach to perimetric network security which focuses on the attack surface at a macro level, setting granular controls to protect Data, Apps, Assets and Services (DAAS) is part of the the definition of a protect surface.
In that way, controls can be placed as close as possible to the assets belonging to that protect surface, resulting in micro-perimeters.
Discovery and mappign of transaction flows is a core activity of this phase, since it allows to identify interaction points and information flow paths across the network, so tha controls are designbed and appliced properly.

The attack and protect surface can be considered the 2 sides of the same coin; the attack surface reduces as the protect surface gets more defined.

Development of Zero Trust Policies

In a zero trust arhitecture, access and visibility to resources is controlled by policy enforcement, since continuous validation of the user and the device is made, prior to allow any access. It is obvious that policies will govern implementation; thus, proper planning and maintenance are required.
Following a proven and structured method, our specilists can assist with the definition of all required policies.

Architecture Design

The transformation of the current architecture towards the zero trust paradigm is achieved during this phase, by defining target considerations pertaining to the 5 pillars (Identity, Devices, Networks, Applications and Workloads, Data) and the 3 cross-cutting capabilities(Visibility and Analytics, Automation and Orchestration, Governance), driven by the underlying business case and the wider business objectives.

Ongoing Advisory

Our Zero Trust consultants provide regular oversight, assessment and adjustment of your Zero Trust state. Since Zero Trust is not a destination but a journey that involves a radical shift in the perception of security, the ultimate objective is to transform your organization's staff to Zero Trust practitioners.

Our ZT specialists are more than happy to discuss about your ZT journey!


Latest News

Ukrainian NBU BankID System preparing for EU recognition

SpearIT is pleased to announce that has undertaken the preliminary conformity assessment of Ukraine's BankID national electronic identification scheme, ...

Read More

Cypriot National eID becomes notified

SpearIT is pleased to announce that the electronic identification (eID) scheme of Cyprus has now been notified as LoA High...

Read More

Cypriot National eID becomes pre-notified

SpearIT is pleased to announce that the first Cypriot electronic identification (eID) scheme has now been pre-notified in the eIDAS Cooperation Network...

Read More