Zero-trust sounds extreme.
Humans like to trust. We trust every day, as we drive down the street, that the people coming the other way will stay in their lane. We trust that the restaurants we visit prepare our food properly and hygienically. We trust that our doctor knows what they are doing when they give advice. It’s natural to trust.
But in IT networks, in this high-threat world, can we afford to trust?
With so many threats (infected websites, malware, trojans…), how can we trust that the computers near us are as ‘clean’ as our own?
In the old days (only a few years ago!), we used a firewall and a corporate antivirus to keep us safe. We could scan email, monitor websites and prevent threats from entering our business environment. But with people moving around, connecting their laptops and phones anywhere and everywhere, and guests coming into our offices, can we do that any more? Can we trust the machines near us? A ‘worm’ entering our network, or an infected file being shared, can spread even if the firewall and antivirus are up to scratch.
Zero-trust is the idea that you shouldn’t automatically trust the computer next to you. It’s an idea that large corporates (even Google) have adopted. With more and more people connecting from hotspots (the Koru lounge or a local café WiFi) or even working from shared offices, you can pretty much guarantee that someone around you is infected with the IT equivalent of the flu, or something even worse.
So what do you do?
- You need antivirus and anti-malware that works deeper than ever before and that you can manage across all your IT assets, even the ones that aren’t in your office much, if at all;
- You need layers of security protecting where you store files (hopefully in the cloud, using a strong identity provider like Azure AD; refer to https://cloudblogs.microsoft.com/microsoftsecure/2018/06/14/building-zero-trust-networks-with-microsoft-365/);
- You need firewalls working on each PC, and you need to know they are maintained and operating;
- Within your corporate network, security should be applied at a connection level based on user and location. Unnecessary services should be blocked, so that only valid users can access authorised tools (this often means more sophisticated networking equipment and firewalls);
- Apply ‘least-privilege’ access and strictly enforce and audit user access, so that people only get rights to what they need;
- “Always verify” by checking logs, checking security rules and periodically reassessing even old security settings to see if they are still valid;
- Use multi-factor authentication; and
- Finally, because we can only minimise risk (it can’t be eliminated altogether), you need the ability to recover quickly.
KARE for Security complements your existing maintenance contract with an enhanced security package, designed for the modern cloud-anywhere world. It’s a mixture of tools that go beyond traditional IT support to help you harden your ICT against intruders.
What more can you do? CERT NZ is the NZ Government Cyber Security unit, and it’s worth reading their top recommendations at https://www.cert.govt.nz/it-specialists/critical-controls/. You’ll see that a Kinetics KARE plan helps you minimise your risk.
Want to know more about how KARE for Security can enhance your protection?