The Zero Trust Model

Published: 28th April 2022 | In: Insights

What is zero trust?

Zero trust has been variously described as an idea, a concept, a strategy and a model, among other things. All of these terms are correct. The zero-trust approach to security has three key principles:

  • Verify explicitly: always authenticate and authorise everything
  • Use least-privileged access: limit user access with just-in-time and just-enough-access to tighten data security
  • Assume breach: compartmentalise infrastructure to minimise any damage, verify end-to-end encryption and use analytics to detect any threats and strengthen defences.

The mantra you’ll see time and time again is “Never Trust, Always Verify”.

The last few years have shown us that cyber-attacks have become more frequent, increasingly sophisticated and far more difficult to prevent and respond to, especially in large, complex networks. As millions more people had to work from home during the pandemic, employees and organisations became more vulnerable to cyber threats such as phishing and ransomware.

No longer can we assume that downloading the latest anti-virus software and changing our passwords now and then is enough to prevent cyber criminals from doing us harm. A much more robust approach is essential.

That’s why the cyber security industry strongly recommends that every organisation employs a zero-trust strategy to safely operate in today’s increasingly hostile digital world. Zero trust isn’t a fixed, rigid model; it’s a dynamic one that will continue to be strengthened to meet any challenges that emerge in the future. And it will evolve to adapt to how people work together.

What are the guiding principles of zero trust?

A zero-trust approach means that every identity, component and even the network is verified and secured on a regular basis, whether it’s a smartphone, an Internet of Things (IoT) device, an app or a piece of hardware sitting deep inside your infrastructure.

This means that least-privilege and just-enough access rules are put in place for people, services and devices across the entire IT ecosystem. Two-way authentication ensures that every entity is verified. And multi-factor authentication is applied whenever users need access to anything.

Traditional thinking on security was that anything outside the organisation was untrusted and potentially dangerous and everything inside was trusted and safe. Zero-trust thinking is fundamentally different. It assumes that a breach has already occurred inside your enterprise and any damage needs to be minimised. With this in mind, the tools used to apply zero trust compartmentalise different parts of the IT infrastructure to reduce the chances of a virus spreading. Monitoring is continuous, as are end-to-end encryption and automated threat detection and response.

This all might seem draconian, but if zero trust is applied properly, step by step, then there’s no reason why it should put barriers up or slow your organisation down. In fact, it’s designed to help everyone become more efficient while minimising risk as much as possible.

Why adopt zero trust?

Every company, government department, charity and university supports employees, students, researchers, data and applications that are remote, so the IT architecture needs to be flexible as well as being secure. Zero trust is designed to enable this flexibility while providing the extra security.

That’s why cyber security agencies around the globe, including the UK’s National Cyber Security Centre (NCSC), have been championing and evangelising the many advantages of zero trust for several years now. It’s better suited for today’s common threats, such as attacks via any device or entry point and compromised user accounts, than the traditional view of security.

Some organisations have already employed the zero-trust security approach to their entire digital estate. They have shown that it has improved users’ overall experience at work and increased their productivity. Individuals, teams, departments, companies and institutions have become more agile and flexible as a result. Other key benefits include smoother collaboration between different organisations, and better visibility of devices and services across enterprises.

However, there are several points to consider before embarking on a journey to zero trust, including cost, preparation and the resources and effort required, as detailed by the NCSC.

How can anyone build these principles into their organisation?

While the private, public, charity and higher education sectors each have their own characteristics and challenges, the zero-trust approach promises to help protect any organisation, regardless of whether its community works on site, remotely, or in a hybrid working model.

However, while the principles are the same the world over, the implementation journey will be different depending on the organisation’s infrastructure and its specific needs. That said, anyone can start taking the first simple steps to zero trust security. And there are plenty of resources to call upon to help guide the way.

Gartner has set out its recommendations for starting the journey to zero trust and Microsoft has published a wealth of information about zero trust.

How do Microsoft Security solutions enable zero trust?

Microsoft takes cyber security extremely seriously and its whole security business is now built on the foundation of zero trust. It has promised to invest $1B into security every year, money that goes into research, new product development, and building security into existing products. Its holistic approach is built upon the three pillars of platform, intelligence and partnerships. The company regularly shares its vision, research findings and best practices with its customers and partners in the wider economy.

Cyber security is complex and global, and Microsoft acknowledges that it’s not a problem it can solve alone, but one that a whole ecosystem of like-minded organisations, national security agencies and industry standards bodies must tackle together.

Why partner with Quorum Cyber? 

As a Microsoft Gold Partner and member of the Microsoft Intelligent Security Association (MISA), Quorum Cyber is a Microsoft-only house because we believe they have the most holistic approach to security, and have integrated their security thinking, policies and practices into everything they do.

We’re dedicated to delivering cyber security services to reduce the risk of breaches and attacks. Our single purpose is to help organisations of any size in any industry sector safely and confidently operate in an increasingly hostile digital environment.

Ready to start your zero-trust journey?

Quorum Cyber’s skilled and professional teams of cyber security professionals use Microsoft Sentinel to provide a bird’s eye view across enterprises of all sizes. Contact us if you’d like to discuss how we can help you get started.

Want to read more of this series?

If you would like to read part one of this series, please take a look at the article ‘Why Higher Education Institutions are a prime target for cyber-attacks?’ where we explain how we’re helping them to manage their cyber security risk.

We’ll publish part three, in which we’ll explain how to make the most of your investment in Microsoft A5 licensing, in May.

Cyber Security Incident Response for everyone

If your organisation suffers a cyber-attack or breach, there’s no need to panic. Contact the Quorum Cyber Incident Response Team for immediate assistance on +44 333 444 0041. Our team operates 24×7 to protect your organisation.