Technology series: Zero Trust defined - in a few words

“Never trust, always verify” is the Zero Trust axiom, but what is Zero Trust and why is it important?

The latest instalment in our Technology Series outlines six basic tenets of a security architecture concept that insurance underwriters could adopt to their benefit: less room for bad actors to manoeuvre, less opportunity for widespread loss.

Zero Trust is a term coined by Forrester in 2010. The original concept was a data-centric network design that used segmentation to enforce more granular policies, which limits lateral movement by malicious actors, whether human operators or malware.

The Zero Trust tenets are:

  • Verify Who
  • Contextualization of the Request
  • Secure Admin Environment
  • Grant Least Privilege
  • Audit Everything
  • Adaptive Control

Verify who is requesting access: this is normally done via a directory service (such as Active Directory) that HR and IT keep in step with the employee roster, so that when someone leaves the company their access is revoked immediately. MFA must be enforced so that the "who" is actually who it claims to be.

Contextualizing the request means applying different policies depending on the context of the request, for example the requester's department: someone logging in from HR should not have access to resources on the engineering network, and vice versa. Least privilege in this context simply means that the baseline is a minimal set of rights, with anything beyond it granted only for a demonstrated need.

A Secure Admin Environment is a sandboxed environment, so to speak. The servers that admins use for privileged access should be isolated, with no internet access at all; they should only be able to talk to devices on their own LAN. If they are Windows servers, a single designated machine should fetch updates from Microsoft and act as the internal update server for the rest.

Granting least privilege limits the lateral movement of malicious actors. No one should work with root/administrator access on a server as a matter of course, and SSH should never allow root login.
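A practical check for the "no root login over SSH" rule, as an added example that is not part of the original article: an auditor that reads an sshd_config and reports settings that violate a least-privilege baseline. The caveat it demonstrates is that sshd uses the first value it reads for a keyword (see sshd_config(5)), so a hardening line appended at the bottom of the file does not override an earlier permissive one. The two configs are constructed samples; the baseline and the assumed defaults for absent keywords (OpenSSH 7.0+ defaults) are this example's own choices.

```python
"""Audit an sshd_config against a least-privilege baseline (example code).

sshd applies the FIRST value it reads for each keyword, so "PermitRootLogin no"
appended after an earlier "PermitRootLogin yes" has no effect. The auditor
mimics that rule for the global section and stops at the first Match block,
whose settings apply only to matching connections.
"""
import re

# Values assumed when a keyword is absent (OpenSSH 7.0+ defaults; assumption).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}

# Baseline expected on a least-privilege host (this example's own choice).
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "pubkeyauthentication": {"yes"},
}


def parse_sshd_config(text):
    """Return the effective global settings, first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"match\b", line, re.IGNORECASE):
            break  # conditional section: outside the scope of a global audit
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # later duplicates are ignored by sshd
    return settings


def audit(text):
    """Return [(keyword, effective_value), ...] for settings outside the baseline."""
    settings = parse_sshd_config(text)
    findings = []
    for key, good in EXPECTED.items():
        effective = settings.get(key, DEFAULTS[key]).lower()
        if effective not in good:
            findings.append((key, effective))
    return findings


# Constructed sample: an admin appended "PermitRootLogin no" at the bottom,
# believing it overrides the earlier "yes". It does not; root login stays on.
WEAK_CONFIG = """
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later in good faith:
PermitRootLogin no
"""

# Constructed sample: the hardened form of the same file.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AllowGroups ssh-admins
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

On a live host the authoritative check is the daemon's own view of its effective configuration, `sshd -T`, which resolves defaults, duplicates and Include files the way this parser only approximates; the value of the script is in CI or fleet audits where you cannot run sshd.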

Auditing everything serves many purposes: forensics after an incident, attribution of actions to specific users, and the evidence base on which adaptive controls can be built.

Providing adaptive control means using ML algorithms for behavioural analysis, combing through millions of events to spot anomalous activity and tighten policy in response.

The CyberCube engineering team identified a potential use of this security architecture concept for its insurance clients: if insurers were to encourage their customers to adopt Zero Trust wholesale, it could substantially reduce breaches, thereby minimising remediation costs for both the insured and the insurer.

Zero Trust is also highly relevant to cyber risk, given that cloud infrastructures are built on demand and at scale without traditional IT. Following the Zero Trust model can improve security without hindering operations.
