Zero Trust Architecture: Building resilient services for today's threats

by Ian Rowe - Technical Security Consultant
| minute read

In today’s ever-evolving security landscape, it’s crucial for security and defence programmes to keep classified systems, communication channels, and technological infrastructure running smoothly. The concept of relying solely on a strong outer defence, once thought to be the best way to safeguard digital assets, has been challenged by the evolving threat landscape and the recognition that perimeter-based security measures are no longer sufficient to protect against sophisticated cyberattacks. In this blog, we explore Zero Trust Architecture (ZTA) and its role in strengthening an organisation against modern cyber threats, to improve resilience and increase the flexibility and ability to respond to changes in both threat and risk profile. 

Understanding Zero Trust Architecture

Traditional Security Models focus on protecting the perimeter and assuming that once inside the network, users and devices can be trusted. The main weakness of a traditional security model is relying too much on the perimeter of the network for protection, which can lead to assuming trust once inside and not adequately guarding against internal threats. ZTA verifies all requests against policy, using strong authentication to enforce controls to ensure secure interactions and data protection. This means a fundamental re-thinking of how we authenticate users, devices, and services, as well as how we monitor and manage network access. 

The transition to Zero Trust Architecture  

Transitioning to ZTA is not a one-time event but rather a journey and can’t be achieved by just replacing one set of technologies with another. It requires a holistic approach that goes beyond replacing existing technologies. Even ZTA can’t remove all uncertainties and risks, its goal is to focus on reducing areas of implicit trust. How we reduce these areas depends on how much risk a business is willing to take, balanced with what the business needs to accomplish.  

There is no right or wrong way to do this, or one definition of exactly what constitutes zero trust. Many best practices and architectures exist, depending on the context of where it is being implemented.  The UK NCSC Zero Trust Architecture Principles and US National Institute of Standards and Technology (NIST) SP 800-207 Zero Trust Architecture are two useful examples of supporting guidance that can be used when considering ZTA.  

Secure by Design: A Framework for Zero Trust Architecture 

In the real-world setup of ZTA, our Secure by Design approach offers a way of designing and implementing ZTA while managing risk and keeping business going. Secure by Design (SbD) aims to work with any system or approach, including zero trust, no matter the security level. With SbD, security controls are put in place, checked, and tested regularly, to re-inforce the ZTA principles.

By applying the five key SbD principles detailed in our Secure by Design approach here,  we can start to align them to Zero Trust principles, providing a foundational framework for the design of ZTA.   

  • Categorise – To implement ZTA, you need to understand the network and its resources, along with how much risk the organisation is okay with. This will help identify high value data and services that may need to be prioritised over others. This categorisation will guide decisions about how to design based on risks.  
  • Select – ZTA relies on the underlying controls around identity and authentication, and these will need to be selected based on the balance between risk appetite and business requirements, fed by the previous categorisations.  
  • Implement – To be effective, the correct implementation of ZTA is crucial. It may not be possible to implement ZTA everywhere straight away, it may have to initially target high value data areas and expand as required. This requires a risk based, agile approach to implementation, to ensure ability to respond to changes in risk profile, as well as to implement changes in a sustainable, repeatable way.  
  • Assess – Continual assessment in ZTA is critical, to understand the effectiveness of controls in place, as well as to respond to any changes in the landscape. This continual evaluation of the environment helps to gain confidence dynamically, allowing the solution to flex based on value and risk. 
  • Monitor – ZTA requires monitoring focus on the behaviour of users, devices and services. This will help establish cyber health, and improve visibility and correlation, which in turn feeds into risk-based decisions in the evolution of the ZTA solution.

Both ZTA and our SbD principles have evolved in response to the dynamic technical landscape we operate in, with both looking to change traditional security models. This aims to improve resilience and the flexibility to respond to changes in threat and risk profile. It is imperative for security professionals to grasp and implement these principles effectively as cybersecurity risk should be considered as business critical.

Read more about our Secure by design approach

Read more about supply chain security

Search
Ian Rowe

Ian Rowe

Technical Security Consultant

More about Ian Rowe

cyber-security-and-resilience

Related content

Safeguarding your supply chain in today's dynamic landscape

In a time where supply chain threats are on the rise, the need for robust safeguarding has never been more critical. Read more to find out how to ensure security within your supply chain through four important steps.

Inspiring the next generation of scientists, engineers and tech experts at the Cheltenham Science Festival 2022

Our team enjoyed the opportunity to engage with the next generation of scientists and engineers, experimenting with tech and exploring careers within the exciting worlds of cyber, digital and tech.