Building a Zero Trust Culture at Work

Australia, Mar 26, 2024

Published by Logicalis Australia
Author: Tim Davoren

The way we work together in modern business has changed in recent years. We're increasingly relying on collaboration and co-delivery with partner organisations to achieve business goals and remain competitive. Sharing technology and access is needed to get the job done, but how much should we trust our own resources as well as those of other organisations? That's where the principles of zero trust security come into play.   

What is zero trust?

"Zero trust" is a security assurance philosophy emphasising that no person or entity, either inside or outside the network, should be considered trustworthy unless their identification has undergone a comprehensive verification process. Stephen Paul Marsh coined the term in 1994 in his thesis on computer security, where he looked beyond human factors to quantify trust in mathematical terms. The expression shares a similar sentiment to the “trust, but verify” phrasing used by U.S. President Ronald Reagan when talking about nuclear disarmament with the Soviet Union.

In 2010, Forrester researcher John Kindervag popularised the term by outlining a security model where organisations never automatically trust anything inside or outside their security perimeter. His approach called for stricter access control and continuous verification, which continues to be a hallmark of today's zero trust principles.

Rather than focusing on a single strong outer perimeter to keep threats out, zero trust recognises that threats can also come from within. A zero trust approach requires continuous verification, stricter access control on an as-needed basis and the creation of smaller protected zones within a network. These controls and layers help safeguard against threats and limit the impact and spread should a threat breach the outer perimeter.  

Adopting zero trust security across an organisation is neither a simple nor a speedy process. To succeed, it requires considerable buy-in from leaders and teams that can have competing interests within an organisation. It is an ongoing commitment to security in which some trade-offs in freedom or performance need to be made, with an understanding of how they improve the overall security posture of data, networks and technology.

As global cybersecurity concerns continue increasing, many governments, businesses and organisations are switching to zero trust practices to protect their data, networks and technology. In 2021, the U.S. Government ordered its agencies to switch to zero trust architecture in line with national technology standards. Closer to home, the Australian Government has said it will develop a whole-of-government zero trust culture as outlined in its latest cybersecurity strategy.

Zero trust at work in the Essential Eight  

The Australian Government, through the Australian Signals Directorate (ASD), curated the Essential Eight, a list of the most effective strategies to protect organisations from cyber-attacks. Some zero trust principles already align with the Essential Eight and give an added reason for organisations to pursue both. These include:

  • Patching applications and operating systems
    Both zero trust security and the Essential Eight emphasise the importance of keeping software up to date. Exploiting outdated software vulnerabilities is a common attacker tactic. Zero trust's focus on least privilege and micro-segmentation can limit the damage even if a vulnerability is exploited. However, timely patching remains crucial for preventing breaches in the first place.
     
  • Implementing multi-factor authentication
    Zero trust strongly advocates for multi-factor authentication (MFA) methods that require user interaction through challenge and response codes, adding an extra layer of security beyond passwords. Similarly, the Essential Eight mandates MFA for privileged access and remote desktop protocols. This shared emphasis on MFA makes it significantly harder for attackers to gain unauthorised access, even if they steal credentials.
     
  • Greater application control
    Zero trust's principle of least privilege translates to restricting users and applications to only the resources they need. This aligns with the Essential Eight's recommendation of using application whitelisting to block unauthorised applications. By only allowing trusted applications to run, the attack surface shrinks, making it harder for malware to infiltrate the system.
     
  • Hardening user application settings
    Both approaches advocate for hardening user applications to disable unnecessary features and functionalities that could be exploited by attackers. This could involve disabling macros in Microsoft Office applications, as recommended by the Essential Eight, or restricting browser extensions and plugins within a zero trust framework. In the near future, even application control that currently relies on code signing for verification will be extended to require continuous certificate checks.  

Implementing zero trust principles and a zero trust culture  

As indicated above, implementing zero trust across an organisation is no small feat. It requires dedication, persistence and considerable buy-in from stakeholders across the business. Building an organisation-wide security culture is essential for the ongoing success of the zero trust approach.  

Aside from implementing specific infrastructure and access controls and updating processes, organisations also need to consider their team members and provide them with adequate levels of training. Team members who understand how they can help maintain overall security are more likely to support the additional processes required for continuous verification and identity management.

This is where technology providers like Logicalis can help provide support as a trusted security partner. With expertise across major business technology platforms, tools and processes, such as Microsoft Azure, Logicalis can help ensure your zero trust plans stay on track. The Zero Trust Assessment Framework from Logicalis helps customers explore zero trust across devices, identity, network, applications, collaboration and data. These exercises draw on globally recognised frameworks for Zero Trust to assess current approaches and allow Logicalis to provide recommendations matched to each customer’s business, maturity level and budget considerations.

In Australia, the Logicalis team helps clients design solutions and implement Essential Eight and zero trust principles across their networks, data and technology. These range from implementing Identity Access Management, to network segmentation, to ensuring data security and integrity. Aside from developing specific projects and solutions, Logicalis also offers continuous monitoring and round-the-clock threat detection through its Managed Services team.

Contact our team if you'd like to learn more about zero trust architecture and how it can help your organisation improve its security posture. 
