
By Christina Catenacci, BA, LLB, LLM, PhD | 3 Minutes Read November 2, 2021

What is Zero Trust?

Given the significant cost associated with data breaches these days, now might be a good time for organizations to seriously explore the Zero Trust model of cybersecurity.

What is it?

As NIST Special Publication 800-207, Zero Trust Architecture, explains, Zero Trust describes an evolving set of cybersecurity paradigms that move defences away from static, network-based perimeters and toward the users, assets, and resources themselves. A Zero Trust Architecture applies those principles to the planning of enterprise and industrial infrastructure and workflows; it is designed to prevent data breaches and to limit lateral movement inside the network once an attacker has a foothold.

One of the main assumptions of Zero Trust is that no implicit trust is granted to assets or user accounts based solely on their physical or network location, or on who owns the asset. In other words, a request is evaluated the same way whether it arrives from the local area network or from the Internet, and whether the device is owned by the enterprise or by an individual. This matters because enterprises have become quite complex: a single enterprise may operate several internal networks, remote offices with their own local infrastructure, remote or mobile staff, and cloud services, so there is no longer one perimeter to defend.

Zero Trust may begin with data and service protection, and can be expanded to include all enterprise assets such as devices, infrastructure components, applications, as well as virtual and cloud components. It can also be augmented to include subjects such as end users, applications, and other non-human entities.

With Zero Trust, enterprises assume that there is no implicit trust and continually analyze and evaluate the risks to their assets and business functions. Subsequently, they mitigate those risks using various forms of protections including minimizing access to resources to only those subjects and assets that have been identified as needing access, and continually authenticating and authorizing the identity and security posture of each access request.

It is important to note that Zero Trust is not a single product or architecture but a set of guiding principles for workflow, system design, and operations, and that those principles can improve the security posture of systems at any classification or sensitivity level. Organizations also need comprehensive information security and resiliency practices to support it, including continuous monitoring, network and system activity logging, and the creation, maintenance, and enforcement of data access policies.

A note on privacy: Zero Trust requires the inspection and logging of traffic, and some of that traffic may contain personal information. Consequently, organizations have to identify and address the privacy risks associated with intercepting, scanning, and logging network traffic; this may involve informing users, obtaining consent through strategies such as a login page or banner, and educating enterprise users about what is monitored and why.

Why would an organization want to use it?

With increased remote or hybrid working during the pandemic, Bring Your Own Device (BYOD), and cloud-based assets that sit outside any enterprise-owned network boundary, it is important to reduce the uncertainty in each access decision as far as possible in order to protect an organization’s cybersecurity posture. This is achieved through authentication, authorization, encryption, and by shrinking the zones in which trust is implicit.

Using Zero Trust can:

  • Protect customer data, including sensitive data
  • Decrease data breach detection times and prevent further damage
  • Increase traffic visibility to discover weak spots, inefficiencies, and new insights
  • Create a safer environment and optimize the end-user experience through the use of Zero Trust policies
  • Optimize a move to the cloud using a model that is more suited to modern environments

How can an organization start to implement it?

It is important to remember that using Zero Trust principles is a continual journey. It may be beneficial to start with one small system to use as a test case, and then go from there.

There are several steps that an organization can take to get started:

  • Identify assets
  • Verify devices and users
  • Map workflows
  • Define and automate policies
  • Test, monitor, and maintain

Organizations can use a number of best practices for implementing Zero Trust:

  • Identify sensitive data when prioritizing the data
  • Limit and control access by establishing limits to users, devices, applications, and processes seeking access to the identified data
  • Detect threats using continuous monitoring
  • Ensure that access to every resource is authenticated, keeping in mind that strong authentication, and multi-factor authentication in particular, is a core building block of Zero Trust security
  • Use least-privilege access control, where the goal is to eliminate unauthorized access to data, services, and networks by granting access rights only when they are actually required, and for no longer than necessary
  • Inspect and log all activity using security analytics, and create per-user and per-account baselines so that abnormal behaviour that could indicate malicious activity can be identified
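The two lists above (the getting-started steps and the best practices) describe what a Zero Trust access decision and its monitoring look like; the example below shows them as working code. It is an added illustration written for this page, not code from NIST SP 800-207 or from First Reference. The policy decision point evaluates every request on identity, multi-factor status, device posture, and the sensitivity of the resource, and deliberately ignores the source network, so a request from the corporate LAN earns no more trust than one from the Internet. The second function builds a per-user baseline from past activity and flags a day that falls far outside it. All names, groups, resources, and log records are constructed for the example.

```python
"""Minimal Zero Trust policy decision point plus a per-user activity baseline.
Illustrative example only: the users, groups, resources and log records below
are constructed for this page and correspond to no real organization."""
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessRequest:
    subject: str            # authenticated user identity
    device_id: str
    mfa_verified: bool      # did this session complete multi-factor authentication?
    device_compliant: bool  # device posture: e.g. disk encrypted, EDR running, patched
    source_network: str     # "corp-lan", "vpn", "internet": recorded for logging only
    resource: str
    action: str


# Constructed sample policy. Access is tied to group membership and action,
# never to where the request comes from (least privilege, no implicit trust).
POLICY = {
    "payroll-db": {
        "sensitivity": "high",
        "allow": {("hr-payroll", "read"), ("hr-payroll", "write")},
    },
    "intranet-wiki": {
        "sensitivity": "low",
        "allow": {("all-staff", "read"), ("it-admin", "write")},
    },
}
GROUPS = {"alice": {"all-staff", "hr-payroll"}, "bob": {"all-staff"}}


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate a single request. Every request is checked; nothing is cached
    from the network location. Returns (allowed, reason)."""
    res = POLICY.get(req.resource)
    if res is None:
        return False, "unknown resource: deny by default"
    if not req.mfa_verified:
        return False, "MFA required for every request"
    if res["sensitivity"] == "high" and not req.device_compliant:
        return False, "non-compliant device may not reach a high-sensitivity resource"
    groups = GROUPS.get(req.subject, set())
    if not any((g, req.action) in res["allow"] for g in groups):
        return False, f"{req.subject} lacks '{req.action}' on {req.resource}"
    return True, "allow"


# Constructed access log: (user, day number, records read that day).
ACCESS_LOG = [
    ("alice", 1, 40), ("alice", 2, 45), ("alice", 3, 38), ("alice", 4, 42), ("alice", 5, 900),
    ("bob", 1, 5), ("bob", 2, 7), ("bob", 3, 6), ("bob", 4, 4), ("bob", 5, 8),
]


def anomalous_users(log, today: int, k: float = 3.0) -> list[tuple[str, int, float]]:
    """Compare each user's activity on `today` with their own history (days
    before `today`). Flag users more than k standard deviations above their
    mean. Returns (user, today's count, threshold) for each flagged user."""
    by_user: dict[str, dict[int, int]] = {}
    for user, day, count in log:
        by_user.setdefault(user, {})[day] = count
    flagged = []
    for user, days in by_user.items():
        history = [n for d, n in days.items() if d < today]
        if len(history) < 2 or today not in days:
            continue  # not enough history to form a baseline
        mu, sigma = mean(history), pstdev(history)
        threshold = mu + k * max(sigma, 1.0)  # floor so a flat history still has a band
        if days[today] > threshold:
            flagged.append((user, days[today], round(threshold, 1)))
    return flagged


if __name__ == "__main__":
    lan_request = AccessRequest("bob", "lap-02", True, True, "corp-lan", "payroll-db", "read")
    print(decide(lan_request))        # denied: being on the LAN grants nothing
    print(anomalous_users(ACCESS_LOG, today=5))  # alice's 900 reads stand out
```

Bob's request is refused even though it comes from the corporate LAN and his device is healthy, because his group has no right to the payroll database; Alice's 900 reads on day 5 are flagged because her own previous four days averaged about 41. Both checks run on every request and every day, which is the "continually authenticate, authorize and monitor" part of the model.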

Conclusion

Indeed, this may be a pivotal moment to embrace the Zero Trust model. While “never trust, always verify” and “assume breach” may seem complicated and onerous, they can go a long way toward preventing data breaches and cyberattacks, or at least toward minimizing the damage caused by one.

Christina Catenacci, BA, LLB, LLM, PhD
Christina Catenacci, BA, LLB, LLM, PhD, is a member of the Law Society of Ontario. Christina worked as an editor with First Reference between 2005 and 2015 working on publications including The Human Resources Advisor (Ontario, Western and Atlantic editions), HRinfodesk, and First Reference Talks blog discussing topics in Canadian Labour and Employment Law. She continues to contribute to First Reference Talks as a regular guest blogger, where she writes on privacy and surveillance topics. Christina has also appeared in the International Association of Privacy Professionals’ Privacy Advisor, Tech Policy Press, and Slaw - Canada's online legal magazine.