Zero Trust: security in an ever more complex world

20.06.2022

The IT landscape, the social context and the nature of cyber threats are very different from how they were just 10 years ago. Protecting your IT infrastructure thus calls for a different approach.

The IT landscape has changed radically over the past decade, with new technologies and new practices – but also new threats. That means the previous approach to security is no longer sufficient. We talked with Simen Van der Perre, Strategic Advisor at Orange Cyberdefense Belgium, which forms part of the Orange Group, about the evolution of the IT landscape and what this means for your security.

Evolution of the IT landscape

The move to the cloud was a first evolution that led to an important change. “Previously, a company’s applications ran in their own data centre, where their data was also located,” Simen Van der Perre recalls. “At that time the key task was to shield your data centre from outsiders as effectively as possible. Today a great deal of company data is located in the cloud, for example in Azure, AWS or an SaaS application. A hybrid situation is often involved, where you’re still running some of your applications on your own servers and some of them in the cloud. Protecting all of that from intruders is already a great deal more complex.”

“The transition to the cloud and hybrid working make the security of your IT infrastructure a lot more complex.”

Simen Van der Perre, Strategic Advisor Orange Cyberdefense Belgium

In addition, more and more users are now working from different locations, a trend that has been accelerated by the pandemic. “Employees can now access their company’s data and applications from anywhere in the world. This is clearly an accelerator for the digital transformation of companies, and it offers many advantages. But again, it makes security much more complicated.” Add to this the many devices that have to connect with the company network, including IoT devices that are often less well protected, and the challenge, says Simen Van der Perre, becomes even more daunting.

He summarises the current state of affairs this way: “We’re coming from a situation a few decades ago where you could simply say: all network traffic that comes from the internet is not to be trusted, we trust our own data centre and users, and we will install servers that have to provide services to the internet in a sort of demilitarised zone. Back then we configured a firewall to keep out what couldn’t be trusted and allow in what could be. As soon as users had logged on to the network, we trusted them. This method was called ‘trust but verify’. But today the users, data and applications are everywhere, so the threats can come from literally anywhere – meaning that we need a totally different security model.”

“The ‘trust but verify’ method that was common earlier is no longer sufficient.”

Simen Van der Perre, Strategic Advisor Orange Cyberdefense Belgium


Never trust, always verify

That new model, which has been developing since 2010, is called Zero Trust. “The default posture is that we no longer trust users,” Simen Van der Perre explains. “Only after verification do they get access to the data and applications they need. Users must therefore continuously justify themselves. We call this method ‘never trust, always verify’. With the Zero Trust model, we also verify users on a continuous basis. Every time a user logs on, we collect all kinds of parameters about the context. Which device the user logs on with, using which web browser, and from which location? If the next time the user logs on one of those parameters has changed, we ask for extra verification, for example with two-factor authentication.”
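The context check described above, written out as an added Python example (not code from the article or from Orange Cyberdefense). The class and function names, the three context fields and the decision strings are assumptions; the baseline is only updated after a successful second factor, so a failed attempt from a new context never becomes trusted.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class LoginContext:
    """Context collected at logon (field names are assumptions)."""
    device_id: str
    browser: str
    location: str


class ContextVerifier:
    """Keeps, per user, the last context that passed verification."""

    def __init__(self):
        self._baseline = {}  # user -> LoginContext

    def changed(self, user, ctx):
        """Names of parameters that differ from the verified baseline."""
        base = self._baseline.get(user)
        if base is None:  # first logon: nothing is known yet
            return [f.name for f in fields(ctx)]
        return [f.name for f in fields(ctx)
                if getattr(ctx, f.name) != getattr(base, f.name)]

    def record_verified(self, user, ctx):
        self._baseline[user] = ctx


def login(verifier, user, ctx, second_factor_ok):
    """Return 'allow', 'allow_after_step_up' or 'deny'.

    second_factor_ok stands in for the result of a real 2FA challenge.
    """
    if not verifier.changed(user, ctx):
        return "allow"
    # Something changed: extra verification is required.
    if not second_factor_ok:
        return "deny"  # baseline untouched, the new context stays untrusted
    verifier.record_verified(user, ctx)
    return "allow_after_step_up"


if __name__ == "__main__":
    v = ContextVerifier()
    office = LoginContext("laptop-01", "Firefox", "BE")  # constructed sample
    travel = LoginContext("laptop-01", "Firefox", "FR")  # constructed sample
    print(login(v, "alice", office, True))
    print(login(v, "alice", office, False))
    print(v.changed("alice", travel), login(v, "alice", travel, False))
```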

So, previously, the perimeter between the trusted and untrusted part of the network was the most important factor for security. There was an “outside” and an “inside”, and businesses worked to keep external threats out. Today the identity of the user is the most important factor. “You can now take the user’s identity into account in the configuration rules of many security tools,” says Simen Van der Perre.

Zero Trust architecture

Orange Cyberdefense defines a Zero Trust architecture in three layers, he explains. “We have a security layer, which imposes various rules such as who receives what access. Tools such as anti-malware, a firewall, URL filtering, security monitoring, sandboxing and so on are at work in this layer. Below that we have an identity layer, which handles everything to do with user identity. That could be multi-factor authentication, authorisation, single sign-on or user provisioning. And finally, at the very bottom, we have the network layer. That’s where the classic network technologies such as routing, VPNs, SD-WAN, guest access and network access control are located.”

Ongoing process

According to Simen Van der Perre, the changeover to a Zero Trust approach should begin from the perspective of the business. “First of all, define your protect surface: what data, applications, assets and services do you have to protect? With Zero Trust, therefore, we work from the inside to the outside. Then we map out the transaction flows: who needs access to what data, where is this data located, and what other applications are necessary for them? With this information, we can then configure the tools in the security, identity and network layers.

“Zero Trust isn’t an all-or-nothing model, where you immediately protect everything according to this approach. You can change over step by step. And it doesn’t make very much difference whether you begin with the security layer, the identity layer or the network layer,” he says. “You can approach Zero Trust from every side, and ultimately all of these sides do come together. So Zero Trust isn’t a product, but a shift in thinking. It’s a way in which you look at security.”

“Start with the components whose impact on your business is small. That way you get to know Zero Trust and you can still make mistakes.”

Simen Van der Perre, Strategic Advisor Orange Cyberdefense Belgium

Simen Van der Perre recommends starting with a few components whose impact on the business is relatively minor. “That way you can safely become acquainted with Zero Trust and you can still make mistakes. Then you notice, for example, that specific applications depend on other applications, or you learn how to react in certain security situations. After this learning process, I recommend incorporating somewhat less critical components into your Zero Trust approach, in order to get an even better feel for it. Only then can you address your ‘crown jewels’: your critical data and applications.

“After this configuration the work still isn’t done, because security is an ongoing improvement process,” he emphasises. “It’s important to constantly monitor your IT environment. What’s happening, what threats or attacks do we see, does everyone still have the correct access rights? With this information we can continuously adjust and optimise the security configuration.”
