What is Zero Trust Security

Zero Trust is a combination of "never trust, always verify" combined with "least access."  Traditional security assumed if you were in the building you were allowed to go where you wanted.  Zero Trust is the digital equivalent of locking the interior doors.  The goal is to prevent unauthorized access to data and services.  Zero trust may require a change in
an organization’s philosophy and culture around cybersecurity.

Zero trusts moves from passwords to MFA and Single Sign-On.  MFA provides a higher degree of confidence that it's you rather than a hacker sitting in a dark room pretending to be you.  Single sign-on formalizes the concept of identity rather than separate systems that just consider a username and password.   SSO works based on a trust relationship established between the party that holds the identity information and can authenticate the user and the service or application the user wants to access.  It's the electronic version of a driver's license.  Other businesses trust your license is valid and in effect trust the State of Ohio to verify your identity more than they would trust themselves to verify your identity.

Older security paradigms used a simple asset inventory to track devices.  Zero Trust will not only verify the identity of the device but also verify the device is compliant in terms of having up to date patches and and anti-virus software before allowing access. 

Zero Trust encourages network segmentation.  Servers are separate from phones which are separate from client PCs.  It's expected and necessary for a PC to access a server.  It's suspicious when one PC is trying to communicate directly with a different PC.  It's the on-line equivalent of driving the wrong way down a one way street. 

 In the past, the server would attempt to authenticate the username and password of the person trying to access an application.  Now, the verification will go both ways.  The person who just got pulled over for driving the wrong way now wants to authenticate the police officer who pulled them over.

With traditional file permissions, once someone had access to a file they could copy it to a thumb drive and take the data with them.  Services like Microsoft Office will automatically encrypt and decrypt data as it's accessed.  The encrypted document will open as normal on a company owned device and will prompt for a username and password when someone tries to open the file off a thumb drive.   Traditional passwords are finding a needle in a haystack.  Encryption is like finding that same needle somewhere in the Pacific Ocean.

Probably.

When done correctly if offers a lot of benefits.  

Single sign-on increases employee productivity by reducing the time they must spend signing on and dealing with passwords. Employees need access to many apps throughout their workday, and they have to spend time logging in to each of them, plus trying to remember which password goes to which, plus changing and resetting passwords when one is forgotten. The wasted time adds up.

You might think that SSO is the same as just using the same password for all the systems - which is bad.  However, the reality is that with good practices, SSO significantly decreases the likelihood of a password-related hack. Since users only need to remember one password for all their applications, they are more likely to create solid, complex and hard-to-guess passphrases. 

Nearly 50% of helpdesk calls are password or logon related.  Fewer passwords to remember means reduced costs.

Data encryption and Data Loss Prevention improve your security and protect your data in ways that traditional security cannot.