Zero trust security 101: What Australian business owners need to know


Many Australian businesses need to rethink their approach to security as data breaches are reaching record highs. In 2019 alone, organisations across the country reported 997 data breaches, which was much higher than in previous years. The causes of these breaches varied, but they usually involved unauthorised users gaining access to sensitive information.

Firewalls and antivirus software are not enough to prevent these threats, especially because users are accessing apps and data from multiple devices and locations. Australian businesses need a zero trust approach to cybersecurity.

What is zero trust?

Zero trust is a security concept that states that organisations should not trust anything outside or within their network perimeters. Instead, they must verify everything trying to connect to business systems before granting access. ‘Everything’ in this context refers to users, devices, apps, and networks.

With zero trust security, organisations can mitigate the risks associated with an increasingly cloud-based and mobile-reliant IT infrastructure. It performs multiple checks to determine that users are who they say they are, preventing account hijacking and insider threats. It tracks company-registered devices to ensure they’re malware-free and safe to enter business systems. Zero trust security even verifies locations to stop anyone trying to access company files from suspicious networks and IP addresses.

Implementing a zero trust security model involves several technology solutions and steps.

Enable multifactor authentication (MFA)

MFA is a core component of a zero trust security framework because it requires multiple credentials when authenticating users. Passwords alone are insufficient for verifying identities and logging in to accounts. Users will also need to provide one-time SMS passcodes, fingerprint scans, or facial ID. By enabling this, the security of your accounts and data won’t solely revolve around setting a strong password. MFA fully confirms a user’s identity before letting them through, curbing threats like brute force attacks and phishing scams.

Australian businesses are even taking MFA a step further and removing passwords from the login process. Programs like Windows Hello, which verify users by biological characteristics, are being used in conjunction with codes generated from mobile apps. This way, companies never have to stake their security on employees who set and recycle generic passwords for multiple accounts.

Utilise microsegmentation

Microsegmentation is the method of creating distinct zones in data centres for individual workloads and applications. Each zone is isolated from the others, which allows administrators to set security controls unique to each zone. For instance, you can set specific authorisation levels for accounting applications and create unique policies for marketing software within your network.

What’s more, users with access to one zone won’t be able to access another zone without separate authorisation. This limits an attacker’s ability to move laterally through a data centre, even if they manage to infiltrate your company’s firewalls. In other words, isolating applications and workloads from each other through microsegmentation minimises the potential impact of a cybersecurity incident.
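The zone isolation described above can be expressed as a default-deny allow-list of flows between zones. The following is an added example, not code from the original article or any vendor; the zone names, address ranges and ports are constructed for illustration.

```python
import ipaddress

# Constructed zones: each workload gets its own address range (assumed values).
ZONES = {
    "accounting": ipaddress.ip_network("10.10.1.0/24"),
    "marketing": ipaddress.ip_network("10.10.2.0/24"),
    "database": ipaddress.ip_network("10.10.3.0/24"),
}

# Explicit allow-list of (source zone, destination zone, TCP port).
# Anything not listed is denied, including traffic between zones.
ALLOWED_FLOWS = {
    ("accounting", "database", 5432),
    ("accounting", "accounting", 443),
    ("marketing", "marketing", 443),
}


def zone_of(ip):
    """Return the zone name containing ip, or None if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def flow_allowed(src_ip, dst_ip, port):
    """Default-deny check: a flow passes only if its zone pair and port are listed."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False  # endpoints outside every zone are never trusted
    return (src, dst, port) in ALLOWED_FLOWS


def lateral_reach(src_ip):
    """List the (zone, port) pairs in other zones reachable from src_ip's zone."""
    src = zone_of(src_ip)
    return sorted((d, p) for (s, d, p) in ALLOWED_FLOWS if s == src and d != src)
```

`lateral_reach` gives a quick view of how far a compromise in one zone could spread: the smaller the list, the smaller the potential impact of an incident.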

Set adaptive access policies

When implementing a zero trust security model, you must limit access privileges for users. They should only have permission to view and use the files and resources they need to do their jobs. This means an associate-level graphic designer should not have access to the same apps and files as a mid-level accounting manager.

In addition to access policies based on job roles, you can set restrictions depending on applications, devices, and locations. Access management tools like Duo can grant or block login attempts based on the network address users are logging in from. They can also be programmed to provide limited data access to company-registered devices being used outside the corporate network.

Establish trusted devices

Validating the safety of devices is key to zero trust security. Every device used to access company files must be registered in your endpoint management system so it can be verified and monitored at all times.

Duo’s device remediation features evaluate the health of company-registered devices and ensure they meet security requirements. Duo looks for security issues like outdated operating systems, unpatched firewalls and antivirus software, or signs of jailbreaking. If the device is deemed unsafe, login attempts are blocked and access privileges are denied until the issues are resolved. This enforces the idea that only employees who proactively fix device security risks should be granted access to company resources.
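The role, location and device checks from the last two sections can be combined into one access decision. This is an added example, not code from the original article and not Duo's API; the device inventory, address range, OS baseline and resource names are constructed, and "limited access" is modelled as sensitive resources being unavailable outside the corporate network.

```python
import ipaddress
from dataclasses import dataclass

CORPORATE_NET = ipaddress.ip_network("203.0.113.0/24")  # constructed range
MIN_OS_VERSION = (14, 0)                                 # assumed patch baseline
REGISTERED_DEVICES = {"LAPTOP-001", "PHONE-007"}         # constructed inventory
ROLE_RESOURCES = {                                       # least privilege by role
    "graphic_designer": {"design_files"},
    "accounting_manager": {"ledger", "payroll"},
}
SENSITIVE = {"payroll"}  # assumed: reachable only from the corporate network


@dataclass
class Request:
    role: str
    resource: str
    device_id: str
    os_version: tuple
    jailbroken: bool
    source_ip: str


def decide(req):
    """Return (decision, reason); every check must pass before access is granted."""
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return "deny", "resource not needed for role"
    if req.device_id not in REGISTERED_DEVICES:
        return "deny", "device not registered"
    if req.jailbroken:
        return "deny", "device jailbroken"
    if req.os_version < MIN_OS_VERSION:
        return "deny", "operating system out of date"
    on_corp = ipaddress.ip_address(req.source_ip) in CORPORATE_NET
    if not on_corp and req.resource in SENSITIVE:
        return "deny", "sensitive resource requires corporate network"
    return "allow", "all checks passed"
```

Returning the reason alongside the decision lets the login page tell the employee what to fix (for example, update the operating system) before trying again.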

Zero trust security frameworks are quickly becoming the norm, but they’re not something you set and forget. Devices must be constantly updated, access privileges should be reviewed frequently, and employees need security training. Handling these tasks and implementing the technology required for zero trust can be tough, and that’s why you need Empower IT. As one of Australia’s leading managed IT services providers, we offer the best solutions required for zero trust security. Call us today, whether you need Duo security systems or expert advice.