Zero Trust: Why Your Firm Should Care

The continued demand for lawyers and staff to access their firms’ sensitive information remotely has brought a host of security challenges. Some firms have found a solution to these risks in the form of ‘zero trust’ security protocols.

Steve Whiter, director at Appurity, offers an explanation of the concept of zero trust and the circumstances under which it might be right for your firm.

Zero trust – it sounds ominous. Is it impossible to have even the slightest smattering of trust in anything? Sadly, when it comes to your firm’s cybersecurity, a zero trust approach is becoming a de facto standard.

In essence, the notion of zero trust in terms of security is the mantra that you do not automatically trust anything inside or outside of your network perimeters. Rather, you must verify anything and everything that attempts to connect to your IT systems before access is approved. Why has it become necessary to adopt such seemingly draconian security measures? In a word, breaches.

Your firm (like all the others) handles a great deal of sensitive information – that is the nature of the beast. We are talking about things like corporate intellectual property, personal client information and even financial data. It is also likely that a significant proportion of this information is accessible to your people via their smart devices or laptops. Factor in the massive increase in COVID-enforced remote working that all firms have witnessed, and the demand for accessing your firm’s networks from outside the ‘normal’ perimeters will probably have sky-rocketed. Your firm’s IT team needs to grapple with an entirely different IT landscape… one which operates largely outside of the traditional centralised network.

With these challenges come the opportunities for cybercriminals to get their hands on all of that valuable information. The attack surface is now much larger, potential entry points more numerous. Under these circumstances, a zero trust approach to your security really does begin to make sense as you look to lock down your defences.

But before you fully commit, what are some of the considerations to take into account before investing in Zero Trust Network Architecture (ZTNA)? Here are the key factors.

Ease of deployment

An important facet of your initial considerations should be the ease of deployment and scale, i.e. whether any investment will support the firm’s needs to allow for appropriate growth and expansion. Any successful implementation relies on simple and straightforward onboarding processes for users. Similarly, stick with technology that is easy to manage and that does not require a particularly specialised skill set. Also bear in mind what deployment model suits your needs best – on premises, SaaS-hosted or perhaps a private cloud?

The challenge of legacy apps

‘Legacy apps’ are software programmes that are outdated or obsolete. Such apps are part of the network and could be things like the mainframe or HR systems, which are too commonly left out from the ZTNA. With the proliferation in working from home (WFH), the use of remote desktop protocol (RDP) has gone through the roof, so check with your intended solutions provider exactly how support for RDP will be achieved.

Historically, the challenge with many legacy apps has been that it is too expensive to re-architect the systems in which they exist. If such legacy apps are then ignored in the ZTNA approach, they can become the weakest link.

Conditional access

We have already touched on the impact that COVID has had on remote working. However, the truth is that this shift was already starting to happen before the pandemic, with firms planning on the cultural and technical changes that needed to be made. Though it remains unclear for most firms precisely how their people will be working moving forward, it is clear that some kind of flexible working arrangements will exist. Whether it is remote, WFH or hybrid, your people will still need secure access to any applications.

To make things easier, your firm can protect access to apps by employing a management process known as conditional access. In this way, a single policy per user can provide access to an application, whether that person is working from home or at the firm’s HQ. Conditional access policies provide access only to authorised users and only to the apps that they specifically need.
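An added illustration of the conditional access idea above (example code written for this article, not any vendor's product logic): the same four requests are judged first by a perimeter rule that trusts the office network, then by a default-deny policy held per user. The user names, app names, `verified` flag and sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: one policy per user, listing only the apps that user needs.
POLICIES = {
    "alice": {"document-management", "time-recording"},
    "bob": {"hr-system"},
}

@dataclass(frozen=True)
class Request:
    user: str
    app: str
    location: str   # "hq" or "home"; recorded, but never used to grant access
    verified: bool  # True only if the user's identity was verified for this request

def perimeter_decision(req: Request) -> bool:
    """Legacy perimeter model: anything arriving from inside the office is trusted."""
    return req.location == "hq"

def conditional_access_decision(req: Request) -> bool:
    """Zero trust: default deny; verify first, then check the user's own policy."""
    if not req.verified:
        return False
    allowed_apps = POLICIES.get(req.user, set())  # unknown user -> empty policy
    return req.app in allowed_apps

def compare(requests):
    """Return (request, perimeter result, conditional access result) per request."""
    return [(r, perimeter_decision(r), conditional_access_decision(r)) for r in requests]

# Constructed sample requests.
SAMPLE_REQUESTS = [
    Request("alice", "document-management", "home", True),  # remote, verified, needed app
    Request("alice", "document-management", "hq", True),    # same policy applies at HQ
    Request("alice", "hr-system", "hq", True),               # inside, but app not in policy
    Request("mallory", "hr-system", "hq", False),            # inside network, unverified
]

if __name__ == "__main__":
    for req, old, new in compare(SAMPLE_REQUESTS):
        print(f"{req.user:8} {req.app:20} {req.location:5} "
              f"perimeter={old!s:5} conditional={new}")
```

The two models disagree on three of the four requests: the perimeter rule blocks the verified home worker and admits both the out-of-policy and the unverified request from inside the office.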

Agent or agentless monitoring? 

Essentially, when we refer to ‘agentless’ we are describing an operating environment where no service or other process needs to run in the background on the machine. The use of an ‘agent’ typically ends up complicating the overall deployment, and it can also interfere with any VPN service or any other agents in use. At the end of the day, both agent-based and agentless monitoring are able to meet the needs of different users – it ultimately boils down to monitoring requirements. But agentless monitoring offers less complexity and works seamlessly with networks and storage devices.

The demand for accessing your firm’s networks from outside the ‘normal’ perimeters is going up. Your firm’s IT landscape has shifted – it now operates largely outside of the traditional centralised network. Cyber thieves now have a much larger attack surface to play with, so adopting a zero trust approach to your security offers up a truly robust defence.

 

Steve Whiter, Director

Appurity Limited

Clare Park Farm, Unit 2 The Courtyard Upper, Farnham GU10 5DT

Tel: +44 0330 660 0277

E: info@appurity.co.uk

 

Steve Whiter has been in the industry for 30 years and has extensive knowledge of secure mobile solutions. For over 10 years, Steve has worked with the team at Appurity to provide customers with secure mobile solutions and apps that enhance productivity but also meet regulations such as ISO and Cyber Essentials Plus.

Appurity is a UK-based company that offers mobile, cloud, data and cybersecurity solutions and applications to businesses. Its staff draw upon a wealth of in-depth knowledge in industry-leading technologies to aid their clients in developing secure and efficient mobile strategies. Working closely with its technology partners that include Lookout, NetMotion, Google, Apple, Samsung, BlackBerry and MobileIron/Ivanti, Appurity is delivering mobile initiatives to customers across multiple verticals such as legal, financial, retail and public sector.
