49 FEB 2022 | WWW.LAWYER-MONTHLY.COM ZERO TRUST: WHY YOUR FIRM SHOULD CARE Under these circumstances, a zero trust approach to your security really does begin to make sense as you look to lock down your defences. But before you fully commit, what are some of the considerations to take into account before investing in Zero Trust Network Architecture (ZTNA)? Here are the key factors. Ease of deployment An important facet of your initial considerations should be the ease of deployment and scale, i.e. whether any investment will support the firm's needs to allow for appropriate growth and expansion. Any successful implementation relies on simple and straightforward onboarding processes for users. Similarly, stick with technology that is easy to manage and that does not require a particularly specialised skill set. Also bear in mind what deployment model suits your needs best – on premises, SaaS-hosted or perhaps a private cloud? The challenge of legacy apps ‘Legacy apps’ are software programmes that are outdated or obsolete. Such apps are part of the network and could be things like the mainframe or HR systems, which are too commonly left out from the ZTNA. With the proliferation in working from home (WFH), the use of remote desktop protocol (RDP) has gone through the roof, so check with your intended solutions provider exactly how support for RDP will be achieved. Historically, many legacy apps throw up the challenge of being too expensive to rearchitect the systems in which they exist. If, in that case, such legacy apps are ignored in the ZTNA approach, they can become the weakest link. Conditional access We have already touched on the impact that COVID has had on remote working. However, the truth is that this shift was already starting to happen before the pandemic, with firms planning on the cultural and technical changes that needed to be made. Though it remains unclear for provide access only to authorised users and only to the apps that they specifically need. Agent or agentless monitoring? Essentially, when we refer to ‘agentless’ we are describing an operating environment where no service or other process needs to run in the background on the machine. The use of an ‘agent’ typically ends up complicating the overall deployment, and it can also interfere with any VPN service or any other agents in use. At the end of the day, both agent-based and agentless monitoring are able to meet the needs of different users – it ultimately boils down to monitoring requirements. But agentless monitoring offers less complexity and works seamlessly with networks and storage devices. The demand for accessing your firm’s networks from outside the ‘normal’ perimeters is going up. Your firm’s IT landscape has shifted - it now operates largely outside of the traditional centralised network. Cyber thieves now have a much larger attack surface to play with, so adopting a zero trust approach to your security offers up a truly robust defence. most firms precisely how their people will be working moving forward, it is clear that some kind of flexible working arrangements will exist. Whether it is remote, WFH or hybrid, your people will still need secure access to any applications. To make things easier, your firm can protect access to apps by employing a management process known as conditional access. In this way, a single policy per user can provide access to an application, whether that person is working from home or at the firm’s HQ. Conditional access policies Cyber thieves now have a much larger attack surface to play with, so adopting a zero trust approach to your security offers up a truly robust defence.