Zero Trust Security: What BC Practitioners Need to Know
Zero Trust is the emerging approach to network security that requires verification of all traffic, external and internal. Here’s what business continuity professionals need to know about the rigorous new security framework that is designed to protect organizations from hackers and their bots.
Related on MHA Consulting: Get Cyber Smart: How to Make Sure Recovery Plans Align with Information Security Needs
Defining Zero Trust
A promising defense against today’s serious information security challenges has emerged in the form of the Zero Trust security framework, an approach that treats all access requests the same, whether they are coming from inside or outside the company network.
In this case, treating all access requests the same means it mistrusts everyone equally.
A detailed discussion of Zero Trust is outside scope of the blog, but here’s an introduction pitched to the needs of BC practitioners.
Traditional network security is perimeter-based. Users inside the perimeter are trusted by the system and relatively free to come and go. Over the past several years, hackers have shown this approach to be highly vulnerable, and as a result the Zero Trust framework was developed.
Zero Trust is a technical solution to the need to validate users seeking access to network resources. It vets every user for every request every time, regardless of whether they are coming from inside or outside the company network.
It’s a passwordless solution that validates would-be users through several layers of technology to make sure they are who they say they are.
Once it’s in place, Zero Trust is highly secure and very convenient.
However, because setting it up involves rebuilding much of the organization’s network security architecture, implementing it is a serious burden and a major project, one that typically takes multiple years. For these reasons, we’re unlikely to see a mass migration toward Zero Trust anytime soon.
What BC Professionals Need to Know
What do you as a business continuity professional need to know about Zero Trust?
First, you should know what it is. If you’ve read this far, you can check that off your list.
Second, you should keep your ears pricked up for any discussion about implementing Zero Trust at your organization. You don’t have to worry about being taken by surprise; it’s not just going to show up one day. If it does happen, it will be a major strategic project and take a long time to implement.
Third, if your organization were to switch to Zero Trust, your part in the process would be a familiar one: making sure the organization’s recovery plans and strategies are in alignment with IT. The new aspect would be that now being “in alignment with IT” would mean being compatible with your organization’s shiny new Zero Trust security framework.
Ensuring Access for Backup Devices and Personnel
Let’s get more specific about the challenges a BC office is likely to encounter in bringing recovery plans and strategies into alignment with a Zero Trust network.
The challenges are likely to fall into two areas: devices and people.
As mentioned, Zero Trust environments mistrust everything and everyone.
So what happens when, during an outage, employees start attempting to use backup devices, such as their home computers, to access the network? If the proper arrangements haven’t been made ahead of time, nothing at all will happen—the devices won’t be allowed to connect. BC needs to work with IT in advance to make sure the system recognizes and will admit any alternate devices whose use is envisioned in the recovery plan.
The need is similar with regard to people. It is common for recovery plans and strategies to identify substitutes to perform various roles during an event. A Zero Trust system will deny access to any substitute who is not specifically cleared at the level of the security architecture (this is more complicated than simply changing the active directory profile). Just as with equipment, BC and IT need to work together in advance to make sure all alternate workers whose participation is anticipated by the recovery plan will have system access during an outage.
Keeping Informed, Staying Alert
Zero Trust security, by treating all access requests with suspicion, can greatly strengthen an organization’s protection against cyber threats. However, implementing it demands a significant overhaul of network security architecture, and at least in the near future its adoption is liable to limited.
For the time being, BC practitioners’ in this area are likely to be limited to familiarizing themselves with Zero Trust and staying alert for organizational discussions about it. If their organizations do move toward a Zero Trust model, they will need to collaborate with IT to ensure their organizations’ recovery plans and strategies, particularly with regard to devices and personnel, are fully compatible with the new security framework.
Further Reading
- Getting in Sync: Eliminating Recovery Strategy Gaps between BC and IT
- Be a Hard Target: Train Your Employees in Security Awareness
- Get Cyber Smart: How to Make Sure Recovery Plans Align with Information Security Needs
- Learning to Talk to Your IT/DR Colleagues
- Fire and Rain: Adapting to an Era of Global Instability
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
