Understanding the concept of ‘Zero Trust’

Penetration Testing Experts


In many cybersecurity discussions these days, you hear the term ‘zero trust.’ People are proclaiming it as the new, best way to keep an organisation safe from the wave of cybercrime which has broken over Britain’s shores in the last year.


It’s important to understand what it really is, what the benefits and shortfalls are of zero trust, and why it might not be the solution for everyone.


The NCSC wrote an article recently that provided a good explainer. “Zero trust is the idea of removing inherent trust from the network,” it noted. “Just because a device is within the internal “trusted” side of a firewall or VPN, it should not be trusted by default.”


The idea is that instead of simply trusting a device because it falls within your safe perimeter, zero trust lets you build confidence in the transactions which are taking place. “You can do this by developing a context through the inspection of a number of signals. These signals are pieces of information like device health or location, and can give the confidence needed to grant access to a resource.”


Many companies have relied on a ‘walled garden’ concept for security up to this point. But at a time when the pandemic has driven many employees to work from home and use multiple devices to communicate, the walled garden approach needs another layer.


‘Zero trust builds on the concept of a walled garden by always verifying access requests to services and using a number of signals to build context.’




It’s very important to take other considerations into account before opting for the zero trust approach, for example ‘other security properties the VPN provides that you may not have access to without it, such as enabling legacy systems to work remotely.’


The NSCS wants British businesses to be aware that ‘If you haven’t properly considered the pros and cons, you may be buying yourself trouble down the line – the benefits don’t always warrant the additional work.’


Of course there is a cost implication to reconfigure your security settings, and there is a risk of disruption to your services too, although that should be minimal if your security provider knows what they are doing.


The other thing to know is that your older, legacy platforms might not work within a zero trust environment. Some legacy systemd don’t support the latest authentication methods and removing a security layer that does work for them to apply zero trust doesn’t make any sense.


So those are a few considerations to be aware of.


Besides that, there are a number of clear benefits to zero trust. For example, it makes life much more difficult for a hacker when every action that a user or device takes requires a policy decision, instead of just a blanket pass from inside the walled garden. It’s also much more relevant to the ways we work today which are generally mobile-first, remote and cloud-based operations.


Deeper security allows for greater collaboration and a shared sense of trust between two parties. In the words of the NSCS, ‘Greater control over data access means you can grant access to specific data with the knowledge that only the intended audience will be able to view the exact documents you have shared with them.’


Zero trust seems to be gaining ground in the UK, and that’s fine but you do need to know exactly what it is and if it’s suitable for the structure of your business.

Get in touch with 2|SEC today for an honest assessment of your security setup and to find out whether zero trust is right for you.

Scroll to Top