During the Cold War, the U.S.’s mantra was “trust, but verify.” In the fight against cyberattackers, the new mantra is “never trust, always verify.”
Nonprofit organizations once protected their IT environments by creating a perimeter around their networks. Everyone inside the network was a trusted user, while everyone outside the network was not. The only problem, notes The Nonprofit Times, was that hackers would have access to everything — up to and including a nonprofit’s most sensitive data — if they managed to breach the network.
Over time, the concept of creating a perimeter around the network has broken down. For one thing, many nonprofits are using cloud computing to house much of their sensitive data outside of the organization. Also, increasing mobility means users are often accessing resources from home or while traveling, further dissolving the perimeter. As a result, the location of users can no longer automatically render them trustworthy. Instead, organizations must create a perimeter around each individual user.
What ‘Zero Trust’ Means
Zero trust is a new security strategy that sprang up in response to the idea that organizations can no longer rely on the network perimeter to assess trust. In a zero-trust model, notes identity management solution vendor Okta on its website, “people are the new perimeter.”
In a white paper on the topic, Forrester describes zero trust as “an architectural model for how security teams should redesign networks into secure microperimeters, increase data security through obfuscation techniques, limit the risks associated with excessive user privileges, and dramatically improve security detection and response through analytics and automation.”
To ensure all resources are accessed in a secure manner, Forrester advises organizations to treat all traffic and users the same — even if the person requesting access is the nonprofit’s executive director, sitting at his or her desk. Organizations taking a zero-trust approach should adopt a “least privilege” strategy, Forrester notes, providing employees the minimal level of access needed to do their jobs. They should also inspect and log all traffic for suspicious activity.
Forrester goes so far as to say traditional approaches to cybersecurity “can’t mitigate the consequences of a breach,” and calls zero trust “the only approach to security that works.”
How to Put Zero Trust into Practice
Forrester advises that organizations follow these five steps when implementing a zero-trust strategy:
- Identify sensitive data and segment the network. Data should be lumped into three overarching categories: “public” (where loss won’t cause harm), “toxic” (where loss is undesirable but harm will be minimal) and “radioactive” (where loss results in compliance violations or other substantial harm to donors, employees or clients).
- Map the flow of sensitive data. Engage a team to locate and map all dependent network and computer objects, leveraging data flow and network diagrams from compliance initiatives where possible.
- Architect a zero-trust security network. Create microperimeters around sensitive data and enforce them with next-generation firewalls or other approaches.
- Create policies to enforce access controls and segmentation. Organizations should adopt an identity management and governance platform that provides user account provisioning, role management, access request management and access certification. Security teams should also configure, audit and optimize rule sets in network access controls and other network-based solutions.
- Continuously monitor the network. Security teams should carefully examine network traffic to identify signs of malicious behavior.
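The following is an added example, not code from the article, Forrester or Okta. It turns the steps above and the “least privilege” and “log all traffic” advice into a small, runnable access-decision function: resources are classed as public, toxic or radioactive; a least-privilege policy says which roles may reach each one and whether a strongly verified (MFA) session is needed; the requester's network location is recorded but never influences the outcome; and every decision is written to a log for monitoring. The resource names, roles, policy rules and sample requests are all constructed for the demonstration.

```python
"""Added example of a zero-trust access decision, not the article's own code.

Illustrates: classify data (public/toxic/radioactive), enforce least
privilege by role, ignore network location, and log every decision.
Every resource, role and request below is a constructed sample.
"""
from dataclasses import dataclass

# Sensitivity classes from the article, ordered least to most sensitive.
SENSITIVITY = {"public": 0, "toxic": 1, "radioactive": 2}

# Constructed resource inventory (step 1: identify and classify sensitive data).
RESOURCES = {
    "newsletter-archive": "public",
    "volunteer-roster": "toxic",
    "donor-database": "radioactive",
}

# Constructed least-privilege policy (step 4): which roles may touch each
# resource and whether an MFA-verified session is required to do so.
POLICY = {
    "newsletter-archive": {"roles": {"staff", "volunteer", "finance"}, "require_mfa": False},
    "volunteer-roster": {"roles": {"staff", "finance"}, "require_mfa": True},
    "donor-database": {"roles": {"finance"}, "require_mfa": True},
}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    mfa_verified: bool
    device_compliant: bool
    source_network: str  # "office" or "internet"; logged but never trusted


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request, log: list) -> Decision:
    """Decide one access request and append the outcome to `log` (step 5)."""
    sensitivity = RESOURCES.get(req.resource)
    rule = POLICY.get(req.resource)
    if sensitivity is None or rule is None:
        decision = Decision(False, "unknown resource: default deny")
    elif req.role not in rule["roles"]:
        decision = Decision(False, f"role {req.role!r} not entitled to {req.resource!r}")
    elif rule["require_mfa"] and not req.mfa_verified:
        decision = Decision(False, "MFA required for this resource")
    elif SENSITIVITY[sensitivity] >= SENSITIVITY["toxic"] and not req.device_compliant:
        decision = Decision(False, "non-compliant device cannot reach sensitive data")
    else:
        decision = Decision(True, "identity, role and device verified")
    # source_network is recorded for analysis but took no part in the decision:
    # "never trust, always verify" applies equally to the office LAN.
    log.append(
        f"user={req.user} role={req.role} resource={req.resource} "
        f"network={req.source_network} allowed={decision.allowed} reason={decision.reason}"
    )
    return decision


def run_demo() -> list:
    """Evaluate a few constructed requests and return the decision log."""
    log: list = []
    samples = [
        # Executive director at her office desk, no MFA: location earns nothing.
        Request("director", "staff", "donor-database", False, True, "office"),
        # Finance officer working remotely with MFA on a compliant laptop: allowed.
        Request("treasurer", "finance", "donor-database", True, True, "internet"),
        # Staff member without MFA asking for the volunteer roster: denied.
        Request("coordinator", "staff", "volunteer-roster", False, True, "office"),
        # Anyone may read public material, even from an unmanaged device.
        Request("volunteer1", "volunteer", "newsletter-archive", False, False, "internet"),
    ]
    for req in samples:
        evaluate(req, log)
    return log


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point of the demo is the first two requests: the executive director sitting in the office is refused the donor database because her role does not carry that entitlement, while the finance officer on a home connection is admitted because identity, MFA and device state all check out. Real deployments would read the policy from an identity governance platform and ship the log to a SIEM, but the decision shape stays the same.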
To earn the ongoing trust of donors, clients and employees, nonprofit organizations must keep their data secure. And to keep data secure, organizations may need to apply a zero-trust strategy to network security.