Zero Trust Networks: Building Secure Systems in Untrusted Networks by Razi Rais.
Razi holds a BS in Computer Science from Karachi University and a master's in Computer Science from Shaheed Zulfikar Ali Bhutto Institute of Science and Technology. Today Razi is a Microsoft Senior Product Manager for Microsoft Security + AI.
Zero Trust is yet another confusing and misleading security phrase, one that confuses almost everyone, including IT teams. Yet it is a very critical network security strategy, and it is needed today more than ever before. The strategy assumes no user or device is trustworthy by default. It requires all users to authenticate with their devices before accessing networks, applications and data.
The core concept is simple: assume breach. As odd as this may sound at first, continuous monitoring and logging of user and device activity will detect threats. Network traffic is inspected, and each request is verified against the organization's access policy. This greatly reduces the risk of insider threats and helps with data protection. It also addresses the unknowing misuse of employees' personal home computers that lack the security standards set by their organization. Even in 2024, employees' home computers still lack anti-virus, malware, or identity theft protection.
We live in a world demanding Zero Trust
The book includes case studies of several zero trust implementations and examines architectures, standards, and frameworks. These include the National Institute of Standards and Technology (NIST), the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), and the US Department of Defense (DoD). All are solid, well-defined strategies to embrace.
Consider the pandemic and the rush to keep employees connected remotely. This resulted in an enormous increase in risk. Most organizations, in fact, were still running on a traditional perimeter defense: the idea that all computers within an organization are onsite and physically connected via Ethernet to the organization's network. The explosion of remote work was just beginning, and almost every organization was caught off guard. This is further documented in Eric Cole's Cyber Crisis.
Razi reveals that this strategy permits IT and network teams to focus on building strong authentication and authorization while providing limited access for more efficient agility.
Understand that Zero Trust has become a critical risk mitigation strategy. One only needs to read about the latest (and always seemingly ongoing) company to be hacked by an employee connecting with their home laptop that never should have been permitted access. You do not have to look far. This is exactly what adversaries and cyber criminals are counting on. An expansion of Razi's 'Humans in the Loop' should focus on organizational culture and behavioral science. Any organization's policies will never be enough when employees know how to (and do) sidestep security measures and bring their own devices from home to connect to their organization's network.
In conclusion, Razi provides a needed resource for IT teams. Perhaps the biggest challenge is deploying Zero Trust within your existing infrastructure. Zero Trust is not a software application; it is a critical network security strategy.