When it comes to law firm cybersecurity, “trust, but verify” is a good approach.
But a “zero trust” mindset is even better.
The term “zero trust” – also called zero trust architecture, zero trust network access, or perimeterless security – has been bouncing around the IT world since the 1990s. But only recently has it entered the mainstream.
“Trust but verify” is like locking the front door to your law office. Nobody gets in until they are verified, but once they’re in, they can wander around the entire office – the lobby, computer room, break room, wherever. Under a “zero trust” philosophy, nobody gets in until verified. But once in, they are further restricted as to what rooms they can enter and what they can do once inside.
In practice, this is done by giving employees access only to the specific tools, equipment and data needed to do their job – not a general “hall pass” to wander throughout the building.
“Zero trust is the cybersecurity equivalent of the slam, lock and nail approach,” says this article in Forbes. “Zero trust assumes every user, device and service that attempts to connect to a network is hostile until proven otherwise. The fundamental principle of zero trust is to secure an organization’s data wherever it might live, while allowing only legitimate users and entities access to relevant resources and assets.”
A zero trust approach is especially important when a law firm stores data in multiple places (i.e., on-site, in the cloud, off premises, at various branch offices, etc.).
“[It] is a whitelist method for granting access, based on a device, user credentials and behavior,” according to Forbes. “Security personnel need to apply authentication permissions, including multi-factor authentication at the device- and user-level for each session, ensuring continuous and adaptive authorization.”
Zero trust starts with an assumption that every connection and endpoint is a threat and operates on the principle of least privilege (PoLP).
“Essentially, a user or program should have the minimum privileges (or, to follow the metaphor, house keys) necessary to perform their job,” says business writer Emily Heaslip for the US Chamber of Commerce. “For instance, only an employee whose job it is to transfer payment to your vendors should have access to the vendor’s bank account details.”
5 Core Principles of Zero Trust
The following is from the Forbes article:
1. Assume the network is always hostile.
2. Accept that external and internal threats are always on the network.
3. Know that the location of a corporate network or cloud provider locality is not enough to decide to trust a network.
4. Authenticate and authorize every device, user and network flow.
5. Implement policies that are dynamic and calculated from as many data sources as possible.
Read “5 Core Principles of Zero Trust” in Forbes.
Steps to Implement Zero Trust
· Advanced detection
· Automation and orchestration
· Enrichment
· Expansion
· Normalization
· Collection
Sources: 5 Core Principles Of The Zero Trust Model Of Cybersecurity (forbes.com); US Chamber of Commerce newsletter CO