(Hong Kong, 9 June 2022) For a long time, it has been commonly perceived that a stable and secure relationship between people and nations is built on the important cornerstone of “trust”. In recent years, however, those in the cyber security sector have suggested the contrary: that only “Zero Trust” can ensure everyone’s security. The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) of the Hong Kong Productivity Council recently published a security blog introducing the “Zero Trust” architecture, covering its concept, benefits, design and implementation. The main points of the article are as follows:
The overriding principle of “Zero Trust” is simply “Never Trust, Always Verify”. It rejects the notion that the traditional corporate network protected by a perimeter firewall is inherently secure, and stresses that access within the internal network must also be verified and authorised.
The U.S. National Institute of Standards and Technology (NIST) formulated the standard for “Zero Trust” architecture (NIST SP 800-207) and issued it in 2020. The standard sets out seven criteria:
1. All data sources and computing services are considered “resources”;
2. All communications must be secured regardless of the network location;
3. Access to individual enterprise resources is granted on a per-session basis;
4. Access to resources is determined by dynamic policy;
5. The enterprise must ensure, and continuously monitor, that all owned and associated assets are maintained in the most secure state;
6. All resource authentication and authorisation are dynamic and strictly enforced before access is allowed;
7. The enterprise collects as much information as possible about the current state of the network infrastructure and communications, and uses it to improve its security posture.
With micro-segmentation, system administrators can create policies that limit network traffic between workloads following a “Zero Trust” approach. The principle of least privilege can be applied in the micro-segmentation design. For example, employees from department “A” are limited to accessing the systems of their own department, while those from department “B” cannot access the systems of department “A”. Each subnet must be protected by a firewall.
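To show how the seven criteria and the micro-segmentation example above fit together, the following is an added illustration (not code from HKCERT, NIST or the blog post): a small policy decision function that evaluates every request per session against the user's identity and MFA state, the device's posture, a default-deny segmentation rule set between departments, and a decision log. The host inventory, department names and thresholds are constructed sample values.

```python
"""Added example: a minimal Zero Trust policy decision point.
Every request is evaluated per session (criterion 3) against dynamic
policy (4, 6), device posture (5) and default-deny micro-segmentation;
every decision is recorded for later review (7).
All hosts, departments and thresholds below are constructed sample data."""
from dataclasses import dataclass

# Constructed inventory: which department segment each asset belongs to.
# Any host not listed here is unknown and therefore untrusted (criterion 1).
SEGMENT_OF_HOST = {
    "hr-app-01": "A",
    "hr-db-01": "A",
    "finance-app-01": "B",
    "finance-db-01": "B",
}

# Explicit allow rules: (source segment, destination segment, destination port).
# Flows not listed are denied, which is what "Never Trust, Always Verify" means
# for east-west traffic between workloads.
ALLOWED_FLOWS = {
    ("A", "A", 443),
    ("A", "A", 5432),
    ("B", "B", 443),
    ("B", "B", 5432),
}

MAX_AUTH_AGE_S = 8 * 3600  # assumed re-authentication interval


@dataclass
class Device:
    device_id: str
    managed: bool
    patched: bool
    edr_healthy: bool


@dataclass
class Session:
    user: str
    department: str
    mfa_verified: bool
    device: Device
    src_host: str
    auth_age_s: int  # seconds since the user last authenticated


# Criterion 7: keep a record of every decision to improve the security posture.
DECISION_LOG: list[dict] = []


def device_posture_ok(device: Device) -> bool:
    """Criterion 5: the asset must be in its most secure state before access."""
    return device.managed and device.patched and device.edr_healthy


def segment_allows(src_host: str, dst_host: str, dst_port: int) -> bool:
    """Micro-segmentation check: allowed only if an explicit rule exists."""
    src_seg = SEGMENT_OF_HOST.get(src_host)
    dst_seg = SEGMENT_OF_HOST.get(dst_host)
    if src_seg is None or dst_seg is None:
        return False  # unknown assets are never trusted
    return (src_seg, dst_seg, dst_port) in ALLOWED_FLOWS


def decide(session: Session, dst_host: str, dst_port: int) -> tuple[bool, str]:
    """Per-request decision (criteria 3, 4, 6). Returns (allow, reason).

    The checks are ordered so the cheapest identity checks run first and the
    segmentation rule is consulted last; every outcome is logged."""
    if not session.mfa_verified:
        verdict = (False, "mfa_required")
    elif session.auth_age_s > MAX_AUTH_AGE_S:
        verdict = (False, "reauthentication_required")
    elif not device_posture_ok(session.device):
        verdict = (False, "device_posture_failed")
    elif session.department != SEGMENT_OF_HOST.get(dst_host):
        # Least privilege: department B may not reach department A's systems.
        verdict = (False, "cross_department_denied")
    elif not segment_allows(session.src_host, dst_host, dst_port):
        verdict = (False, "no_segment_rule")
    else:
        verdict = (True, "allowed")
    DECISION_LOG.append({
        "user": session.user, "src": session.src_host,
        "dst": dst_host, "port": dst_port, "reason": verdict[1],
    })
    return verdict


if __name__ == "__main__":
    good = Device("dev-1", managed=True, patched=True, edr_healthy=True)
    alice = Session("alice", "A", True, good, "hr-app-01", 600)
    bob = Session("bob", "B", True, good, "finance-app-01", 600)
    print(decide(alice, "hr-db-01", 5432))   # department A to its own DB
    print(decide(bob, "hr-db-01", 5432))     # department B reaching into A
    print(decide(alice, "hr-db-01", 22))     # no rule for this port
```

The point of the design is that nothing is decided at login and then remembered: `decide` is called for each request, so a device that falls out of compliance or a session that has aged past the re-authentication window is refused on its next access, and the log gives the review evidence the last criterion asks for.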
Companies can refer to NIST’s standards to implement Zero Trust in three phases:
1. Redesign the network with micro-segmentation;
2. Apply the Zero Trust approach to employees who need to access internal systems from outside the corporate network;
3. Apply the Zero Trust approach to the internal network.
Companies need to develop different security policies according to the needs of their own business. When considering the use of any technology or tool, they must clearly assess the corresponding risks and impacts. Even with a Zero Trust approach in place, regular review and testing remain necessary to reduce the risk and impact of cyber attacks and data breaches.
For more details, please visit:
https://www.hkcert.org/blog/information-security-utopia-starts-with-zero-trust-architecture