In an age of growing cybersecurity threats, Zero Trust principles are becoming more and more popular, and the need for them is increasing. Technological developments have overtaken the traditional view of security and the security policy of many organisations.

A security model

Zero Trust is a security model with a set of design principles that helps prevent attacks and data breaches. The concept is based on the recognition that traditional security models operate on the outdated assumption that everything inside an organisation’s network can be trusted.

Rooted in the principle of never trust, always verify, Zero Trust is designed to protect modern digital environments.

Jaap Meijer, Cyber Security & Privacy Officer, Huawei WEU Multi Country Cyber Security & Privacy Dept.

It uses fine-grained network segmentation and provides threat prevention at the edges of these segments. In addition, Zero Trust simplifies complex conditional user access control.

An architecture is Zero Trust if it adheres to the following set of design principles:

- Identify critical parts in the IT infrastructure and secure all paths to them.

- Only provide access to information over secure connections, regardless of location. 

- Maintain strict access control on a need-to-know basis.

- Determine the access rights based on the level of trust derived from various properties of the access request: account, device, IP address and location. 

- Provide for comprehensive monitoring, automation and logging.
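
The five principles above, expressed as a minimal policy decision function. This is an added example, not part of the original article; the resource names, accounts, weights and thresholds are constructed assumptions.

```python
import json, logging
from dataclasses import dataclass

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("pdp")

# Constructed policy data (assumptions for illustration, not from the article).
CRITICAL = {"billing-db"}                                    # principle 1: critical parts
GRANTS = {"alice": {"billing-db", "wiki"}, "bob": {"wiki"}}  # principle 3: need-to-know
WEIGHTS = {"mfa": 40, "managed_device": 30, "known_ip": 15, "expected_location": 15}
REQUIRED = {"critical": 85, "normal": 55}                    # minimum trust per class

@dataclass
class Request:
    account: str
    resource: str
    tls: bool                # connection is encrypted and authenticated
    mfa: bool                # account property
    managed_device: bool     # device property
    known_ip: bool           # IP address property
    expected_location: bool  # location property

def trust_score(req: Request) -> int:
    """Principle 4: trust is derived from properties of the request itself."""
    return sum(w for name, w in WEIGHTS.items() if getattr(req, name))

def decide(req: Request) -> tuple[bool, str]:
    score = trust_score(req)
    needed = REQUIRED["critical" if req.resource in CRITICAL else "normal"]
    if not req.tls:  # principle 2: secure connection required, wherever the user is
        allowed, reason = False, "insecure connection"
    elif req.resource not in GRANTS.get(req.account, set()):
        allowed, reason = False, "no need-to-know grant"
    elif score < needed:
        allowed, reason = False, f"trust {score} below required {needed}"
    else:
        allowed, reason = True, f"trust {score} meets required {needed}"
    # Principle 5: every decision, allow or deny, is logged as a structured event.
    log.info(json.dumps({"account": req.account, "resource": req.resource,
                         "allowed": allowed, "reason": reason}))
    return allowed, reason
```

Note that a request from a known IP address and expected location is still denied when the account holds no grant for the resource: network position adds trust but never replaces the access check.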

Objectives? External attack prevention

Organisations that embrace Zero Trust are less susceptible to external attacks and threats from within. Organisations are advised to draw up an action plan to ensure that they can apply Zero Trust in future investments. This plan should clarify what measures need to be taken to implement Zero Trust effectively.

More and more organisations are choosing to use Zero Trust principles when securing their IT infrastructure. They are looking for a security model that can effectively adapt to complex modern environments. In these environments, devices and data must be protected regardless of where they are located or the type of device used within organisations.

Zero Trust offers organisations the opportunity to limit their risks in this new situation. Zero Trust measures can remedy shortcomings in the traditional security model. For example, they make horizontal movement – moving between systems in search of data to infiltrate – more difficult within the network.

A level playing field for the industry

Huawei Technologies is a strong advocate of the Zero Trust model as this provides the foundation of a level playing field for all involved parties. Within Huawei we have also adopted the Zero Trust Model whereby we Assume nothing, Trust nobody and Check everything.

Today, there are many discussions in the industry about whether a supplier should be trusted if that supplier is suspected of having close ties with, or being under the influence of, a state, entity, or person. To overcome these concerns, more controls are needed to mitigate such risks.

It should therefore be considered to extend the Zero Trust principle to the supply chain as well, with supplier trust declarations and product verification and certification requirements that all suppliers of parts or services to critical infrastructure must comply with.

Elements of such trustworthiness declarations could include commitments to non-interference by third parties, data remaining in country/EU, supply chain transparency, no-backdoor commitments, responsible vulnerability disclosure, penalties in case of non-compliance, etc. Through such declarations we could truly develop a level playing field applicable to all suppliers.

The importance of verification and certification

A further step in the Zero Trust model would be the verification/certification of products, whereby product life-cycle development is scrutinised and the products are audited by independent accredited parties against the technical standards for such products.

A good example of such an approach is the 5G security knowledge base published by GSMA, which focuses on mitigating identified threats and implements elements of the Zero Trust approach by acknowledging that security is a shared responsibility. Another good example of network verification/certification can be found in the Network Equipment Assurance Scheme (NESAS) and Security Assurance Scheme (SCAS).

NESAS/SCAS is a standardised cybersecurity assessment mechanism specifically designed for the mobile industry. It was jointly defined by GSMA and 3GPP, the telecom industry’s leading standards-setting organisations. It delivers threat analysis, definitions for critical assets, security assurance methodology, and general security assurance requirements.

If the Zero Trust approach were structurally implemented in new ICT investments and combined with trustworthiness declarations, the 5G Security Knowledge Base and NESAS/SCAS verification, security could be lifted to a higher level at which supplier risk could also be managed efficiently, regardless of the origin of products.