What is zero trust security and why it’s essential for professional services firms

Bilal Mujahid
Head of Information Security, iManage
Bilal is responsible for all aspects of information security, including the Zero Trust security architecture.
27 August 2019

Data security breaches have become far too prevalent and sophisticated for even the biggest players to successfully manage.

You’ve probably heard recent news about the ones at Capital One and Facebook (I’ve lost count of the breaches there). But did you know that a major title insurer also left nearly a billion sensitive documents exposed to the internet?

These players are much larger than most professional services firms, so it’s likely that they already had in place the standard security provisions that many professional services firms have also deployed:

  • Firewalls
  • VPNs
  • Two-factor authentication
  • Encryption
  • SIEM/logging solutions
  • Intrusion Detection/Prevention
  • Phishing defenses

Clearly, these are no longer enough to prevent such major attacks—and the resulting fallout and fines that come with security breaches.

As data loss is now an existential threat for all types and sizes of organizations, it’s time for a new way to address security challenges. There needs to be a new framework that is comprehensive, pervasive, and unobtrusive, and that helps even smaller, non-technical companies, including professional services firms, stay ahead of fast-evolving security needs.

Enter Zero Trust.

What is Zero Trust?

Originally coined by Forrester Research in 2011 and extensively written about by many other researchers, Zero Trust is a blueprint for a new type of security architecture for organizations that’s based on a few fundamental principles. Two of these include:

  • The network is always assumed to be hostile.
  • External and internal threats exist on the network at all times.

In short, this means that organizations, including professional services firms, should no longer accept claims that their network (even their internal network behind layers of firewalls) is more secure than a system facing the internet. Zero Trust challenges firms to assume no level of implicit trust for their network, even with their system administrators.

Zero Trust is beneficial for firms that use systems both in the cloud and on-premises. It allows for new development and operational investments to secure a cloud environment, while also requiring more secure coding practice and constant knowledge sharing in an on-premises environment.

As a result of implementing Zero Trust, no one person would be able to execute a change to a system that can affect its security.

How Zero Trust is implemented

The Zero Trust model encompasses several requirements that break down network vulnerabilities in various areas.

First, it demands that there be no default paths between servers and a production network, between hosts and other hosts, or even between database servers, and that the network have no direct path to the internet. Instead, all connectivity must be explicitly authorized.
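As an added illustration (not iManage's code or configuration), the sketch below audits a set of allow-rules for the implicit paths this requirement rules out and evaluates flows on a default-deny basis. The rule format, rule names, addresses and the `INTERNAL` range are all constructed for the example.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed sample allow-rules; names and addresses are illustrative only.
RULES = [
    {"name": "web-to-app",   "src": "10.0.1.0/24",  "dst": "10.0.2.10/32", "port": 8443},
    {"name": "app-to-db",    "src": "10.0.2.10/32", "dst": "10.0.3.5/32",  "port": 5432},
    {"name": "db-replica",   "src": "10.0.3.5/32",  "dst": "10.0.3.6/32",  "port": 5432},
    {"name": "legacy-any",   "src": "10.0.0.0/16",  "dst": "10.0.0.0/16",  "port": None},
    {"name": "patch-egress", "src": "10.0.2.0/24",  "dst": "0.0.0.0/0",    "port": 443},
]

def audit(rules):
    """Return {rule name: [findings]} for rules that create implicit paths."""
    findings = {}
    for r in rules:
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        issues = []
        if r["port"] is None:
            issues.append("all ports open")
        if not dst.subnet_of(INTERNAL):
            issues.append("direct path to the internet")
        if src.overlaps(dst) and dst.num_addresses > 1:
            issues.append("hosts can reach their neighbours by default")
        if issues:
            findings[r["name"]] = issues
    return findings

def is_allowed(rules, src_ip, dst_ip, port):
    """Default deny: a flow passes only if an explicit rule names it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r["src"])
                and d in ipaddress.ip_network(r["dst"])
                and r["port"] in (None, port)):
            return True
    return False

if __name__ == "__main__":
    flagged = audit(RULES)
    for name, issues in flagged.items():
        print(f"{name}: {', '.join(issues)}")
    clean = [r for r in RULES if r["name"] not in flagged]
    print(is_allowed(clean, "10.0.3.5", "10.0.3.6", 5432))  # explicit rule
    print(is_allowed(clean, "10.0.3.6", "10.0.3.5", 5432))  # no rule: denied
```

With the broad `legacy-any` rule still present, the reverse database-to-database flow is silently permitted; once the flagged rules are removed, only the explicitly authorized direction passes.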

It also mandates that all systems are encrypted and calls for an additional layer of encryption that requires the automated management and protection of encryption keys. Cloud system vendors (or their architecture partners) keep the master key for their customers.

Zero Trust also requires that systems be built via automation, staged, and tested in a manner requiring no human access to any of the underlying infrastructure. Further, it calls for a rigorous vulnerability analysis of infrastructure, code, and libraries.

Using a Zero Trust partner

Implementing a Zero Trust architecture is extremely difficult. Only a few companies, for example Google, have been successful at retrofitting their network environments to comply with all the Zero Trust requirements. A few other large players, including an agency for the U.S. Department of Defense, are just now starting to look at implementing Zero Trust.

Given how hard it is to retrofit an existing environment to Zero Trust, a security-conscious customer can derive the benefits of this modern framework by transitioning to cloud applications that already have adopted the Zero Trust framework.

And iManage Security Policy Manager extends this compliance by enabling firms to execute such new security policies. Further, iManage Threat Manager detects suspicious activity whether your firm is on, transitioning to, or just looking at implementing Zero Trust.

To learn more about how iManage supports Zero Trust, and about the architecture itself, watch our technical webinar, “How Zero Trust Delivers Better Security.”
