Like most people, we lock up our house when we leave. However…
Members of my immediate family, as well as my sister and a trusted neighbor, have a key to the front door, effectively giving them 24/7 access to the entire house.
For others — deliveries, cleaning people, etc. — we only provide the garage door combination.
This distinction is important.
Close friends and family have complete access whenever they want. Others have either limited access (garage only for deliveries) or access to the entire house on a scheduled basis (house cleaning).
Zero Trust and Your Organization
The concept of locking a house is based on a simple principle: assume that everyone is a bad actor. Most people aren’t, of course, but by locking all the doors, we reduce the overall risk and can (literally) sleep better at night.
Further, and even among those who we want to let in, we differentiate by offering different levels of access to different people, based on who they are and why they are there.
In the world of cybersecurity, this mindset is known as the “Zero Trust Framework.” Simply put, the idea is to start by “locking all the doors”: granting zero permissions to every employee. From there, based on an analysis of job requirements, permissions are granted as needed.
For example, with Microsoft 365, all employees are given access to their own information. One level up, however, we may grant “help desk user” access to an individual whose job requires it, allowing them to do certain things that can impact a range of users.
Access to What You Need and No More
As a recent Wall Street Journal article (paywall) emphasized, the weakest link in security is people.
By using a Zero Trust approach and drawing a tight boundary around each individual’s ability to affect various parts of the organization, you can limit the damage that might occur should that individual be compromised. Bad actors who gain access to an employee’s account can only see and touch what that employee can see and touch.
Beyond security, there is an additional benefit to Zero Trust: fewer errors. By allowing employees access only to the things they need to perform their individual jobs, we reduce the likelihood that they inadvertently damage a system or process.
For example, consider an organization’s CRM. Broad access may be granted to marketing staff who need to update company contacts and phone numbers on a daily basis, while the ability to add or delete entire companies from the database is only given to a select few.
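The “start from zero, then grant what the job requires” idea from the Microsoft 365 and CRM examples above can be expressed as a default-deny permission check. The block below is an added illustration written for this post, not code from the original article or from any Microsoft 365 or CRM product; the role names, permission strings, scopes and sample users are all constructed assumptions. It also shows the point made earlier about compromised accounts: what an attacker holding a user’s credentials can reach on other people’s records is exactly what that user was granted, and nothing more.

```python
"""Default-deny (zero trust) permission check with per-role, per-scope grants.

Added example: everything here is constructed for illustration. The roles,
actions and scopes are assumptions, not a real product's permission model.
"""
from dataclasses import dataclass

# Role -> set of (action, scope) grants.
# Scope "self" means the user's own records only; "any" means anyone's records.
# Anything not listed here is denied: that is the "all doors locked" default.
ROLE_GRANTS = {
    # Every employee: their own mailbox and profile, nothing else.
    "employee": {("mailbox.read", "self"), ("profile.update", "self")},
    # Help desk: may reset passwords for a range of users (one level up).
    "help_desk": {("password.reset", "any")},
    # CRM marketing staff: update contacts, but cannot delete companies.
    "crm_marketing": {("crm.contact.update", "any")},
    # The select few: may also delete entire companies.
    "crm_admin": {("crm.contact.update", "any"), ("crm.company.delete", "any")},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # e.g. frozenset({"employee", "help_desk"})


def is_allowed(user: User, action: str, target_owner: str) -> bool:
    """Return True only if one of the user's roles explicitly grants `action`
    on the record owned by `target_owner`. Unknown roles, unknown actions and
    out-of-scope targets all fall through to the default: deny."""
    for role in user.roles:
        for granted_action, scope in ROLE_GRANTS.get(role, ()):
            if granted_action != action:
                continue
            if scope == "any" or (scope == "self" and target_owner == user.name):
                return True
    return False


def reachable_actions(user: User, other_user: str) -> set:
    """Blast radius of a compromised account: every action `user` could take
    on `other_user`'s records. A plain employee reaches nothing of others'."""
    all_actions = {action for grants in ROLE_GRANTS.values() for action, _ in grants}
    return {action for action in all_actions if is_allowed(user, action, other_user)}


if __name__ == "__main__":
    # Constructed sample users.
    alice = User("alice", frozenset({"employee"}))
    bob = User("bob", frozenset({"employee", "help_desk"}))
    maria = User("maria", frozenset({"employee", "crm_marketing"}))

    print(is_allowed(alice, "mailbox.read", "alice"))       # True  (own mailbox)
    print(is_allowed(alice, "mailbox.read", "bob"))         # False (someone else's)
    print(is_allowed(bob, "password.reset", "alice"))       # True  (help desk grant)
    print(is_allowed(maria, "crm.company.delete", "acme"))  # False (admins only)
    print(reachable_actions(alice, "bob"))                  # set()
    print(reachable_actions(maria, "bob"))                  # {'crm.contact.update'}
```

The design choice worth noting is that `is_allowed` has a single exit that returns `True` and otherwise falls through to `False`; adding a new action or role does not open anything until a grant is written down for it, which is what “start from zero” means in practice.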
Find the Right Balance
The Zero Trust Framework is not a new idea. However, it has increased in importance as the bad guys have grown in number and sophistication and, thanks in no small part to Covid, there are more home computers and remote workers in the mix than ever before.
That said, you are in business to do business, and if the security measures in place become too onerous, you will hamper your employees’ ability to remain productive. So you need to consider the tradeoffs and strike a balance between access and safety.
Start from zero, grant permissions carefully and on an as-needed basis, and keep in mind that the more “housekeys” you hand out, the more opportunity you provide for strangers to enter, walk around, and do damage.