Zero Trust and Law Firms

Zero Trust seems to be the latest in the long line of IT buzzwords. But what does it mean? Is it something Law Firms need to be concerned about? And, if so, how can you introduce it successfully? This blog explains it all.

The benefits of a Zero Trust approach

Breaking with blog tradition let’s start with the benefits. Zero Trust  provides high cyber security with lower IT infrastructure costs and a vastly simplified and improved user experience.

With every move to the cloud, Zero Trust becomes more important. Furthermore, the work-from-home arrangements, greatly increased during the pandemic, also make a move to Zero Trust approach more pressing. Zero Trust has the ability to significantly reduce your IT operating expenses, points of hardware and software failure and if done right can eliminate malware and ransomware.

Zero Trust has attracted a lot of headlines lately, but it’s not a new concept. 

The term was originally coined by John Kindervag, a Forrester research analyst in 2010. Kindervag said the security concept should be based on “never trust, always verify”.

This thinking represented a change in the way we approach cyber security.

Why we need a change in security approach

In traditional on-premises architectures, corporate networks were protected by expensive firewalls protecting their perimeter. External access was provided by secure VPN links. Once users, appliances, devices or applications were on the corporate network they were implicitly trusted.

Today, the traditional model of putting the majority of cyber security effort and expenditure into protecting the perimeter of a corporate network isn’t sufficient.

Cloud computing, as-a-service solutions, the Internet of Things and mobile and remote working mean the perimeter of the corporate network no longer exists in the same clearly definable way.  Does your network include your Microsoft 365 tenancy in an Azure datacentre? Does it stretch to Janet from accounts logging in from home on Monday morning? Or your cloud data lake? How about mobile devices? Or your printer’s connectivity to HP to request new ink cartridges?

With multiple routes in and out and with data and applications stored offsite and in the cloud, your corporate firewall just doesn’t cut it any more. Additional security measures need to be put in place. This is where the Zero Trust concept comes in.

Zero Trust means no longer implicitly trusting a user or device simply because it happens to have gained access to your corporate network. It means changing the implicit trust model to one where trust is only granted when and where needed when identity is confirmed and then only for as short a time as possible.

This is important because, if a malicious actor does make it on to your corporate network, they are no longer able to travel freely around it – and the potential damage they could do is greatly reduced.

How does Zero Trust work?

Gartner analyst Neil MacDonald has said that “Zero Trust is a way of thinking, not a specific technology or architecture.”

In other words, like so much in today’s computing, it’s not about investing in hardware. Rather, to successfully switch to a Zero Trust model, you need to change the way you think about security.

In practice, this means:

  • Rather than the default approach being “allow access” the default position should be “deny access”.
  • Implicit trust should be removed from all computing infrastructure – for both users and devices.  
  • Identity should be used as the foundation for new “perimeters”.
  • Trust levels should be continuously calculated and adapted per identity to allow just-in-time, just-enough access to computing resources.
  • Appropriate access should be determined based on context, e.g. date, time, geolocation, historical access and usage patterns, device security posture.

Consequently, identity management, access controls, monitoring and automation become more important components of your cyber security activities.

 

How to successfully introduce a Zero Trust approach to security

It might be tempting to focus on end-user access rights when thinking about Zero Trust, but this is only one – albeit important – part of the puzzle.

As Government Computer News points out, “Equally important are understanding and verifying system, service and function identities, including applications, workloads and devices that can gain access to applications and data… Agencies must have a way to discover and validate identities in use across the environment to validate the identity system of records and build appropriate zero-trust access policies.”

Real-time visibility of access, dependencies and relationships is vital to support the granular approach that Zero Trust requires. As a result, says GCN, “machine learning and real-time risk analysis and threat protection will become a necessity. So will the use of automation … to enforce security policies and detect anomalies, violations and incidents.”

For many organisations, this is a step change in the way they monitor and patrol their network. Seeking expert help is, therefore, required.

Cloudify offers advice on implementing a Zero Trust approach as part of your overall IT or cloud first strategy and, importantly, as part of your Actionstep practice management system implementation.

Law firms are choosing Actionstep as an all-in-one practice management platform that helps to increase competitiveness, deliver better client service, reduce expenditure and increase interoperability, scalability and availability.

When you implement Actionstep with Cloudify Legal, we’ll ensure that you also use the platform implementation to advance your cyber security posture by taking a Zero Trust approach. This means that giving your team the flexibility, mobility and agility they need will not come at the price of compromising your cyber security posture. Rather, we’ll help you strengthen it, and reduce your operational costs.

If you have questions about Zero Trust – or other cyber security issues – our team is always happy to answer your questions. Please get in touch: +44 1865 521 039 or email us at info@cloudify.legal