Managing Insider Threats with Zero Trust Model

An insider refers to employees and others who have been granted system access to perform certain tasks. The definition of insider expands to non-employees such as consultants, customers, vendors and third parties who equally have an established identity within the organization and access to various systems.

10 Steps to Build an Insider Threat Management Program with a Zero Trust Model

What is Insider Threat?

Insiders have certain access to systems to perform tasks related to their job duties. The combination of all the information and access they possess can ultimately pose an insider threat to the organization and inflict damage on it, whether the insider's action is intentional and malicious, or is caused by error, accident or negligence. Negligence can also lead to the compromise of the insider's access credentials through various hacking methods. Insider threats include identity theft and fraud, theft of intellectual property, as well as reduced data integrity and system availability.

One way organizations can mitigate insider threats is through the Zero Trust model, which stresses the importance of not blindly trusting anyone who attempts to access a system or initiate a transaction, even individuals who have already been granted access privileges.

Brief History of Zero Trust

The concept of a zero trust policy was first introduced in 2010 by an analyst at Forrester Research. The concept took some time to be accepted across industries, and Google was among the first organizations to announce that it had adopted a zero trust policy. After Google adopted it, the concept took off as an accepted IT security model and was adopted by many organizations.

How Does It Work?

A zero-trust architecture is a threat management model that does not assume people and systems operating within the network are entitled to all their privileges without repeated verification.

In a traditional castle-and-moat setup of an IT infrastructure, the model makes it hard for anyone outside of the organization to get access to private resources; however, it ignores the security risks posed by insiders. In fact, there are countless cases of employees who either wittingly or unwittingly caused a confidential data leak that led to millions of dollars in damages.

Verification Required for Everyone

A zero trust policy requires verification of everyone, whether they are an employee or someone from the outside. Everyone needs to be verified before accessing private resources. No one is trusted by default with the zero trust model, whether inside or outside the network. Many cybersecurity experts believe that this simple extra layer of security can prevent data breaches.

Consequences of a Data Breach

A study by IBM revealed that a single data breach can cost a company over $3 million. The loss of personal customer data in a breach can have many consequences, including damage to business reputation. Many affected customers will choose to do business elsewhere, which means lower revenue. Because of the harrowing insider threat statistics and consequences raised by industry experts and research reports, many organizations have rightfully chosen to adopt a zero trust policy to counter insider threats.

How Should an Organization Adopt a Zero Trust Policy

It is recommended to adopt a zero-trust policy and implement it gradually to minimize risks. First, you should analyze the risks that your organization faces. You then define the scope, create a zero trust implementation plan, and consider your resources, priorities and timelines. You can decide to use internal resources or hire experts to help you with your project.

Next, you implement an authentication protocol to secure your systems and most sensitive assets by controlling identities and their access. You want to protect all your assets using multi-factor authentication and a layered access authorization model, so that no one has unrestricted access to all systems and data once they are inside. This protects your organization from total ruin because of one unscrupulous employee.

Basically, you will deploy approval and authentication processes before you allow anyone onto the network or allow them to make transactions. This protects you from expensive data breaches that could bring down your company. One major danger of insider threats is that hackers could gain access to a privileged account to execute their schemes. This is why it is absolutely necessary to manage privileged accounts carefully.

Monitoring with Zero Trust Model

Once you have determined the scope, selected the technology, and implemented processes to enforce a zero trust framework, you need to establish a monitoring process to look for malicious activity on the network. Once a suspicious activity is detected, it must be flagged and resolved. Monitoring insider privileged access, which may also have been compromised by outsiders, pays off if the process is performed diligently.

Finally, you will implement a granular attribute-based access control (ABAC) model. ABAC is considered the next-generation model in access management, evolving from the role-based access control (RBAC) model. ABAC is based on establishing a set of attributes such as:

  • subject or user characteristics such as department, position, and IP address,
  • object or system and data characteristics such as sensitivity level, and
  • environmental characteristics such as time of day and location.

The main idea is to define which combination of characteristics or attributes will be used to control access from a central policy standpoint. The attributes may be different for each system.

In general, the key to an effective zero trust policy is to scrutinize all activities in order to identify and block as many unauthorized activities as possible, especially high-risk transactions initiated by privileged account holders.
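One way to turn the three attribute categories above into a central policy decision, as an added example that is not from the original article: a small ABAC evaluator in Python. The attribute names, the 10.0.0.0/8 corporate address range, the rules and the deny-overrides ordering are all constructed assumptions for illustration; the deny rules also show how a high-risk change by a privileged account outside business hours, the kind of transaction the paragraph above singles out, is refused regardless of role.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Object (resource) attribute: ordered sensitivity levels (constructed ordering)
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
CORP_NET = ip_network("10.0.0.0/8")  # constructed corporate address range


@dataclass
class Request:
    subject: dict   # user attributes: department, position, ip
    resource: dict  # object attributes: owner_dept, sensitivity
    action: str     # read / write / delete
    env: dict       # environmental attributes: hour (0-23), location


@dataclass
class Rule:
    name: str
    effect: str  # "deny" or "permit"
    matches: Callable[[Request], bool]


# Central policy: one rule list shared by every system, instead of per-system role tables.
POLICY = [
    Rule("confidential-needs-corp-network", "deny", lambda r:
         SENSITIVITY[r.resource["sensitivity"]] >= SENSITIVITY["confidential"]
         and ip_address(r.subject["ip"]) not in CORP_NET),
    Rule("privileged-changes-business-hours-only", "deny", lambda r:
         r.subject["position"] == "admin" and r.action in {"write", "delete"}
         and not 8 <= r.env["hour"] < 18),
    Rule("department-reads-own-data", "permit", lambda r:
         r.action == "read" and r.subject["department"] == r.resource["owner_dept"]),
    Rule("admins-manage-from-office", "permit", lambda r:
         r.subject["position"] == "admin" and r.env["location"] == "office"),
]


def evaluate(req: Request) -> tuple:
    """Deny-overrides evaluation with an implicit default deny.

    Any matching deny rule wins; otherwise the first matching permit rule;
    a request that no rule explicitly permits is refused.
    """
    for rule in POLICY:
        if rule.effect == "deny" and rule.matches(req):
            return "deny", rule.name
    for rule in POLICY:
        if rule.effect == "permit" and rule.matches(req):
            return "permit", rule.name
    return "deny", "default-deny"
```

Because every decision returns the rule that produced it, the same tuple can be written to the monitoring log, which makes flagged denials reviewable.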

Continuous Verification Across Each Device

In practical terms, the zero trust framework is built upon five key areas:

  • User trust
  • Device trust
  • Transport/session trust
  • Data trust
  • Application trust

For a zero trust program to be effective, implement verification across all five pillars to improve your security through a step-by-step process that covers scoping, technology, and processes. The project can start small and grow as you continue to assess your risks. To be successful, implement it in such a way that it provides the maximum level of security while having a minimal impact on operations. Handling and managing insider security threats in this way lowers the risk of a data breach and of unauthorized access or transactions.

10 Steps to Build a Zero Trust Program

Consider the following steps for creating and implementing a zero trust security program:

  1. Complete a risk assessment
  2. Define your scope – systems, data, people, devices
  3. Create a business plan and promote the idea to the organization
  4. Establish your budget and resources
  5. Develop a zero trust implementation plan
  6. Define trust criteria and boundaries
  7. Deploy multi-step and multi-factor authentication technology
  8. Pay attention to privileged accounts on key applications, databases and devices
  9. Implement an appropriate access control model such as attribute-based model
  10. Monitor access and activities across your systems based on your trust criteria


A zero trust model scrutinizes every person or device requesting access to systems and resources, whether the requestor is an insider or an outsider. Ultimately, the goal behind zero trust is to address the weakest link in security, which is the people (and devices) who are trusted entities and have access. While insiders provide an invaluable service, their established access can pose a great security risk to the organization, so that access must be continuously verified, validated, and approved to protect your company and its most valuable assets from potential insider threats.
