The Ministry of Justice (MoJ) has highlighted an intent to develop a zero trust architecture in its approach to cyber security.
Nava Ramanan, its deputy director cyber security, said that zero trust – defined as a technique in which user identity is revalidated at each stage of a digital interaction – is related to its ‘internet first’ strategy and increased use of hybrid working.
This requires a move away from a security focus on the network perimeter to a more dynamic approach in which continued access is granted based on analysis of user behaviour, network traffic, live security events and revalidation of the user.
He said the approach is needed across the MoJ estate to ensure it has control over who has access to its systems from different locations and through different devices and access methods. It involves the same security checks being applied irrespective of how users are accessing systems.
“Zero trust means we’re taking a holistic approach and implementing the same policies and controls across users, applications, and infrastructure to reduce risk and complexity while achieving organisational resilience,” Ramanan said in a blogpost. “It’s not just the network, interactions also consist of identity, access, device/endpoints, and transactions.”
Gradual change
He said the MoJ will not be able to move immediately in full to zero trust as the nature of some legacy systems require that they continue to use network based trust. But as it moves away from these it will place the focus on zero trust.
He also highlighted the importance of the zero trust principles outlined by the National Cyber Security Centre in 2019.
“Taking a zero trust approach provides the foundations for a secure digital environment, allowing the realisation of the principles of GovAssure and the Cyber Assessment Framework (CAF),” Ranaman said “All organisations have an ongoing cyber journey, and our mission is to provide simpler, faster, and better services to all our users.”
