6. Focus your monitoring on users, devices and services
Given that devices and services are more exposed to network attacks than in traditional architectures, it’s important that comprehensive and continuous monitoring is carried out.
You should know what actions devices, users and services are performing and what data they are accessing. Your monitoring should link back to the policies you set, verifying that they are being enforced as you expect. A zero trust architecture should be able to adjust policy dynamically according to a confidence level evaluated from the signals received about the user and the device.
No choke points
User devices within a traditional walled garden network architecture should use a VPN to send all traffic through a controlled path. This enables traffic to be inspected. In a zero trust architecture, this choke point isn’t available and protective monitoring has to be moved onto each device.
It’s important that you are confident in device health: a compromised, ‘unhealthy’ device cannot be trusted to provide reliable monitoring, because its logs could have been tampered with.
An endpoint security suite provides features to detect threats, and to predict and prevent attacks that impersonate the user, compromise the device or exfiltrate your confidential information.
Network monitoring
Although the network is untrusted and assumed hostile, network monitoring is still important to ensure good performance and cyber hygiene. Monitoring should be carried out on your networks to measure performance, identify all devices attached to your network, and detect rogue devices and malicious activity, especially if you’re hosting on-premise services.
Coupled with device monitoring, network monitoring can help improve visibility and correlation. For example, you could trace network connections to the process on the device that generated them.
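One way to do that correlation, as an added example that is not from the NCSC page: join flow records from a network sensor to socket events reported by an endpoint agent on the connection 4-tuple within a short time window, and surface the flows that no managed device claims. The record schemas, device names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Flow:  # connection seen by a network sensor (constructed schema)
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class SocketEvent:  # outbound socket reported by a device's endpoint agent (constructed schema)
    ts: datetime
    device: str
    pid: int
    process: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int

def attribute_flows(flows, events, window=timedelta(seconds=5)):
    """Join each flow to the process that opened a socket with the same
    (local ip, local port, remote ip, remote port) within `window`; the time
    bound matters because ephemeral ports are reused. Unmatched flows mean the
    device's agent is not reporting (health in doubt) or the address is unmanaged."""
    by_tuple = {}
    for ev in events:
        by_tuple.setdefault((ev.local_ip, ev.local_port, ev.remote_ip, ev.remote_port), []).append(ev)
    attributed, unattributed = [], []
    for f in flows:
        near = [ev for ev in by_tuple.get((f.src_ip, f.src_port, f.dst_ip, f.dst_port), [])
                if abs(ev.ts - f.ts) <= window]
        if near:
            ev = min(near, key=lambda e: abs(e.ts - f.ts))  # closest in time wins
            attributed.append((f, ev.device, ev.pid, ev.process))
        else:
            unattributed.append(f)
    return attributed, unattributed

# Constructed sample telemetry; external addresses are RFC 5737 documentation ranges.
T0 = datetime(2024, 1, 1, 9, 0, 0)
FLOWS = [Flow(T0, "10.0.0.5", 51000, "203.0.113.10", 443),
         Flow(T0 + timedelta(seconds=2), "10.0.0.5", 51001, "198.51.100.7", 8443),
         Flow(T0 + timedelta(seconds=1), "10.0.0.9", 40000, "203.0.113.10", 443)]  # no agent for 10.0.0.9
EVENTS = [SocketEvent(T0 + timedelta(seconds=1), "laptop-01", 4242, "browser", "10.0.0.5", 51000, "203.0.113.10", 443),
          # same 4-tuple ten minutes later: a reused ephemeral port, not the flow above
          SocketEvent(T0 + timedelta(minutes=10), "laptop-01", 9001, "updater", "10.0.0.5", 51001, "198.51.100.7", 8443)]
```

Running `attribute_flows(FLOWS, EVENTS)` attributes the first flow to the browser process and leaves the other two unattributed: one because the only matching socket is outside the time window, the other because no agent reports for that address.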
Further advice and guidance can be found in the NCSC Logging and protective monitoring page.