The X-Files had it right – trust no one. The massive shift to remote work and a continually expanding attack surface has made the concept of trust-based security a naïve one at best, dangerous at worst. But the upshot is that everything we’ve seen and experienced in the past year has helped seed the need for a zero-trust based approach.
Let’s look at some of the major trends and factors of the past year (including the erosion of barriers between corporate and home offices and the expansion of targets) and how these risks can be mitigated using a zero trust approach.
Trust-based security has to go
The perimeter has expanded rapidly and dramatically in response to the pandemic, and cybercriminals have been quick to respond. Over the past year we have seen an uptick in attempts to exploit vulnerabilities in consumer networking and connected devices – in parallel with the transition to remote work. It’s probable that attackers are targeting the less-than-enterprise-grade security inherent in many of these devices now that they’re effectively part of the corporate perimeter.
That means employees could be gaining access to corporate resources from a compromised environment. It’s a new security model that many organizations are not familiar with. And due to this newly expanded attack vector—combined with overtaxed security teams, a fragmented perimeter, and highly motivated cybercriminals leveraging new cybercrime-as-a-service offerings—we have seen a rise in cybercrime, including a staggering seven-fold increase in ransomware targeting organizations.
The ongoing expansion and erosion of the perimeter underscores the need for a new approach. This approach needs to include extending deep security monitoring and enforcement to every device—trusted or otherwise. Interpersonal relationships may be built on trust, but it’s increasingly apparent that zero trust builds healthier IT relationships. An unexpected silver lining to the current mass experiment in remote work is that this transition could spell the end of trust-based security.
Introducing zero trust
If trust-based access won’t work, what will? Zero Trust Access (ZTA) is a network security concept which holds that no user and no device, whether inside or outside the network, should be trusted until its identity has been thoroughly verified.
Zero-trust operates on the assumption that threats both outside and inside the network are an ever-present reality and that potentially every user and device has already been compromised. It also treats every attempt to access the network or an application as a threat. As a result of these assumptions, network administrators need to redesign their security strategies and solutions to support rigorous, trustless security measures.
Reaping the benefits of zero trust
A zero trust philosophy can help organizations with security in terms of:
- Protection of customer data – Zero-trust eliminates the wasted time and frustration that comes from the loss of customer data, along with the cost of losing customers who no longer trust the business.
- Consistent security across all threat vectors – a zero-trust approach to security provides a consistent approach to protecting access to assets on the core network, branch locations and the cloud, protection for and from remote workers, and extends security to the digital supply chain.
- Reduced redundancy and complexity of the security stack – When a zero trust system handles all security functions, you can eliminate stacks of redundant firewalls, web gateways, and other virtual and hardware security devices.
- Reduced need to hire and train security professionals – A central zero-trust system means you don’t have to hire as many people to manage, monitor, secure, optimize, and update security controls. And given the ongoing cybersecurity skills gap, this is a huge benefit because, according to the latest (ISC)² Cybersecurity Workforce Study, the number of additional trained staff needed to close the current skills gap is 3.12 million professionals.
Creating a zero trust environment
Setting up ZTA includes establishing pervasive application access controls, strong authentication capabilities, and powerful network access control technologies.
By using the zero trust model for application access, organizations are able to shift from only relying on traditional virtual private network (VPN) tunnels to secure assets being accessed remotely. Part of the challenge is that VPN often provides unrestricted access to the network, allowing compromised users or malware to move laterally across the network looking for resources to exploit.
ZTA network connections address this issue by granting access to network resources on a policy-based, per-session basis, to individual applications, and only after devices and users have been authenticated and verified. The system applies this policy equally whether users are on- or off-network, providing the same zero trust protections no matter where a user is connecting from.
Secure authentication plays a pivotal role in the implementation of an effective security policy. Many of today’s most damaging security breaches have been due to compromised user accounts and passwords, and these breaches have been exacerbated by users with inappropriate or excessive levels of access. Instead, organizations must adopt the practice of applying “least access” privileges as part of their access management, so that should a user account be compromised, cyber adversaries only have access to a restricted subset of corporate assets.
And to extend that level of protection further, a zero trust approach also empowers organizations to identify and secure unknown IoT endpoints and devices entering the network. Integrated endpoint visibility, granular control, advanced protection, and policy- and context-based endpoint assessment work together to ensure organizations are protected against compromised devices. Organizations need to establish a level of visibility that sees every device on the network through the lenses of device identification, profiling, and vulnerability scanning. Tying this analysis to dynamic micro-segmentation enables further control over devices on the network.
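The three building blocks described above (per-session, per-application access control; strong authentication with least-access entitlements; and device profiling tied to micro-segmentation) can be seen working together in a single policy decision point. The following Python is an added example written for this article, not code from any vendor’s product: every role, application, device profile, segment name and rule in it is constructed for illustration, and the network-location flag is recorded only for audit and is deliberately never consulted when deciding.

```python
# Added example (not code from the original article): a minimal zero-trust
# policy decision point. Every request is evaluated per session and per
# application, identically on- and off-network, against identity, device
# posture and a least-access role policy. All roles, applications, device
# profiles, segment names and rules below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Identity:
    user: str
    authenticated: bool      # primary credential verified
    mfa_verified: bool       # second factor completed for this session
    roles: FrozenSet[str]

@dataclass(frozen=True)
class Device:
    device_id: str
    known: bool              # present in the device inventory
    profile: str             # device profiling result: "corp-laptop", "personal", "iot", ...
    disk_encrypted: bool
    vuln_scan_clean: bool    # no unpatched critical findings

@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    application: str
    on_corporate_network: bool   # kept for audit logs; never used in the decision

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    session_expires: Optional[datetime] = None

# Least-access policy (constructed): which roles, with which assurance level,
# from which micro-segments, may reach each application.
APP_POLICY = {
    "wiki":    {"roles": {"staff", "finance", "engineering"}, "mfa": False, "segments": {"managed", "byod"}},
    "payroll": {"roles": {"finance"},                        "mfa": True,  "segments": {"managed"}},
    "prod-db": {"roles": {"engineering"},                    "mfa": True,  "segments": {"managed"}},
}
SESSION_TTL = timedelta(minutes=30)   # access is granted per session, not indefinitely

def assign_segment(device: Device) -> str:
    """Dynamic micro-segmentation: map a profiled device to a network segment."""
    if not device.known:
        return "quarantine"          # unprofiled devices get no lateral reach at all
    if device.profile == "iot":
        return "iot"                 # IoT endpoints never share a segment with users
    if device.profile == "corp-laptop" and device.disk_encrypted and device.vuln_scan_clean:
        return "managed"
    return "byod"

def evaluate(req: Request, now: Optional[datetime] = None) -> Decision:
    """Policy decision point: default deny; the first failing check is the reason."""
    now = now or datetime.now(timezone.utc)
    policy = APP_POLICY.get(req.application)
    if policy is None:
        return Decision(False, "unknown application: default deny")
    if not req.identity.authenticated:
        return Decision(False, "user not authenticated")
    if policy["mfa"] and not req.identity.mfa_verified:
        return Decision(False, "MFA required for this application")
    if not (req.identity.roles & policy["roles"]):
        return Decision(False, "role not entitled to application (least access)")
    if not req.device.known:
        return Decision(False, "unknown device: profile it before granting access")
    if not (req.device.disk_encrypted and req.device.vuln_scan_clean):
        return Decision(False, "device posture non-compliant")
    segment = assign_segment(req.device)
    if segment not in policy["segments"]:
        return Decision(False, f"segment '{segment}' may not reach {req.application}")
    return Decision(True, "granted for this session", session_expires=now + SESSION_TTL)

def session_valid(decision: Decision, now: datetime) -> bool:
    """A grant is only good until its per-session expiry; after that, re-evaluate."""
    return decision.allow and decision.session_expires is not None and now < decision.session_expires

if __name__ == "__main__":
    # Constructed sample principals and devices.
    alice = Identity("alice", authenticated=True, mfa_verified=True, roles=frozenset({"finance"}))
    laptop = Device("LT-001", known=True, profile="corp-laptop", disk_encrypted=True, vuln_scan_clean=True)
    camera = Device("CAM-77", known=False, profile="iot", disk_encrypted=False, vuln_scan_clean=False)
    for req in (
        Request(alice, laptop, "payroll", on_corporate_network=False),  # remote, fully compliant
        Request(alice, laptop, "prod-db", on_corporate_network=True),   # on-net, but wrong role
        Request(alice, camera, "wiki", on_corporate_network=True),      # on-net, unknown device
    ):
        d = evaluate(req)
        print(f"{req.identity.user}@{req.device.device_id} -> {req.application}: "
              f"{'ALLOW' if d.allow else 'DENY'} ({d.reason})")
```

Note the order of the checks: identity first, then entitlement, then device identification and posture, then segment. A compromised account that passes authentication is still confined to the applications its role is entitled to, and a compliant device in the wrong segment is still refused; being on the corporate LAN earns nothing, which is the property the article asks for.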
Zero trust, maximum security
In today’s work-from-home world, organizations need to find ways to trust no one while still allowing legitimate users and devices to access the network and needed applications so they can do their jobs. And in a world where performance and user experience are critical, strengthening security cannot result in slowing down users and processes to a crawl—which requires planning your zero trust strategy well. That includes implementing access controls for the network and applications and deploying robust authentication capabilities that don’t hamper productivity. By establishing a zero-trust access strategy, you’ll protect customer data, defend and control access to critical assets, bypass the need to hire more scarce security professionals, and at the same time, actually reduce security complexity.