“Never trust, always verify” isn’t a new concept in cybersecurity, but it’s gaining new credence among organizations as they attempt to mitigate growing cyber risk. Towerwall CEO Michelle Drolet explains why.
The COVID-19 pandemic has caused a dramatic shift in both our personal and professional lives.
As the business environment undergoes rapid transformation, organizations are witnessing an increased demand for cloud adoption, digital transformation and new remote work models. This shift in the business landscape is also accelerating the need for an improved cybersecurity posture.
Businesses Need a Better Cybersecurity Model
In pre-pandemic times, the perimeter approach made sense, as most of the corporate assets and employees were behind a firewall. Post-COVID-19, this model has completely been upended, as a majority of white-collar jobs are being done from home, data is no longer confined to the data center and workloads are rapidly moving to the cloud. A recent IBM study has revealed that more than half of employees are using personal devices and computers to access business resources, while 61 percent of employees indicate a lack of security tools to secure those devices. Cybercriminal activity surrounding the pandemic is also at an all-time high, and this activity is not likely to slow down anytime soon.
Zero Trust: Trend or Fad?
Zero trust is the latest buzzword in the field of cybersecurity, and research indicates that more than 70 percent of global organizations are planning to implement zero trust in 2020.
The concept of zero trust, however, has been around a long time, and it’s probably just another name for what used to be called least privilege access. To make the concept even simpler, it basically means that the best cybersecurity hygiene should be that we mustn’t extend any more trust or access to anyone than we absolutely have to. In other words, never trust, always verify. In a zero-trust world, anything and everybody’s hostile no matter where you’re coming from or what asset you’re trying to access. There’s no implicit trust granted to you because you’re behind the firewall – simply because the firewalls themselves are treated as potentially hostile.
The Business Benefits of a Zero-Trust Architecture
One of the obvious business benefits of zero trust is that it makes things more secure than they are today. Especially when you consider a perimeter-less network, zero trust provides better control, shorter breach detection times and greater insight into network activity. Other business benefits of adopting a zero-trust strategy include:
- It dramatically simplifies overhead/complexity. Once you have zero-trust policies in place, there’s a lot less for IT teams to administer. Users can only access resources they are permitted to, and applications can only communicate with specific devices that can help control lateral movements.
- It supports a remote workforce. Workers are able to access applications they need to be successful in their job. IT staff have improved efficiency and the improved ability to address network errors. IT teams can curtail unnecessary spending on resources and allocate spare budgets to other critical areas. The architecture also helps boost network performance due to reduced traffic on subnets.
- It is easier for the user. Zero trust provides a more simplified logging process due to granularity. Everything happens in the background, and the user doesn’t have to sign-in to multiple applications; users simply use the existing active directory to sign-in and access their resources, which is much simpler.
Tackling the First Mile of Zero Trust
Almost every cybersecurity vendor out there claims to support zero trust – from zero-trust endpoint protection to zero-trust mobile device management to zero-trust remote access.
There’s a lot of confusion surrounding zero trust, which is why 50 percent of cybersecurity professionals cite a lack of confidence in applying the model. To achieve a true zero-trust architecture, it’s important we lay the right foundation.
Here are some recommendations for cybersecurity teams:
Start with Network Access
One of the most important steps in a zero-trust strategy is to make sure nothing actually touches your network. Networks typically have multiple public resources: VPN gateways, intrusion detection systems, intrusion prevention systems, applications on AWS and Azure and cloud storage all are internet-facing public resources. Even if they’re very well-configured, if they’re vulnerable, your organization is vulnerable.
Instead of giving access first and authenticating later, start by authenticating first and giving access later. Use a software-defined perimeter (SDP) to establish trust before any access to resources is granted – even basic network connectivity.
Some experts also compare zero-trust solutions with identity and access management solutions (IAM). However you can go to the IAM application, however you can access it via a networking standpoint, you can try to attack it. Zero trust must start from network access, and IAM is very much incomplete if you do not apply zero-trust authentication.
Use Multi-Factor Authentication
Coupled with controls over network access, multi-factor authentication (MFA) or IAM solutions create an additional layer of security by requiring more than one piece of evidence to authenticate a user. In addition to controls on user access, zero trust mandates controls on device access. It is important for cybersecurity teams to monitor not only who is accessing what, but also which devices are trying to access the network and ensure that every device is authorized.
Create Migrosegments to Control Lateral Movements
Using microsegmentation controls, cybersecurity teams can isolate the network into extremely granular segments. This allows specific communications to occur while blocking all others. Once resources are segmented, access to these resources can be restricted by specifying the users who can access the application. All other users, including cybercriminals, are blocked from using applications they are not authorized to use.
Finally, zero trust is not a destination, but a journey. As workspaces evolve owing to the pandemic and beyond, companies must continue to evolve their cybersecurity posture. It is time organizations make zero trust a core philosophy of their information security strategy.