Cybersecurity and Zero Trust Access Approach
To improve organizational security, many businesses are implementing tools aligned with so-called “zero trust”— a security strategy based on the concept “never trust; always verify.” The Zero trust concept was the brainchild of former Forrester Research analyst John Kindervag. In 2010, he published a paper that introduced the concept to the IT world. The philosophy of Zero Trust networks comes from an unconventional idea: that the party requesting access to a network originates from the start receives “zero trust”: his network gets zero trust as an indicator of security; in fact, it can give a false sense of security that can cause a company’s security operations center to trust traffic that would normally raise a red flag, just because the user is behind a firewall or VPN network.
Zero Trust governs trusted access, depending on the user, location, and other access details. If the security status of an endpoint cannot be verified, it will not authenticate, whether the identity entering any domain is a customer, a partner, or an employee.
The role of Zero Trust is even more relevant in the work-from-home situation we are now in with the corona virus pandemic. By nature, employees’ home environments are more vulnerable with a higher likelihood of compromise. Working from home has only heightened interest in this identity-based approach to security.
The goal of a Zero Trust Approach is to reduce risk by implementing granular access policies that allow organizations to control, down to the individual resource level, what communications are permitted between different access points on the network. This prevents attackers from entering enterprise infrastructure — whether in the cloud, on-premises, or a mix of both — and moving laterally. Many enterprises establish control of access for two critical starting points on their zero trust security journey. First, they focus on remote applications because they are the foundation of how many distributed enterprises operate today. Next, they concentrate on web access (including email) because it is one of the primary attack vectors for cyberthreats.
The biggest hurdle facing the enterprise is maintaining privacy, protection, and security while keeping resources available so employees can stay productive. The number of remote users and devices requiring access is not going to decrease anytime soon. To that end, the internet of things (IoT) can also be problematic for Zero Trust implementations.
According to Cybersecurity Insiders’ report “2019 Zero Trust Adoption Report”:
- 78% of IT security teams are looking to embrace zero-trust network access in the future. 19% are actively implementing zero trust, and 15% already have zero trust in place. At the same time, about half of enterprise IT security teams (47%) lack confidence in their ability to provide zero trust with their current security technology.
- The highest security priority for application access is privileged account management of users and multi-factor authentication (68%). This is followed by detection of, and response to, anomalous activity (61%) and securing access from personal, unmanaged devices (57%).
- Sixty-two percent of organizations say their biggest application security challenge is securing access to private apps that are distributed across datacenter and cloud environments. This is followed by minimizing exposure of private apps to the internet (50%), tied with gaining visibility into user activity (50%).
- When asked about the benefits of zero trust, two-thirds of IT security professionals (66%) say they are most excited about zero trust’s ability to deliver the least privileged access to protect private apps. This is followed by apps no longer being exposed to unauthorized users or the Internet (55%), and access to private apps no longer requiring network access (44%).
Zero Trust implementation is a gradual process. Defining a big-bang sprint project to move to Zero Trust is unlikely to be successful. Any organization with existing security capabilities should migrate gradually to the Zero Trust model.
Josh Mayfield, “What You Need to Know About Zero Trust”
Cybersecurity Insiders, “Zero Trust Secure Access in 2019”
John P. Mello Jr., “The state of zero trust: A new normal for cybersecurity”
David Canellos, "Why Zero Trust Should Be The Top Security Initiative for 2020" (Forbes)
Louis Columbus, "What's New In The 2020 Forrester Trust Wave?" (Forbes)