Employees, with the best of intentions, have started using personal devices that are not managed by the organization, collaborating through public cloud services, and sharing data beyond the safety of the secured network perimeter. As organizations adapted to changes like these, cybercriminals saw an opportunity, focusing their attacks on these newfound network vulnerabilities.
This shift in how employees use devices in these new settings left many organizations unprepared to ensure the security and safety of their data being stored and transmitted outside their secure environment.
These organizations found themselves needing to expand data breach prevention and network protection from their traditional location behind a corporate firewall to include the people, devices, apps, and data found in these new environments.
The organizations that had proactively incorporated cloud security into their IT security strategy were able to adapt more smoothly to these changes. The key difference was their adoption of a Zero Trust security model.
What is Zero Trust?
As the name suggests, the idea behind Zero Trust is to "never trust, always verify." In a traditional network security model, all activity behind a corporate firewall is considered to be "safe" or have "implicit trust," but the Zero Trust framework flips this thinking on its head.
With Zero Trust, you no longer implicitly trust anyone or anything, whether inside or outside of your network boundary. Each connection request is treated as though it originated from an unsecured source. The access request must be fully authenticated, authorized, and encrypted before access is granted. Just-in-time and just-enough-access (JIT/JEA) principles are applied to minimize lateral movement within your network (access to one network resource does not grant automatic access to another).
Kent Goodrow, Account Manager, explains Zero Trust.
Zero Trust Principles
Zero Trust uses multiple verification methods and signals to validate each connection attempt. All available data points (identity, device health, location, service or workload, data classification, etc.) are now used to ensure a user is who they say they are.
LEAST PRIVILEGED ACCESS
The idea of least privileged access gives people JEA and JIT access to systems and resources they need to get their job done while remaining productive and protecting data.
ASSUME A BREACH
Every authentication attempt is treated as though it could potentially be malicious or already compromised. A Zero Trust architecture is built on impact containment (micro-segmentation) so the potential compromise of one area will not spread to other connected network elements.
The best way to understand the need for Zero Trust is to contrast it against traditional network security practices.
Consider traditional network security as a medieval "moat and castle." In this scenario, your corporate network is the castle and the moat is the primary defense mechanism to keep the bad guys out. Perimeter security (routers/firewalls) aims to funnel external access to the castle (network) through a single entry point or drawbridge, typically using a username and password to gain entry. Once access is granted to your network, that user is considered "safe" and provided with implicit trust to roam about the "castle," communicating freely with various programs and applications. Having the ability to roam is considered a shortcoming of traditional perimeter security as it allows for lateral movement when a hacker or unauthorized user penetrates the perimeter.
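The contrast between the two models, and the principles listed above, can be shown as two access decision functions. This is an added example, not part of the original article; the `Request` fields, policy values, users, and resource names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    at: datetime
    mfa_passed: bool        # identity signal
    device_compliant: bool  # device health signal
    country: str            # location signal
    encrypted: bool         # connection uses an encrypted transport
    on_corp_network: bool   # the only signal the perimeter model checks

# Constructed policy data for this example.
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ALLOWED_COUNTRIES = {"US", "CA"}
RESTRICTED = {"payroll-db"}  # data classification: requires a compliant device
# JIT/JEA grants: one (user, resource) pair per grant, each with an expiry.
GRANTS = {("alice", "payroll-db"): NOW + timedelta(hours=1)}

def perimeter_decision(req):
    """Castle and moat: anything behind the firewall is implicitly trusted."""
    return req.on_corp_network

def zero_trust_decision(req, grants=GRANTS):
    """Check every signal on every request; return (allowed, reasons)."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("identity not verified")
    if not req.encrypted:
        reasons.append("connection not encrypted")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("unexpected location")
    if req.resource in RESTRICTED and not req.device_compliant:
        reasons.append("device not compliant for restricted data")
    expiry = grants.get((req.user, req.resource))
    if expiry is None:
        reasons.append("no grant for this resource")  # blocks lateral movement
    elif req.at >= expiry:
        reasons.append("JIT grant expired")
    return (not reasons, reasons)

if __name__ == "__main__":
    # A request from inside the network with an unverified identity.
    inside = Request("bob", "payroll-db", NOW, False, False, "US", True, True)
    print("perimeter:", perimeter_decision(inside))
    print("zero trust:", zero_trust_decision(inside))
```

The perimeter function allows the internal request on network location alone, while the Zero Trust function denies it and lists each failed signal. The same function allows a fully verified remote user only for the one resource and time window they were granted.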
The Case for Zero Trust
Today, many networks are fully cloud-based or a hybrid model of traditional and cloud-based computing. They are no longer static entities sitting safely on-premises within your IT closet. We see many organizations transition to a Zero Trust model driven by the need to conduct business remotely, consume, transmit, and store data in the cloud, adapt to a hybrid work environment, and comply with changes in regulatory requirements. The complexity of our modern work environment needs a modern security strategy that embraces the hybrid workplace, protecting your people, devices, apps, and data no matter where they are located. This is where the Zero Trust security model is the right choice for your modern work environment.
As traditional network perimeter security becomes obsolete, the growing number of cyberattacks and newly exposed system vulnerabilities proves that a single identification security practice (username/password) is not enough to defend against cybercriminals. The goal is to shrink your perimeter-based resources and move to a Zero Trust model as rapidly as your budget will allow. This does not mean you must make the change all at once. Zero Trust can be a gradual journey with a phased approach across the network.
Having a Zero Trust security model promotes the proactive defense strategy that is needed today. Begin with an assessment of your defenses to start down the Zero Trust path, and make adjustments where necessary to adapt to the evolving threat landscape.