Zero Trust security will be key in the new normal
Gene Tang
This time last year, I was planning an overseas vacation to Mount Fuji in Japan. Prior to booking that trip, I had met with a large traditional insurance organization to discuss the merits of cloud security. The organization’s IT structure had been the same for the last 15 years, powered by on-premises server infrastructure. The team’s position was firm: “Why fix something that’s not broken?”
The team was most skeptical about data security in the cloud. Outside of the organization’s “walled garden,” they didn’t believe it was possible to ensure data confidentiality and integrity. However, despite their apprehension, they agreed to start their cloud journey over the course of the next few years.
Adjusting to a new normal
“[Because of COVID-19], we saw two years of digital transformation in two months.” – Satya Nadella, Microsoft CEO
Fast forward to 2020. COVID-19 has challenged the norms for organizations around the world. From an IT standpoint, we’ve also been forced to work differently. Where choices had been a balance of “doing it right” versus “keeping the business afloat,” COVID tipped the balance toward staying afloat. As a result, businesses were forced to make unprecedented, risky changes in an instant.
COVID-19 was a major shock for traditional enterprises. For many, continuity planning had only been theoretical and never properly tested. The “walled garden” security strategy finally broke, creating a hindrance in this new normal. VPNs were suddenly overwhelmed, causing significant usability problems. The traditional enterprise is in a better state today, but not without drastic and potentially risky changes to their security stance.
“Now a good chunk of your critical assets are behind the firewall, but all of your employees are not.” – Christopher Kenessey, NetMotion CEO
Businesses that were well into executing on their cloud strategy pre-COVID-19 are faring better than those that weren’t. This is because those businesses had the opportunity to strategize and prepare for the “new normal” before it arrived.
As IT teams around the world pivot toward remote and distributed services, a new model of security is needed. The Zero Trust security strategy is best aligned to provide security across environments.
What is Zero Trust security?
“Never trust, always verify.” The view of Zero Trust security is that we should not trust anything — inside or outside of our system perimeters. The strategy enforces the lowest common denominator of trust — zero.
As we begin to blur the boundaries between “trusted” and “untrusted,” Zero Trust security becomes more relevant. Not owning your cloud-based infrastructure or having end-users connect via untrusted, BYOD devices means not trusting anything without verification — users, devices or systems.
Contrast this against the traditional “walled garden” or perimeter approach, where a clearly defined firewall perimeter exists between trusted and untrusted. People, data or systems in the perimeter are considered trusted and anything outside of that is untrusted. Traditional security approaches simply don’t work in a world where cloud and remote services are now the rule, not the exception.
Zero Trust security principles
Zero Trust security is a strategy, a mindset and an incremental journey for IT security. While there are technologies and products to help with achieving Zero Trust, it is not a specific technology or product. Instead of a “rip and replace” of your current IT security, Zero Trust augments and enhances your current security strategy.
The key principles of Zero Trust security are:
- Verify explicitly: Authenticate and authorize based on all available data points (identity, location, device health and an AI/ML derived behavior baseline).
- Use least-privileged access: Provide just-in-time and just-enough access to the user.
- Assume breach: Constantly think about breach scenarios, including post-breach attacker lateral movement, and work to limit them. For example, ensure end-to-end encryption of sessions, leverage micro-segmentation so a compromised component cannot reach everything else, and maintain security analytics to provide a deeper view of threats.
A comprehensive Zero Trust security strategy applies those principles to provide end-to-end protection across your IT components and digital estate, including:
- Identities: People and services accessing the system.
- Devices: Devices used to access services, such as BYOD devices.
- Applications: Applications and APIs that consume services.
- Data: Information that the applications process and store, which must be protected wherever it travels or rests.
- Infrastructure: Platforms that provide the environment to host these components (cloud VMs, servers or containers).
- Networks: Links that allow these components to interact.
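To make the three principles and the identity, device, location and data components above concrete, here is a small policy evaluator I have added for this post (it is not code from the author or from any Zero Trust product). The request fields, the sample users, locations and the resource name are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

NOW = datetime(2020, 6, 1, 9, 0)   # constructed clock for the sample requests below

# Signals for one access request. The field names are my assumptions; they map to the
# post's data points: identity, location, device health and a behaviour baseline.
@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool          # identity: strong authentication completed
    device_compliant: bool      # device health: managed, patched, not jailbroken
    location: str               # where the session originates
    usual_locations: frozenset  # behaviour baseline learned for this user
    resource: str               # the single resource requested (no network-wide grant)
    action: str                 # "read", "write" or "admin"

@dataclass
class Decision:
    effect: str                 # "allow", "deny" or "step_up"
    reasons: list = field(default_factory=list)
    expires_at: Optional[datetime] = None   # just-in-time grants are time-boxed

AUDIT_LOG: list = []            # assume breach: every decision is kept for security analytics

def evaluate(req: AccessRequest, now: datetime = NOW) -> Decision:
    reasons = []
    # Verify explicitly: being "inside" grants nothing; each signal is checked on every request.
    if not req.mfa_verified:
        reasons.append("identity: MFA not completed")
    if not req.device_compliant and req.action != "read":
        reasons.append("device: non-compliant device may not write or administer")
    if reasons:
        decision = Decision("deny", reasons)
    elif req.location not in req.usual_locations:
        # Outside the behaviour baseline: demand fresh verification rather than deny outright.
        decision = Decision("step_up", ["location: outside user's baseline, re-verify"])
    else:
        # Least privilege: the grant covers exactly this action on this resource and expires.
        ttl = timedelta(minutes=10) if req.action == "admin" else timedelta(hours=1)
        decision = Decision("allow", [f"scoped to {req.action} on {req.resource}"], now + ttl)
    AUDIT_LOG.append((now.isoformat(), req.user, req.resource, req.action, decision.effect))
    return decision

def is_grant_valid(decision: Decision, now: datetime = NOW) -> bool:
    # Checked again on every use: an expired just-in-time grant is not trusted.
    return decision.effect == "allow" and decision.expires_at is not None and now < decision.expires_at
```

Note that a non-compliant device can still read but never write, an unfamiliar location triggers step-up rather than a silent allow, and an admin grant lives only ten minutes before it must be re-requested.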
Start your Zero Trust security journey
We were lucky enough to go on our Japan holiday before COVID-19 took over the world. On that trip, my wife, an avid snowboarder, convinced me to try snowboarding. I thought that I would hate it due to my poor hand-eye coordination.
We started on the beginner’s slope, where my wife taught me how to turn and stop. Though it initially felt counter-intuitive, I managed to keep my feet locked on the board and maintain my balance. Soon after, we transitioned to more advanced skills like flat-spins and small jumps. It was great! I quickly transitioned to more advanced courses on the slopes.
The Zero Trust security journey follows a similar path of learning, practice and confidence. Start with a specific use case within your organization and rethink it in the context of Zero Trust security. Slowly expand your approach across more use cases to increase the maturity of Zero Trust in your organization.
How do you rethink security architecture and processes in the context of Zero Trust security? Start by taking our free, online Cybersecurity Risk Self-Assessment to uncover common security gaps in minutes.