Why Zero Trust is the Future of Cybersecurity
As the traditional perimeter security defenses crumbled, new holistic approaches sprang up to fill an ever-widening void. Now security was not confined to keeping the bad guys out, but defending from within. No longer were cyberattacks the purview of basement hackers, but each email attachment, login attempt, and containerized communication was suspect – and subject to cyber subterfuge unimaginable in the early days of digitization.
One of the philosophies most widely accepted by the security community is Zero Trust, and its far-reaching tenets are enough to make it, and the organizations that adopt it, future-proof for years to come.
What is Zero Trust?
Gartner defines Zero Trust as “products and services that create an identity and context-based, logical-access boundary that encompass an enterprise user and an internally hosted application or set of applications.” Cisco clarifies that it establishes trust “through continuous authentication and monitoring of each network access attempt.” As they put it, “It’s different from the traditional model of assuming everything in a corporate network can be trusted.”
In short, zero trust can be summed up as a trust-nothing doctrine centered around authorizing users and services in multi-point ways, assuming guilt before assigning innocence, and making each entity prove itself.
In keeping with this, Forrester Research, a leading research and advisory firm, states that a Zero Trust solution must accomplish each of the following:
- Ensure only known, allowed traffic is permitted
- Employ the principle of least-privilege and enforce strict access controls
- Log and inspect all network traffic
Ultimately, Zero Trust is the holistic approach to network-wide security in a post-perimeter world. It was once assumed that untrusted baddies resided on the other side of the “wall” while everyone on the inside was safe and trusted by default. Now nothing is taken for granted: zero trust environments are built to allow free access to nobody and demand full authentication of all.
Why Zero Trust?
The unilateral migration to digital assets over the past decade – accelerated in the past few years – has heightened the need for a scrutinizing security environment. In particular, the proliferation of three technology types has spurred this growth:
- Remote apps. New services spun up to bridge the gap between office environments and work-from-anywhere demands. However, in that rush to market, many offerings were developed without a security-first mindset. To mitigate those built-in vulnerabilities, remote services need to be bolstered with VPN-only network access, MFA access, and antivirus and internet security software at home.
- Cloud apps. The same can be said of cloud apps; in many ways function outstripped safety, and security practitioners must now bear the weight of making sure their cloud workload is secure. It is important to note that while many cloud service providers offer security services, not all do. Those that do offer security offer it to different degrees. Achieving zero trust in the cloud is a particular challenge, as assets and identities are so interconnected. While solutions are myriad, they must all be built on a foundation of full visibility over cloud-hosted assets. They must grant users secure access to those assets, limit privileges and permissions to them, and inspect ingoing and outgoing traffic on a regular basis.
- IoT devices. Because there is no set standard for the cybersecurity of IoT devices, organizations must be particularly vigilant when allowing these onto their network. Be wary of BYODs, innocuous smart devices like wireless printers and key fobs, and even the Smart TV in the break room. IoT devices are notorious for unpatched bugs, and it only takes one vulnerable endpoint for an attacker to pivot onto your network.
Pillars of Zero Trust
In a practical sense, Zero Trust embodies security across the three major aspects of any organization: workforce, workplace, and workload. In a zero trust environment, organizations make sure that their employees are properly trained and aware of security risks. They have policies and procedures in place that protect data and enable employees to work safely. Lastly, they ensure that their data is properly protected and that their systems are able to handle the demands of their users.
- Zero trust for the workforce: Make sure users and devices can be trusted as they access systems, regardless of location. This not only includes VPN service, but context-based authentication and secure wireless connection.
- Zero trust for the workplace: Prevent unauthorized access within application environments irrespective of where they are hosted. Base this upon the principle of least privilege, and scan for Shadow IT.
- Zero trust for the workload: Secure access for any and all devices connected to enterprise networks (IoT included). Unaccounted-for machines and vulnerable endpoints need to be discovered, patched, and vetted for vulnerabilities. A weak link could prove a point of ingress for bad actors.
While a zero trust philosophy can be attuned to any resource, it is most useful when it is seen as the underpinning security organization-wide, and represents a holistic approach (rather than an
To move forward with your Zero Trust strategy, employ strict access policies and security controls at the following stages, and revoke any unwarranted or unverified access already given.
- Define and defend your entry points. These can be email endpoints, site and service logins, or cloud-based applications. Protecting them with Multi-Factor Authentication protocols is the first step.
- Gain full visibility over devices and activity. It’s hard to secure what you can’t see, so partner with an MSP or technology that can help you ferret out Shadow IT and gather telemetry from all resources across your network.
- Device trust. Make sure even BYOD devices have antivirus solutions deployed, and segment access to only the resources necessary to the device user. You don’t want any latent bugs hiding on your device to crawl into your company assets and wreak havoc.
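The three stages above, combined with Forrester's criteria (only known traffic, least privilege, log everything), can be expressed as a single default-deny access decision. The sketch below is an added example, not code from the original article; the device inventory, roles, resource names and the `decide` function are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (assumptions): known devices and per-role grants.
INVENTORY = {
    "laptop-017":   {"managed": True,  "av_running": True},
    "byod-phone-3": {"managed": False, "av_running": True},
    "printer-2f":   {"managed": False, "av_running": False},
}
GRANTS = {"finance": {"erp", "email"}, "contractor": {"email"}}
BYOD_ALLOWED = {"email"}  # unmanaged devices are segmented to the minimum

AUDIT_LOG = []  # every decision is recorded, allow or deny


@dataclass
class Request:
    user: str
    role: str
    device_id: str
    mfa_passed: bool
    resource: str


def decide(req):
    """Default-deny: access is granted only if every check passes."""
    device = INVENTORY.get(req.device_id)
    if not req.mfa_passed:                       # entry point needs MFA
        verdict, reason = "deny", "mfa_missing"
    elif device is None:                         # visibility: unknown or Shadow IT device
        verdict, reason = "deny", "unknown_device"
    elif not device["av_running"]:               # device trust
        verdict, reason = "deny", "device_untrusted"
    elif req.resource not in GRANTS.get(req.role, set()):  # least privilege
        verdict, reason = "deny", "not_granted"
    elif not device["managed"] and req.resource not in BYOD_ALLOWED:
        verdict, reason = "deny", "byod_segmented"
    else:
        verdict, reason = "allow", "all_checks_passed"
    AUDIT_LOG.append({"user": req.user, "device": req.device_id,
                      "resource": req.resource, "verdict": verdict,
                      "reason": reason})
    return verdict, reason


if __name__ == "__main__":
    print(decide(Request("alice", "finance", "laptop-017", True, "erp")))
    print(decide(Request("bob", "finance", "byod-phone-3", True, "erp")))
    print(decide(Request("eve", "contractor", "shadow-nas", True, "email")))
```

Note that a denial is the fall-through for any unknown role or device, and the log entry is written on every path, so denied attempts are as visible as granted ones.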
Zero trust represents the future of cybersecurity because it is a tool of its time. Rather than chasing threats beyond the fence, it secures from the inside out, making contingencies so that no one user has any more access than they can prove they have – and that should only be what they need. This degree of safety carries across workforce, workplace, and workload assets and gives organizations the framework to create a secure environment that is less susceptible to data breaches.