Zero Trust view

by Mark Rowe

Love it or hate it, you need zero trust, writes Kate Adam, Senior Director of Security Product Marketing, at networking and cloud product company Juniper Networks.

Over the past two years, the enforced working from home that the COVID-19 pandemic necessitated has led to an increase in cybersecurity attacks. With the era of hybrid work now in full swing, the workforce is distributed across multiple locations, expanding the network perimeter far beyond the traditional confines of an organisation. As employees work from home, non-managed devices leave the network more open to attack.

The cyber risks posed by the COVID-19 disruption and ever-growing network complexity have been closely monitored and fretted over by executives. In a recent Deloitte survey of C-suite executives, 72 percent said their organisations experienced between one and ten cyber incidents and breaches in the last year alone. This type of persistent threat – and the increasing difficulty that organisations face when trying to prevent cyber-attacks from happening – is more than enough to foster a deep sense of distrust among executives towards external and internal risks alike.

Eliminate the assumption of trust

That sense of distrust amongst CEOs and CFOs is likely a major reason why the term Zero Trust has so much appeal to them. They have lost trust in everyone and everything in their network and can no longer be confident in assuming the authenticity of users. When they hear simple refrains like “never trust, always verify,” executives are all-in and instruct their security teams to go make it happen. Ideally sooner rather than later.

For IT managers and security professionals, however, Zero Trust often evokes a different emotion: hate. The C-suite is invested in the concept because of its relative simplicity and is eager to progress the approach, but the reality is that implementation is rather complex. It requires a fundamental shift from protecting the network perimeter exclusively, to a security model where internal and external users alike are repeatedly checked and authenticated before they are allowed to have access to a given resource. It’s not just about incorporating new tech but also an entire shift in philosophy.

But whether Zero Trust brings feelings of comfort or despair, there’s little question that it represents the future of network security. We now live in a hyper-connected world where the concept of a perimeter has essentially dissolved for most modern enterprises, with devices, applications and workloads operating anywhere and everywhere.

Moreover, threats are becoming increasingly sophisticated. Outsiders trying to penetrate outer firewalls have been replaced by targeted phishing attacks, malware and other techniques that can be used to turn an insider – a trusted user or application – into an attack vector. The most impregnable outer security perimeter can do little to guard against such threats.

Networks: from castles to cities

In the past, networks were like castles with hard-to-penetrate outer systems of walls, moats and other defences. However, in an era of IoT and remote work where data is being generated, processed and consumed at the edge, networks are more like cities where security teams must think like mayors, not feudal lords. Mapping, coordination and preparation now take precedence over building infrastructure. And this is at the heart of the challenge facing organisations looking to make the move to a new security model.

While Zero Trust has value across all industries and sectors, there is no one-size-fits-all solution, increasing some IT teams’ fear over implementing it. Zero Trust requires a multi-year commitment to identify relevant business drivers, existing capabilities and the most relevant use cases. It requires working through multiple layers, including workforce security and trust, devices, data and applications as well as the network itself.

Unlike a pure technology solution, Zero Trust also requires broad culture change. For this reason, organisations need to embrace softer factors such as communications, training programmes, awareness and operational adjustments. Leadership and key stakeholders also need to endorse the strategy as aligned with the business.

Easier

As a result of the growing interest in and need for Zero Trust, new tools and solutions are being designed to give organisations an easier on-ramp to this approach. The latest tools can extend protection all the way from users to workloads and span both cloud and on-premises networks. The challenge of understanding applications and users doesn’t go away, but the implementation aspects are starting to become more streamlined. Ultimately, the goal is for visibility and enforcement to extend fully across every point of connection on the network, without preventing legitimate users from accessing the content that they need to do their jobs.

Even though Zero Trust is a deceptively simple concept – trust no users, devices or applications – creating the underlying architecture to support it is no small feat. Regardless, Zero Trust points the way forward to a more secure future and is becoming non-negotiable for modern enterprises.

© 2024 Professional Security Magazine. All rights reserved.