Zero trust is at the top of every CIO's and CISO's agenda, typically as a way to overcome the limits of legacy security approaches in today's IT landscape. According to Cybersecurity Insiders, only 15% of organizations said they had implemented a zero-trust policy by the end of 2019, yet more than 50% are planning to do so in the coming year. More organizations than ever are in the process of moving to a zero-trust security model, but few are making that goal a reality.
First, we should understand why zero trust has come to the forefront now. Up until recently, organizations relied predominantly on network access and segmentation to separate trusted internal network traffic from the untrusted external traffic. However, once a bad actor breaches the perimeter, the entirety of the data within that network may be at risk. Through analysis and post-mortems, one trend has become clear: Most serious data breaches occur when attackers gain a foothold inside the corporate network. Once into the network, accessed via a system vulnerability, compromised credentials or a gap in the firewall, attackers can move into other internal systems without detection.
Time to get aboard the zero-trust adoption train
Given what we know, organizations are looking for ways to limit the lateral movement of attackers within the enterprise landscape. However, network segmentation and least-privilege network access alone are not enough in today's world. The COVID-19 pandemic has accelerated the uptake of SaaS, which has positioned critical data outside of the regular network boundaries.
This is where the zero-trust security model comes into play. Zero trust assumes that untrusted users exist on both sides of the perimeter. With this approach, there is no unquestioned trust of anything inside the corporate landscape or outside its boundaries. Any device or user trying to connect to internal business systems must be verified before access is granted. Zero trust also calls for governance policies that enforce a least-privilege approach, meaning users are granted the least amount of access needed to accomplish a specific task. To achieve this, organizations often use several technologies, including multifactor authentication, identity and access management, network access control and encryption.
Another key element of the zero-trust approach is to monitor and inspect all requests, not just those originating externally. Even when you have least-privilege access in place, there will always be privileged users who have access to sensitive data in the system, making those user accounts potential conduits for configuration changes and data leakage. As a result, continuous monitoring and analysis of user activities are required to ensure any potential risks can be caught and neutralized quickly.
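The per-request decision the two paragraphs above describe (verify the identity, check the device, grant only what the role's least-privilege set allows, and record every request, internal or external, for later analysis) can be sketched as a small policy-decision point. The code below is an added example written for this page, not code from the author or from Pathlock; the role table, the device-posture fields, the eight-hour session limit and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy-decision point: deny by default, verify identity and
# device on every request, enforce a least-privilege role table, and append
# one audit record per request whether it came from inside or outside.


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    mfa_verified: bool
    auth_time: datetime  # when the session was last authenticated


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool  # enrolled in the organization's device management (assumed field)
    disk_encrypted: bool
    os_patched: bool


# Least privilege: each role carries only the (resource, action) pairs it needs.
# Constructed sample table; a real deployment would source this from IAM.
ROLE_PERMISSIONS = {
    "finance_analyst": {("ledger", "read")},
    "finance_admin": {("ledger", "read"), ("ledger", "write"), ("ledger", "export")},
    "it_support": {("helpdesk", "read"), ("helpdesk", "write")},
}
PRIVILEGED_ACTIONS = {"write", "export"}  # flagged in the log for closer review
SESSION_MAX_AGE = timedelta(hours=8)  # assumed re-authentication interval


def device_compliant(device: Device) -> bool:
    """Device posture check: only managed, encrypted, patched devices pass."""
    return device.managed and device.disk_encrypted and device.os_patched


def evaluate(principal, device, resource, action, now, audit_log):
    """Return (allowed, reason). Nothing is trusted by default; every
    request, allowed or denied, is appended to audit_log."""
    allowed, reason = False, "no policy matched"
    if not principal.mfa_verified:
        reason = "mfa not verified"
    elif now - principal.auth_time > SESSION_MAX_AGE:
        reason = "session too old, re-authentication required"
    elif not device_compliant(device):
        reason = "device not compliant"
    else:
        granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in principal.roles))
        if (resource, action) in granted:
            allowed, reason = True, "granted by role"
        else:
            reason = "action not in least-privilege role set"
    audit_log.append({
        "ts": now.isoformat(), "user": principal.user, "device": device.device_id,
        "resource": resource, "action": action, "allowed": allowed, "reason": reason,
        "privileged": action in PRIVILEGED_ACTIONS,
    })
    return allowed, reason


def demo():
    """Three constructed requests from one analyst: one allowed, two denied."""
    now = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
    log = []
    analyst = Principal("alice", frozenset({"finance_analyst"}), True, now - timedelta(minutes=5))
    laptop = Device("lt-001", managed=True, disk_encrypted=True, os_patched=True)
    byod = Device("phone-77", managed=False, disk_encrypted=True, os_patched=True)
    r1 = evaluate(analyst, laptop, "ledger", "read", now, log)    # allowed by role
    r2 = evaluate(analyst, laptop, "ledger", "export", now, log)  # denied: not in role set
    r3 = evaluate(analyst, byod, "ledger", "read", now, log)      # denied: unmanaged device
    return r1, r2, r3, log


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

The audit record is written on the deny path as well as the allow path; a denied export from an otherwise healthy session is exactly the kind of event the monitoring the article calls for should surface.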
Zero trust is a model that all organizations with sensitive data should consider. Government agencies often set the standard, as they are the most frequent targets of cyber attacks, but the methods they employ should be used across the private sector as well. Whether it is customer data, employee data, financial data or intellectual property, zero-trust principles function to keep critical assets secure. Inevitably, bad actors will compromise a device or credential, and what happens next depends on how well the organization has instituted least-privilege access and narrowed the scope of what those devices and credentials can do.
The network alone isn't enough to secure data
Implementing a zero-trust model across identities, networks, devices and applications can be the difference between a limited hack with insignificant damage and a major incident with loss of critical data. Any organization that is uncertain about the value of zero trust should start with an audit of its identities, networks, devices and applications. Undoubtedly, it will find cases of shadow IT, zombie accounts and overprivileged users that represent clear and present dangers.
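The identity part of that audit, finding zombie accounts and overprivileged users, is mechanical once an inventory exists. The script below is an added example for this page, not the author's or Pathlock's tooling; the account records, the 90-day idle threshold and the per-role entitlement baseline are constructed assumptions standing in for an export from a real directory or IAM system.

```python
from datetime import datetime, timedelta, timezone

# Fixed audit time so the constructed sample is reproducible.
AUDIT_TIME = datetime(2021, 3, 1, tzinfo=timezone.utc)

# Constructed identity inventory. "entitlements" are the permissions the
# account actually holds; "last_login" is None for accounts never used.
ACCOUNTS = [
    {"user": "alice", "role": "finance_analyst", "enabled": True,
     "entitlements": {"ledger:read"},
     "last_login": AUDIT_TIME - timedelta(days=2)},
    {"user": "bob", "role": "finance_analyst", "enabled": True,
     "entitlements": {"ledger:read", "ledger:write", "ledger:export"},  # exceeds role
     "last_login": AUDIT_TIME - timedelta(days=1)},
    {"user": "svc-legacy", "role": "service", "enabled": True,
     "entitlements": {"ledger:read"},
     "last_login": AUDIT_TIME - timedelta(days=400)},  # idle service account
    {"user": "carol", "role": "it_support", "enabled": True,
     "entitlements": {"helpdesk:read", "helpdesk:write"},
     "last_login": None},  # provisioned, never signed in
    {"user": "dave", "role": "finance_admin", "enabled": False,
     "entitlements": {"ledger:read", "ledger:write", "ledger:export"},
     "last_login": AUDIT_TIME - timedelta(days=300)},  # already disabled
]

# Least-privilege baseline: the entitlements each role is supposed to have.
ROLE_BASELINE = {
    "finance_analyst": {"ledger:read"},
    "finance_admin": {"ledger:read", "ledger:write", "ledger:export"},
    "it_support": {"helpdesk:read", "helpdesk:write"},
    "service": {"ledger:read"},
}


def find_zombie_accounts(accounts, now, max_idle_days=90):
    """Enabled accounts with no sign-in within max_idle_days, or never."""
    cutoff = now - timedelta(days=max_idle_days)
    zombies = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are already contained
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            zombies.append(acct["user"])
    return zombies


def find_overprivileged(accounts, baseline):
    """Map user -> sorted entitlements beyond the least-privilege baseline
    of the user's role. Unknown roles are treated as having no baseline."""
    excess_by_user = {}
    for acct in accounts:
        excess = acct["entitlements"] - baseline.get(acct["role"], set())
        if excess:
            excess_by_user[acct["user"]] = sorted(excess)
    return excess_by_user


def audit(accounts, now, baseline):
    """Combined report used as the starting point for remediation."""
    return {
        "zombie_accounts": find_zombie_accounts(accounts, now),
        "overprivileged": find_overprivileged(accounts, baseline),
    }


if __name__ == "__main__":
    print(audit(ACCOUNTS, AUDIT_TIME, ROLE_BASELINE))
```

Run periodically, the same two checks turn the article's "continuous improvement" into a measurable trend: the zombie list and the excess-entitlement map should both shrink release over release.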
A zero-trust philosophy can immediately begin to address current gaps and provide a foundation for managing risk going forward. With zero trust, the goal is continuous improvement by reducing risk exposure over time, with the acknowledgement that some risk might always be present but less risk is always better than more.
About the author
Kevin Dunne is the president at unified access orchestration company Pathlock, providing expertise to revolutionize the way enterprises secure their sensitive financial and customer data. He was formerly the senior vice president of strategic initiatives at Tricentis; as general manager of TestProject, he ensured Tricentis' commitment to innovation and delivering tools to create better software. With a deep interest in the emerging trends in software development and testing, Dunne is dedicated to collaborating with thought leaders in this space. Dunne came to Tricentis from Deloitte, where he managed testing on large government and Fortune 500 engagements delivering ERP implementations and custom software development.