We consume and manage mountains of data every day. Not just music and TV streaming, either. As we work from home in record numbers, we continue to access documents, applications and corporate databases using a range of devices connected to a plethora of Wi-Fi and cellular networks. We collaborate with colleagues, and communicate with external vendors and customers, via email, cloud services and a host of unified communications tools.
Every time corporate data is accessed, particularly when done remotely, it is exposed through various ‘attack surfaces’ that an adversary can target. Over the past couple of decades, enterprises have invested heavily in security tools such as firewalls and VPNs, designed to identify and stop threats while giving remote workers access to critical data. Although flawed, this has been a fairly successful way of protecting data.
In the past decade, however, security experts have realized the shortcomings of these tools. A hacker who successfully steals the login credentials of an unsuspecting employee may be able to freely explore and exfiltrate an enterprise’s valuable resources, without the company’s IT team even being aware.
The rise of Zero Trust
This has given rise to several changes, including the adoption of multifactor authentication (MFA) and other endpoint management tools. But it also helped popularize the concept of Zero Trust, a term coined in 2010 by former Forrester Research analyst, John Kindervag.
The basic idea is that Zero Trust helps prevent successful data breaches by removing automatic trust from an organization’s network architecture. In other words, an employee or a device trying to access an application or data has to prove their identity, based on a “never trust, always verify” process of authentication. The goal is to provide Layer 7 threat prevention while giving IT teams granular policy and user-access control.
Essentially, anyone or any device attempting to connect to a network asset is treated as untrustworthy. The model emphasizes the use of device and user credentials as the basis for granting or denying access to specific assets.
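As an added illustration (not code from the original article), the following Python sketch evaluates a single access request the way the model above describes: the decision is made per asset from user identity and device posture, starts from deny, and never looks at which network the request came from. The policy table, user and device records are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool   # primary credential (e.g. password) verified
    mfa_passed: bool      # second factor completed for this session
    groups: frozenset     # roles the identity provider asserts


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in endpoint management
    compliant: bool       # posture check passed (encryption, patch level, ...)


# Constructed sample policy: one entry per protected asset, stating which
# groups may reach it and what the session and device must satisfy.
POLICY = {
    "hr-database": {"groups": {"hr"}, "require_managed": True, "require_mfa": True},
    "wiki": {"groups": {"hr", "eng"}, "require_managed": False, "require_mfa": True},
}


def decide(user: User, device: Device, asset: str) -> tuple[bool, str]:
    """Evaluate one access request. Default deny; every outcome carries a reason.

    Note what is *not* an input: the source IP or network. Being on the office
    LAN or the VPN earns no trust; identity and device posture decide.
    """
    rule = POLICY.get(asset)
    if rule is None:
        return False, "unknown asset"          # nothing is implicitly reachable
    if not user.authenticated:
        return False, "user not authenticated"
    if rule["require_mfa"] and not user.mfa_passed:
        return False, "mfa required"            # stolen password alone is not enough
    if rule["require_managed"] and not (device.managed and device.compliant):
        return False, "device not managed or compliant"
    if not (user.groups & rule["groups"]):
        return False, "user not authorized for asset"
    return True, "allowed"


if __name__ == "__main__":
    alice = User("alice", True, True, frozenset({"hr"}))
    laptop = Device("lt-0001", managed=True, compliant=True)
    print(decide(alice, laptop, "hr-database"))
```

The stolen-credentials scenario from earlier in the article maps onto the second check: a session that knows Alice's password but has not completed MFA is refused before the asset policy is even consulted.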
Recent attacks
Recent news about successful ransomware attacks helps shed light on a key reason why Zero Trust is so necessary. In one instance, Japanese vehicle manufacturer Honda was forced to temporarily halt global production and shipping of vehicles due to a suspected ransomware attack that targeted one of its internal servers and quickly spread.
In another attack, the CEO of Israeli software company Sapiens, Roni Al-Dor, is believed to have paid hackers $250,000 in Bitcoin in order to avoid having the company’s computers shut down.
What is the common thread in these attacks? It is likely that the hackers in each case took advantage of the security vulnerabilities caused by the enormous increase in remote work. Employees were less safe working at home than they had been at the office.
Why we need Zero Trust
The Zero Trust model of security does away with the traditional castle-and-moat distinction between a trusted inside and an untrusted outside. Instead of focusing on a perimeter based on ‘owned’ networks, organizations need to defend themselves by assuming that anything trying to access data may be a threat.
For the most part, the castle itself no longer exists. Roughly 98% of companies maintain some kind of on-premises data; however, the shift to the cloud means that companies no longer operate massive data centers serving a contained network of systems.
Zero Trust for the remote, decentralized workforce
As an increasing number of employees work from home, away from the relative protection of an office network, the idea of a truly secure perimeter has gone by the wayside. There are three key reasons why Zero Trust architectures make a lot of sense for our new breed of decentralized organizations and their increasingly ‘deskless’ employees.
- More data. More users and more devices than ever are accessing data and applications hosted in a mixture of public cloud, private cloud and on-premises infrastructure, making it harder to establish and enforce a network perimeter.
- Bigger attack surface. The increase in traffic and scattered nature of data go hand-in-hand with an increase in attack surface, caused by users working from virtually anywhere on any device and any network.
- Lack of visibility. This has been a long-term issue for IT teams grappling with control of devices outside corporate-managed network environments.
Deploying a Zero Trust architecture
Zero Trust is a concept and not a product in the strictest sense. However, products built around this framework are starting to take shape within the security landscape. One of the most promising is Zero Trust Network Access (ZTNA), otherwise known as Software Defined Perimeter (SDP).
As ZTNA and other technologies based on Zero Trust gain traction, it is unlikely that they will completely replace existing tools such as VPNs. The beauty of Zero Trust is that in most cases it can be layered onto established solutions to augment their effectiveness with greater policy controls and far superior network visibility. It promises to be a huge advancement in keeping data secure, no matter where employees may be.