Traditionally, cybersecurity has been an industry dominated by barriers. The better a technology was to separate the good from the bad and build all kinds of doors, moats and walls, the better. Businesses spent more than €120 billion in 2018 to prevent attacks, but breaches persisted: an estimated 765 million people were affected by cyberattacks in April, May and June of last year alone.
Businesses are beginning to realize that technology alone does not eliminate risk or ensure the security of your information. They are starting to see the traditional model of exhaustively evaluating dozens of vendors over months become a Sisyphus task without first implementing the right strategy and best practices. For many, this means Zero Trust.
Zero Trust has become a rejuvenated buzzword in the last two years as it has become more popular with CSOs and technology providers. Zero Trust's core philosophy is "never trust, always verify" and operates on the principle that you can't separate the "good" from the "bad". Traditional approaches that focused on establishing a strong perimeter to keep bad guys out no longer work. Resources (data, applications, infrastructure, devices) are increasingly hybrid or completely outside of this perimeter. With Zero Trust, trust is removed from the equation and the focus is on continuous verification.
It has three main tenants:
- Verify every user, every time
- Validate each device
- Limit access intelligently
It is a holistic and strategic approach to security that ensures that each person and each device authorized to access a network, application or service is who and what they say they are.
Cloud blew up the perimeter
Zero Trust has become firmly entrenched in the security ethos so quickly, in part because the promise of a technology barrier as the ultimate solution to stop threats and mitigate risk has become impossible in the age of the cloud. As companies move more and more infrastructure and services to the cloud, adopt more and more mobile devices, and support all kinds of remote workers, they are actually creating holes (or at least potential holes) within their own firewalls.
I spoke at the Zero Trust Summit last year and watched Forrester analyst Dr. Chase Cunningham repeatedly tell the audience that in the age of digital transformation, perimeters no longer exist. The old approaches to security are not compatible with the sophistication of today's threats.
“People will say, 'We do things. We are working on it,” said Dr. Cunningham. “Well, guess what Target's strategy was before the breach? Protect, detect, deter, react. Guess what OMB's strategy was before the breach? Protect, detect, deter, react. It is not a strategy.
“If you stand up and say, 'Our security strategy is to work towards a Zero Trust infrastructure.' that's it,” she continued. "A sentence. Anyone can be behind this.
It's all about context
In the absence of effective perimeters, the biggest weapon companies have against malicious actors is information. At its core, Zero Trust is about information: having enough context about users, devices, and behavior to definitively determine that someone is who they say they are.
As Cunningham mentioned, this is essential in the age of the cloud and mobile phones. Ten years ago, security strategies were based on a single signal: was a request coming from inside or outside the firewall? And it worked ! Most users have connected to networks, apps, and services from their desktop at work, or perhaps a laptop at home through a VPN.
This is not the case. People need access from their desks, while waiting in line for coffee, or from 30 feet in the sky on an airplane. They connect from desktop computers, laptops, phones and tablets. Instead of a single signal, it takes hundreds to finally decide whether or not to give someone access. Zero Trust ensures that context is provided every time, with every user.
Does anyone have the correct credentials, but are they on a trusted device? They have credentials and are on a trusted device, but are they in an unusual location or are they logging in at an unusual time? These signals are valuable pieces of context that help keep information secure in today's environment. A Zero Trust approach, coupled with the right technology, ensures that companies will have the ability to answer these questions.
According to Verizon's 2018 Data Breach Report, more than 81% of breaches are due to weak or stolen passwords. With this information, it is irresponsible for companies to consider themselves protected only by usernames and passwords. As online identity becomes increasingly complex, and increasingly important to businesses and consumers, the Zero Trust approach will become firmly entrenched in the vocabulary of all CSOs.
Yes, it's a buzzword today, but it's also a critical cybersecurity strategy for the cloud age.
Corey Williams, VP of Strategy at Idaptive(Opens in a new tab)