Companies now spend an abundance of time, energy, and dollars building trust with their various stakeholders—except, that is, when it comes to those accessing their computer networks. The goal there is to thwart cyber attackers, especially as they become ever-more sophisticated. And that requires erasing implicit trust from internal networks. To get there, the familiar “trust, but verify” approach is being supplanted by “never trust, always verify” as expressed through a “Zero Trust” security framework, with a starting assumption that all network traffic, no matter its pedigree, may be malicious. The aim: restrict network access for all users and devices, apply security controls that hide applications not required by the user, and authenticate and continuously validate identities. The ultimate goal is to enforce a risk-based and contextually aware access control posture for all network connections to corporate applications and data, whether hosted on premise or in the cloud.
The Zero Trust concept represents a dramatic shift from the castle-and-moat approach, which focuses on fortifying the perimeter to deter outsiders from accessing corporate data, while implicitly trusting insiders. In the past, IT infrastructures had well-defined perimeters. But those boundaries have grown blurry as a result of evolving business models, shifting workforce dynamics, and complex and hyper-connected IT environments. Companies have migrated their applications from data centers to the public cloud, with endpoints expanding to include mobile devices, bring your own device (BYOD) technologies, and a proliferation of web-enabled smart devices (e.g., Internet of Things [IoT]). Far from contained, the modern technology ecosphere can look dangerously ubiquitous.
Organizations can calculate the potential costs of not investing in Zero Trust. The average cost of a data breach has reached $4.24 million, an increase of nearly 10% over last year, according to a recent study.1 In instances where higher levels of remote work were a contributing factor, that cost rose to $4.96 million. High-profile ransomware threats that effectively lock users out of their own systems and demand hefty payments before giving them the key (or not) have drawn attention to the costly reputational—and possibly legal—ramifications of a cyber breach. Supply chain infrastructures, targeted through third-party software and service providers, have also been victimized. Moreover, the pandemic has likely increased leaders’ awareness of the cost of business disruptions, while having to equip a remote workforce highlighted the need to modernize their capabilities for enabling secure remote access.
C-suite executives in the midst of leading or co-leading a broader transformation initiative, for example, may want to make modernizing their security model part of that effort. And for the many businesses offering a hybrid work model, the security model needs to adapt to that shift.
In the past, well-constructed firewalls were sufficient to deter intruders. Companies now need modern armaments to fend off attackers from many endpoints, including employee devices and IoT-enabled technologies. Companies also need to secure and manage hybrid and multi-cloud environments alongside legacy infrastructures—an effort that can become mired in complexity and operational overhead, as well as talent and skills shortages. Zero Trust, which is both a methodology and a mindset, can help accomplish the task of securing an increasingly intricate IT ecosystem by applying various technologies and governance processes to an ever-challenging risk landscape.
The phrase “Zero Trust” refers to the fact that any connection request to a corporate system or network must be treated as if it were a breach. Traditionally, remote users gained access by signing on to a virtual private network (VPN). Their assigned IP address served as a free pass, enabling them to go anywhere in the network. Malicious intruders, for instance, might be able to take advantage of this unfettered access to move laterally within the network by exploiting system vulnerabilities and compromised credentials in hopes of gaining access to sensitive information or critical systems. Zero Trust Network Access (ZTNA), by contrast, employs security controls to expose only the applications a user needs, thereby preventing anybody from exploring any part of the network to which they don’t need access.
In addition, the user’s network access can be assessed, with access modified dynamically based on changing environmental conditions or user behavior (e.g., detection of malware on the endpoint may result in loss of network access or infrequently accessed applications may require additional step-up authentication). The ultimate goals of a ZTNA solution are to enforce the concept of ‘least privilege’ and contain the blast radius of a potential cyber-attack.
Prior to setting off on a transformation to Zero Trust, companies should develop a clear understanding of what they need to protect, determining where the assets that most need defending reside, who and what should be able to access these assets, and under what conditions. They should also determine the criticality of different types of data, the distinct classifications they want to apply, the environmental conditions under which access occurs, and, ultimately, which users and devices need privileges to access that data. If an attempted access request looks suspicious, a ZTNA solution should be designed to block its path.
Implementing Zero Trust typically requires breaking down the company’s IT security domains into their foundational elements. Rather than attempt to apply Zero Trust across the entire business at once, business leaders might want to analyze the seven Zero Trust domains that support IT security, prioritizing them and mapping a plan for moving up the maturity model for each. Maturing Zero Trust capabilities should take a risk-based approach to enforcing “least privilege” access, meaning that users and applications should be able to access what they need and nothing more.
Below is a list of the seven Zero Trust domains and associated descriptions within the context of this leading framework.
- Identities serve as the new perimeter and are the core component of any Zero Trust architecture. Centralize authentication and authorization to enable your workforce to access enterprise resources quickly and securely with streamlined authentication and access management.
- Workloads are applications or services being accessed by users—whether they are hosted on legacy infrastructure or in cloud environments. They can be hardened, segmented, and monitored on a granular level with adaptive actions taken in the case of risk, such as limiting access or blocking uploads to specific applications.
- Data should be at the core of an effective Zero Trust strategy. It should be classified and protected in transit over the network and at rest, whether stored in the cloud or on-premises, with advanced data discovery, encryption, and loss-prevention capabilities in place to protect sensitive data.
- Networks carry traffic between users, devices, and applications, with controls that segment (block unintended network communications), monitor, and analyze activity, operating on the assumption that all network connection requests are inherently untrustworthy.
- Devices include managed/known types as well as unmanaged (e.g., BYOD) and smart devices (e.g., IoT) that connect to an organization’s enterprise assets. Devices should be subjected to continuous assessment for risks and threats; the identity of each device, as well as the user logged in and other contextual signals—for instance, which applications that user frequently relies on—should be considered to inform risk-based adaptive access decisions and to catch anomalies that could indicate a potential intruder.
- Telemetry and analytics collect data from relevant security controls into a centralized monitoring system for event correlation and advanced analysis that can detect suspicious and potentially malicious behaviors. Threat intelligence should also be integrated to enable a threat-driven security posture for the organization.
- Automation and orchestration enable a more proactive security posture by automating detection, prevention, and response actions through integrated security controls. Security operations can ultimately be more productive through automation of investigative tasks in response to an ever-growing flood of security alerts. Integration of the organization’s security systems allows for orchestration of pre-defined incident response activities in near real time, not only detecting threats but also taking action to isolate and neutralize them.
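The adaptive, risk-based access decisions described above (a ZTNA broker exposing only the applications a user is entitled to; endpoint malware removing network access; step-up authentication for applications outside a user's normal pattern; high-sensitivity data restricted to managed, compliant devices) can be made concrete as a small policy engine. The following is an added illustration, not code from the original article or from any vendor's product. Every name in it (`Identity`, `Device`, `AccessRequest`, `evaluate`, `visible_apps`, the sample users and applications) is a constructed assumption chosen to show the decision logic, and the signal values are constructed sample data.

```python
"""Illustrative Zero Trust policy decision point (added example; hypothetical names).

Assumption: every access request carries an identity signal (MFA status and a
baseline of routinely used applications), an endpoint posture signal, and the
target application's sensitivity. Deny rules are evaluated before any allow.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up authentication required"
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # enrolled in the organization's device management
    compliant: bool         # passes posture checks (patch level, disk encryption, ...)
    malware_detected: bool  # signal from endpoint protection


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool
    # Applications this user accesses routinely (constructed behavioral baseline).
    usual_apps: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    device: Device
    app: str
    app_sensitivity: str  # "low", "medium" or "high"


def visible_apps(user: str, entitlements: dict, catalog: list) -> list:
    """ZTNA-style brokering: a user sees only the applications they are entitled to.

    Everything else in the catalog is hidden rather than merely access-denied,
    so the rest of the estate is never enumerable from the client side.
    """
    allowed = entitlements.get(user, frozenset())
    return sorted(app for app in catalog if app in allowed)


def evaluate(req: AccessRequest) -> tuple:
    """Return (Decision, reason). Hard denies come first, then contextual step-ups."""
    # A compromised endpoint loses access regardless of who is logged in.
    if req.device.malware_detected:
        return Decision.DENY, "malware detected on endpoint"
    # No strongly verified identity, no access: identity is the new perimeter.
    if not req.identity.mfa_verified:
        return Decision.DENY, "identity not strongly verified"
    # High-sensitivity data only from managed, compliant devices (unmanaged BYOD excluded).
    if req.app_sensitivity == "high" and not (req.device.managed and req.device.compliant):
        return Decision.DENY, "high-sensitivity application requires a managed, compliant device"
    # An application outside the user's normal pattern raises the bar instead of blocking.
    if req.app not in req.identity.usual_apps and req.app_sensitivity != "low":
        return Decision.STEP_UP, "application outside user's normal access pattern"
    # A managed device that has drifted out of compliance also triggers step-up.
    if req.device.managed and not req.device.compliant:
        return Decision.STEP_UP, "managed device out of compliance"
    return Decision.ALLOW, "least-privilege policy satisfied"


# --- Constructed sample data (not real users, devices or applications) ---
ALICE = Identity("alice", mfa_verified=True, usual_apps=frozenset({"erp", "mail"}))
MANAGED_OK = Device("lt-001", managed=True, compliant=True, malware_detected=False)
MANAGED_DRIFTED = Device("lt-003", managed=True, compliant=False, malware_detected=False)
BYOD_PHONE = Device("phone-7", managed=False, compliant=False, malware_detected=False)
INFECTED = Device("lt-002", managed=True, compliant=True, malware_detected=True)

SAMPLE_REQUESTS = {
    "usual_app_managed": AccessRequest(ALICE, MANAGED_OK, "erp", "high"),
    "unusual_app": AccessRequest(ALICE, MANAGED_OK, "hr-payroll", "medium"),
    "byod_high_sensitivity": AccessRequest(ALICE, BYOD_PHONE, "erp", "high"),
    "infected_endpoint": AccessRequest(ALICE, INFECTED, "mail", "low"),
    "byod_low_sensitivity": AccessRequest(ALICE, BYOD_PHONE, "mail", "low"),
    "drifted_device": AccessRequest(ALICE, MANAGED_DRIFTED, "mail", "low"),
}

ENTITLEMENTS = {"alice": frozenset({"erp", "mail", "hr-payroll"})}
CATALOG = ["erp", "mail", "hr-payroll", "admin-console"]


def run_samples() -> dict:
    """Evaluate every constructed request; returns {name: Decision}."""
    return {name: evaluate(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print("visible to alice:", visible_apps("alice", ENTITLEMENTS, CATALOG))
    for name, req in SAMPLE_REQUESTS.items():
        decision, reason = evaluate(req)
        print(f"{name:24s} -> {decision.value:36s} ({reason})")
```

The ordering of the rules is the security-relevant design choice: deny conditions (malware, unverified identity, sensitive data on an unmanaged device) are checked before any contextual step-up so that an anomaly can never downgrade a deny into a challenge, and the broker never returns `admin-console` to a user without an entitlement, which is what "hiding" an application means in practice.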