This article is part of a larger piece that was originally published on IBM’s SecurityIntelligence publication.
Organizations are increasingly creating zero trust policies to augment their digital security postures. According to Infosecurity Magazine, 15% of organizations say they implemented a zero trust policy by the end of 2019. An additional 59% of participants revealed their intention to create a policy of their own within the next 12 months.
To understand why so many organizations are flocking to zero trust, it’s important to first dive into the benefits of a zero trust policy. Let’s take a look at how it helps organizations respond to their evolving digital security challenges and the strengths and weaknesses of zero trust security.
What is zero trust?
Zero trust is an approach to digital security that lives by the law of limiting access to sensitive data. Zero trust does this by not trusting any user, device or account by default. This approach requires that a security team verify and authorize every connection into and throughout the business.
In this framing, zero trust responds to the evolution of digital security challenges beyond what the traditional perimeter security model can provide. This older idea of security rests on the assumption that threats come from outside the network and that all internal users, devices and applications can be trusted. Consequently, organizations can simply deploy firewalls, virtual private networks (VPNs) and network access controls (NACs) in order to keep computer criminals outside the network while gifting internal users unrestrained access to the network.
The times have changed, however. Many organizations have undergone processes of digital transformation in which they’ve migrated some of their assets to cloud infrastructure that lies outside IT’s immediate control. They’ve also extended remote access to suppliers, contractors, vendors and full-time employees as they’ve sought to strengthen their flexibility and adaptability for tomorrow’s business challenges.
The advent of COVID-19 is an example of this. Many organizations responded to the pandemic by mandating that their employees begin working from home to observe social distancing. Without access to their in-office resources, these newly remote employees had no choice but to use their home networks and devices to get their work done. This shift forced organizations to migrate even more workloads to the cloud to accommodate all of these remote connections, a move that introduced more one-to-one network interactions requiring verification.
Weighing zero trust’s strengths and weaknesses
The central benefit of zero trust lies in its philosophy of building trust from the ground up. The security team is essentially responsible for authorizing which connections to the business while disallowing all others. This approach enables security professionals to reduce the organization’s attack surface by gaining visibility over everything that’s connected to the organization as well as removing distrusted access points. It also entails using additional digital security controls to provide context and limit what that connection can access, as well as authenticate the integrity of that connection on an ongoing basis.
However, zero trust security does come with its fair share of challenges. Many of these obstacles result from the same developments that helped to diminish the relevance of the perimeter security model. Organizations can’t simply define trust in an inside/outside binary with respect to the network. Threatpost recommends extending that understanding of trust across five different pillars: devices, users, network access, applications and data.
It’s worth exploring how trust relates to each of these pillars:
- Devices: Security teams can’t protect what they don’t know about. With that said, they need to have the means of building an inventory of all hardware and software in their environments. Additionally, they must have capabilities in place that allow them to monitor and control all approved devices based upon the organization’s security policies. They can then use this awareness to distrust unapproved devices.
- Users: A set of credentials provides one means of authenticating users. But malicious actors can compromise a username and password and thereby impersonate a user by authenticating to protected systems. Therefore, organizations must implement more secure user authentication and identification methods that use context and other security measures to help further verify the individual behind a login attempt.
- Network Access: Once a user gains access to a system, they should not receive the same type of unlimited freedom to move around that’s granted by the perimeter security model. Otherwise, they could choose to access sensitive assets and thereby jeopardize the organization’s data. To reduce the risks associated with insider threats and other digital attacks, organizations need to limit what users can access. They should specifically restrict users’ access to only those network assets that they need to fulfill their work duties.
- Applications: Organizations must make sure that users can access an application that’s necessary for their work from any of their approved devices. This process ties back into the first point about building an inventory of known hardware and software. To be effective, this program should take into account the temporary connections that could result from contractors, vendors and other third parties.
- Data: Finally, organizations need to make sure data remains protected. This step not only ensures the integrity of their data, so that the workforce as a whole is working with the correct information; it also requires security teams to implement solutions that prevent threat actors from taking that correct data outside of the network and misusing it for malicious purposes.
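As an added illustration (not from the article or from IBM), here is a minimal per-connection policy check that applies the device, user and network-access pillars above, denying by default and requiring re-verification of long-lived sessions. The device inventory, roles, application mappings and session limit are constructed sample data, not values from the article.

```python
from dataclasses import dataclass

# Constructed sample data: the hardware/software inventory the Devices pillar calls for,
# and least-privilege mappings from role to the applications that role actually needs.
APPROVED_DEVICES = {
    "laptop-0042": {"owner": "alice", "managed": True, "patched": True},
    "laptop-0077": {"owner": "bob", "managed": True, "patched": False},
}
USER_ROLES = {"alice": {"finance"}, "bob": {"contractor"}}
ROLE_ACCESS = {"finance": {"ledger-app"}, "contractor": {"ticketing"}}
MAX_SESSION_S = 3600  # constructed limit: connections older than this must re-verify


@dataclass
class Request:
    user: str
    device_id: str
    mfa_verified: bool  # Users pillar: a password alone is not enough
    application: str
    session_age_s: int = 0


def evaluate(req: Request):
    """Return (allowed, reasons). Nothing is trusted by default: every pillar must pass."""
    reasons = []

    # Devices pillar: unknown, non-compliant or wrongly assigned devices are distrusted.
    dev = APPROVED_DEVICES.get(req.device_id)
    if dev is None:
        reasons.append("device: not in inventory")
    elif not (dev["managed"] and dev["patched"]):
        reasons.append("device: not compliant with security policy")
    elif dev["owner"] != req.user:
        reasons.append("device: not assigned to this user")

    # Users pillar: require a second factor beyond the credential pair.
    if not req.mfa_verified:
        reasons.append("user: multi-factor verification missing")

    # Network-access pillar: only the applications the user's role needs, nothing more.
    roles = USER_ROLES.get(req.user, set())
    allowed_apps = set().union(*(ROLE_ACCESS.get(r, set()) for r in roles))
    if req.application not in allowed_apps:
        reasons.append("access: application not required for user's role")

    # Ongoing verification: stale sessions are sent back through the checks above.
    if req.session_age_s > MAX_SESSION_S:
        reasons.append("session: exceeded maximum age, re-verification required")

    return (not reasons, reasons)
```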