The mainstay of cybersecurity practices has been that bad actors are 'out there' and defense mechanisms secure workloads and data 'in here.' This drives the perimeter-centric idea of enterprise security, focusing primarily on inbound attacks with firewalls and passwords to protect workloads and data.
However, after the pandemic and the consequent acceleration in digital transformation, the challenges for protecting users and workloads have increased significantly. Boardroom meetings went virtual, sensitive company data was shared among geographically distributed teams, and employees now access enterprise servers via multiple devices to stay connected.
As the corporate IT infrastructure changed, the bad actors also evolved by changing methods and volume of attacks. The perimeter-centric view of security no longer holds in a digital, distributed IT environment with multiple failure points, which makes it easier for bad actors to scout and exploit vulnerabilities.
Often, these vulnerabilities are people. Per Verizon's 2023 Data Breach Investigations Report, 74% of security breaches can be traced back to human error, which refers to an employee either purposefully doing something they should not or falling prey to bad actors attaining access or information from them. Over the years, the cost of a single breach has only escalated, standing at $4.3 million in 2023, according to IBM's latest Cost of Data Breach Report.
Paranoia is good: Why Zero Trust is the Need of the Hour
The threat exposure landscape has evolved into a complex mesh, creating a need for something more than a perimeter-centric security approach.
Zero trust is an approach that leads to a simpler network infrastructure, a better user experience, and an improved cybersecurity posture. It enforces access policies based on context, including a user’s role and location, their device, and the data they are requesting. It blocks inappropriate access and lateral movement throughout an environment.
And just as with any other foundational shift, the zero-trust security approach comes with its challenges.
Laying the Groundwork for Zero Trust
Enterprises find it difficult to pivot to a zero-trust security model because, at its very core, it calls for a mental shift away from the three crucial pillars of traditional security approaches:
- Trust perimeter: Traditional security practices assume personas that can be trusted with access. They work with the perimeter-centric view that establishes a network-based connection and grants access to systems on that network. Zero trust turns this on its head: it assumes a trust perimeter is insufficient and instead requires every stakeholder to establish identity and the need for access on a workload-by-workload basis.
- Networks provide security: Traditional enterprise security revolves around firewalls, virtual private networks (VPNs), or dedicated physical network connections. These have proved to be inadequate, expensive, and difficult to manage. The zero-trust security model eliminates the need for many of these network technologies, freeing up costs and providing greater flexibility.
- IAM-first focus on people: A zero-trust architecture offers a secure connection to workloads with accurate user privileges, while ensuring applications have up-to-date Identity and Access Management (IAM) policies.
Five-Point Enterprise Strategy for Zero Trust
Zero Trust starts with "Never trust, always verify," but goes beyond identity and secure access. Threats can emerge externally and internally, necessitating a comprehensive risk assessment that pinpoints vital data, IT assets, potential threats, and potential attack vectors, including those originating from insiders.
Here are five critical points enterprises need to consider when implementing a zero-trust security approach:
- Map the data flow: It's essential to understand which users or applications require specific access. Deploying IAM with multi-factor authentication and the principle of least-privilege access, backed by regular audits and adjustments, is key.
- Context-based policies: The zero-trust approach assumes policies verify access requests based on context. This includes the user identity, the device the request is coming from, the location of the request, the type of data to be accessed, and the application being accessed. This ensures that only those with an established 'reason' can access specific assets, and prevents an 'untrusted' network from gaining access to workloads and data it is not entitled to.
- Reduced attack surface: Because users connect directly to the applications and other resources they need rather than to a network, there is no path for lateral movement and a compromised device cannot infect other resources. With this architecture, the applications are invisible to the internet, so they can't be discovered and attacked individually.
- Make employees security aware: To achieve optimal results, it is essential that all employees fully understand and adhere to proper security practices. Rigorous training programs must be implemented to ensure everyone is equipped with the knowledge and skills to verify before trusting. Training needs to be an ongoing process, and tests should be run regularly to measure improvement and see who might need more focused training.
- Test via mock drills: In all environments, it's imperative to have plans for implementing patches for discovered vulnerabilities and for rolling out updates across tools, with a process to understand the impacts on other security tools, as well as plans for incident response. However, simply having a plan is not always sufficient. Red team and purple team drills should be conducted regularly. Most importantly, tabletop drills for incident response need to be executed regularly so that all parties understand their roles in the event of an attack and, in the worst case, how to execute a cyber recovery.
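As an added illustration (not code from the article or from Persistent Systems), here is a hypothetical policy evaluator in Python that applies the context checks listed above: role entitlement, MFA, device posture, location and data classification, with deny as the default and the failed checks returned for audit logging. The request fields, the two applications and the step-up rule table are constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical request context; the field names are constructed for this example.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device_managed: bool       # enrolled in the organisation's device management
    device_patched: bool       # device posture check passed
    location: str              # "office", "home" or "unknown"
    application: str
    data_classification: str   # "public", "internal" or "confidential"

# Constructed entitlement table: which roles may reach which application at all.
APP_ENTITLEMENTS = {
    "payroll": {"hr", "finance"},
    "wiki": {"hr", "finance", "engineering"},
}

# Constructed step-up rules: more sensitive data demands more context.
STEP_UP = {
    "public":       {"mfa": False, "managed_device": False, "locations": {"office", "home", "unknown"}},
    "internal":     {"mfa": True,  "managed_device": False, "locations": {"office", "home", "unknown"}},
    "confidential": {"mfa": True,  "managed_device": True,  "locations": {"office", "home"}},
}

def evaluate(req):
    """Deny by default: allow only if every contextual check passes.
    Returns (decision, failed_checks); the list is what you would write to the audit log."""
    failed = []
    roles = APP_ENTITLEMENTS.get(req.application)
    if roles is None:
        failed.append("unknown application")            # unpublished apps are never reachable
    elif req.role not in roles:
        failed.append("role not entitled to application")
    rule = STEP_UP.get(req.data_classification)
    if rule is None:
        failed.append("unknown data classification")
    else:
        if rule["mfa"] and not req.mfa_verified:
            failed.append("MFA required")
        if rule["managed_device"] and not req.device_managed:
            failed.append("managed device required")
        if req.location not in rule["locations"]:
            failed.append("location not permitted for this data")
    if not req.device_patched:
        failed.append("device posture check failed")    # posture is checked on every request
    return ("allow", []) if not failed else ("deny", failed)
```

Note that network origin never appears as a reason to allow: being "on the corporate network" earns nothing, and every request is re-evaluated against the full context.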
These actions will help organizations ensure consistent verification and preparedness for the attacks that will happen regardless of the defenses in place.
By the time you finish reading this article, a hacker could have attempted to access privileged or critical information through a phishing attack, malware, or social engineering maneuvers.
The need of the hour is a security strategy where policies are applied based on the context of least-privileged access and strict user authentication – not assumed trust. In other words: never trust, always verify.
George Symons is Vice President of Strategy for Cloud, Infrastructure, and Security at Persistent Systems.