Traditionally, cybersecurity has been an industry driven by barriers. The better a technology was at separating the good guys from the bad guys and erecting all manner of gates, moats and walls, the better. Companies spent more than $120 billion in 2018 in order to prevent attacks, but still, the breaches persisted – an estimated 765 million people were affected by cyberattacks in April, May and June of last year alone.
Companies are starting to realize that technology alone doesn’t eliminate risk or guarantee that their information stays safe. They’re starting to see that the traditional model of exhaustively evaluating dozens of vendors for months turns into a Sisyphean task without first implementing the right strategy and practices. For many, that means Zero Trust.
Zero Trust has become a rejuvenated buzz-phrase over the past couple of years as it has grown more popular with CSOs and technology vendors alike. Zero Trust’s basic philosophy is “never trust, always verify,” and works on the assumption that you can’t separate the “good guys” from the “bad guys.” Traditional approaches that focused on establishing a strong perimeter to keep the bad guys out no longer work. Resources (data, applications, infrastructure, devices) are increasingly hybrid or outside of this perimeter entirely. With Zero Trust, trust is removed from the equation and the focus placed on continuous verification.
- Why trust is the biggest selling point for cybersecurity companies
- Overcoming the digital deadlock: why trusted data is the critical pillar for transformation success
- As the first fines fly, it’s time to rethink trust in a new, GDPR-era of data privacy
It has three core tenants:
- Verify every user, every time
- Validate every device
- Intelligently limit access
It’s a holistic, strategic approach to security that ensures that everyone and every device granted access to a network, app or service is who and what they say they are.
Cloud has blown up the perimeter
Zero Trust firmly planted itself into the security zeitgeist so quickly in part because the promise of a technological barrier as an end-all, be-all to stop threats and mitigate risk became impossible in the cloud era. As businesses move more and more infrastructure and services to the cloud, adopt ever more mobile devices, and support all manners of remote workers, they’re effectively blowing holes (or at least potential holes) in their own firewalls.
I gave a talk at last year’s Zero Trust Summit, and watched Forrester analyst Dr. Chase Cunningham repeatedly tell the audience that in the age of digital transformation, perimeters don’t exist anymore. The old approaches to security don’t stack up against the sophistication of today’s threats.
“People will say, ‘We’re doing things. We’re working on it,’” Dr. Cunningham said. “Well, guess what Target’s strategy was before the breach? Protect, detect, deter, respond. Guess what OMB’s strategy was before the breach? Protect, detect, deter, respond. That’s not a strategy.
“If you stand up and say, ‘Our security strategy is to work towards a Zero Trust infrastructure.’ there it is,” he continued. “One sentence. Everyone can get behind that.”
It's all about context
In the absence of effective perimeters, the biggest weapon companies have to wield against malicious actors is information. At its core, Zero Trust is about information – having enough context about users, devices and behavior to make a definitive determination that someone is who they say they are.
As Cunningham alluded to, this is essential in the age of cloud and mobile phones. Ten years ago, security strategies relied on a single signal: Was a request coming from inside or outside of the firewall? And it worked! Most users logged into networks, apps and services from their desk at work, or perhaps from a laptop at home through a VPN.
That’s not the case anymore. People need access from their desks, while they’re in line for coffee, or from 30,000 feet in the sky on an airplane. They log in from desktops, laptops, phones and tablets. Instead of one signal, hundreds are needed to make a definitive determination about whether or not to give someone access. Zero Trust ensures that context is provided every time, with every user.
Someone has the right credentials, but are they on a trusted device? They have credentials and are on a trusted device, but are they in an unusual location or logging on at an unusual time? These signals are valuable bits of context that help keep information safe in today’s environment. A Zero Trust approach, combined with the right technology, ensures that companies will have the ability to answer these questions.
According to the 2018 Verizon Data Breach Report, more than 81 percent of breaches happened because of weak or stolen passwords. Armed with this information, it’s irresponsible for companies to consider themselves protected with just usernames and passwords. As online identity grows more and more complex – and ever more important for both businesses and consumers – the Zero Trust approach will firmly plant itself into every CSO’s vocabulary.
Yes, it’s a buzzy term today, but it’s also a foundational cybersecurity strategy for the cloud era.
Corey Williams, Vice President of Strategy at Idaptive
- We've also highlighted the best internet security suites