Francis O’Haire, Group Technology Director, DataSolutions informs us about Zero trust and the way this has developed over time in businesses.
Technology doesn’t sit still. It has to evolve constantly. It needs to update, to adapt while the landscape all around it seems to change at a seemingly ever-increasing pace. Technology is constantly called upon to deal with challenges, to solve problems. One area of IT that has borne witness to all of this, a subject capable of grabbing the headlines in mainstream media and the more specialized press, is cybersecurity (or the apparent lack of it). Breaches and hacks, bad actors and cyberthieves – not a day seems to go by without another story regarding a well-known company being compromised. Big or small, going after an organization (specifically, its digital assets – data, information) is big business for cybercriminals. Why kidnap a wealthy business person for a ransom when you can do so with a few clicks on a keyboard? Why risk a bullet in a botched hold-up when you could strike gold via a company server?
Today, IT security faces all sorts of challenges, not least of all from a cybercriminal cabal who are collectively able to adapt, outsmart new defenses and make everybody else play catch-up. Hardly surprising then that we have arrived at a way of thinking whose mantra is, ‘trust nobody.’ When your default position is to verify anything and everything that attempts to connect to your IT systems before access is approved, then you have arrived in the world of ‘Zero Trust.’
Once upon a time, firewalls were the darlings of IT security – they protected an organization’s networks from any external threats. While firewalls could offer a reasonable defense against an intruder on the outside trying to gain access to the inside, they relied upon the fact that everyone inside was ‘friendly,’ i.e., if an attacker did gain entry to the inside, then they could pretty much run amok and cause havoc as they pleased. And if you consider that the overwhelming majority of network traffic in a data center is East-West traffic (between internal systems), then that traffic is not getting inspected by any firewall security. In short, nothing is preventing any ‘sideways’ travel from one compromised system/device to a ‘clean’ one.
These fairly straightforward concepts of inside a network vs. outside a network seemed to make sense. People worked in offices with centralized systems and networks, data and resources were also relatively centralized, so it was much easier to keep a lid on things. However, the whole IT landscape has changed today- sensitive data and information, company resources, which are now likely to be spread across data centers, branches, clouds, and mobile devices. Under these conditions, traditional firewall security doesn’t make the cut – there is no longer a clearly defined perimeter.
It is still impossible to defend against every single iteration of a cyber-attack – there is no silver bullet, no one single security solution that fits all. However, it is possible to look at IT security from an alternative angle, seeking to provide a more robust approach to system access. It is fair to say that there is no visible end to threats/vulnerabilities – almost impossible to control. However, system access is something that you can control; you can measure it, quantify it. By concentrating your efforts on system access, you take the driving seat concerning security. This explains the idea behind Zero Trust. It isn’t a single product or solution rather an overarching theme whereby an organization nullifies any threat seeking to gain access to their system. In a Zero Trust environment, effectively, you trust nobody. Indeed, over a decade has elapsed since Forrester described this environment where no system or user is trusted (inside or outside the corporate network) without being positively identified and authorized.
Zero Trust comes at a time where organizations of all shapes and sizes have had to deal with changing working habits. While things like remote working and working from home were already familiar to a minority, COVID came along, and suddenly the majority of us found ourselves working like this. The demand for accessing your organization’s networks from outside of the traditional perimeters probably went through the roof. Suddenly, corporate intellectual property, client information, financial data, and any other company resource needed to be accessible to workers via their smart devices or home laptops. Suddenly your organization is largely operating outside of the traditional centralized network. Great news for cybercriminals who now have a much larger attack surface to consider, an increase in potential entry points, more weak spots. Little wonder then that a Zero Trust approach to security makes all the sense in the world.
- Protect your data with a multi-tiered approach
- What can the IT industry expect in 2022? More of the same: change
- Zero trust architecture is not just ‘nice to have’
- Why Zero Trust is Vital – and Achievable – for Endpoint and IoT Security
We have already stated that Zero Trust is no one single product or solution. Achieving Zero Trust involves other technologies such as strong identity management and authentication and a change in processes within the organization. However, as we grapple with a changing work landscape, multi-access networking requirements, new mobile hardware, etc., Zero Trust affords us a secure way forward in such highly dynamic times.