Old cybersecurity habits increasingly inadequate against evolving threats.
The Whack-A-Mole approach to cybersecurity doesn’t work anymore. Years of continually adding new security products for every emerging threat have only resulted in overly complex and often counterproductive security environments. To reverse this trend, more organizations are looking to implement a comprehensive zero-trust approach to security.
Zero trust represents a radical shift from traditional “implicit trust” models, which assume that users and devices inside the network perimeter are inherently safe. The steady rise of data breaches, ransomware attacks and other forms of cybercrime over the past decade makes it clear that a new approach is necessary.
“We can’t fall into old habits and try to treat everything the same as we did in the past,” said Richard Addiscott, Senior Director Analyst, Gartner. “Most security and risk leaders now recognize that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our program and our architecture.”
Mainstream Support
Zero trust instead assumes that malicious actors may already be present both inside and outside the network, and it denies access to all users, applications and data by default. Combining access controls, network segmentation, multifactor authentication and other techniques, zero trust evaluates every access request on its own merits and keeps verifying users and devices even after access has been granted, re-evaluating when a session ages or a device’s security posture changes. It also limits access to the minimum a user or workload needs for its task, the principle of least privilege.
There is widespread support for the model. One hundred percent of security professionals say zero trust is important for reducing cyber risk, according to a study from Information Security Media Group. In a separate survey from the Cloud Security Alliance, 94 percent of security pros say their organizations are currently implementing elements of a zero-trust architecture (ZTA).
The U.S. federal government has mandated that all agencies meet specific zero-trust goals by the end of fiscal year 2024 (OMB memorandum M-22-09), and two-thirds of agencies expect to meet the requirements on time or ahead of schedule, according to a survey commissioned by defense firm General Dynamics Information Technology.
“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” said Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency (CISA). “Zero trust is a key element of this effort to modernize and strengthen our defenses.”
A Process, Not a Product
It’s important to keep in mind that zero trust is not a single solution but rather a framework requiring everyone and everything accessing network resources to be verified and validated. It isn’t a product to be installed over a weekend. In fact, most analysts say achieving zero trust can be a years-long process requiring incremental improvements to the security environment.
Zero trust does, however, call for specific security capabilities across the five pillars of CISA’s Zero Trust Maturity Model:
- Identity. Roughly 80 percent of hacking-related breaches involve weak, stolen or otherwise compromised credentials. In a zero-trust environment, identity and access management (IAM) and privileged access management (PAM) solutions verify user identities and enforce least-privilege access, limiting users to the data and systems they need for their jobs. Multifactor authentication (ideally phishing-resistant methods such as FIDO2 or PIV), user provisioning and single sign-on are also essential for identity verification.
- Devices. Businesses today may support thousands of network-connected devices, but studies show few organizations have an accurate inventory of them. Poor visibility into the endpoint environment makes it impossible to verify a device’s security before granting it access. Organizations must build a complete inventory of every device they own, support or authorize, and use asset and endpoint management tools to continually monitor device health (patch level, disk encryption, endpoint protection) so that posture can feed access decisions: a device that is unknown or out of compliance should not receive the same access as a healthy, managed one.
- Networks. Stealthy threats that get past the perimeter may remain undetected for weeks or months, moving laterally through the network, harvesting credentials and stealing data. Network segmentation limits a threat’s ability to spread by dividing the network into smaller, isolated zones, each with its own access controls; in a zero-trust design, being inside a zone is one input to the access decision, not a grant of trust, and traffic between zones is encrypted and authenticated. Automated threat detection tools add a further layer by using machine learning and analytics to surface anomalous activity (unusual lateral connections, credential use from unexpected hosts) so it can be contained before the attacker reaches their objective.
- Applications. All applications and workloads should be scanned, tested and patched regularly to remove vulnerabilities. Access to each application, and each application’s access to data, should be authorized per request on the basis of user identity, device posture, location, data classification and other attributes, and granted on a least-privilege basis. Security testing should also be integrated into the application development and deployment process.
- Data. Most organizations have data in a dozen or more official repositories as well as in informal ones such as email, collaboration portals, messaging services and personal devices. Zero trust requires organizations to discover and classify all of that data, encrypt it at rest and in transit, and tie access to it to the data’s classification and the requester’s verified identity and device.
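To make the pillars concrete, the following is an added illustration, not code from the article or from CISA, of a toy policy decision point in Python: each access request carries identity, device posture, source network segment, application and data classification, and the decision is allow only when every pillar’s check passes. All role names, segment labels, classification levels, the MFA age limit and the patch-lag thresholds are assumptions chosen for the demo. It goes slightly beyond the text in two scenarios: a request from an uninventoried device on the corporate network is denied even though it sits “inside the perimeter”, and a session whose MFA has aged out is denied on its next request, which is what continuous verification means in practice.

```python
"""Toy zero-trust policy decision point. Added illustration, not code from
the article or from CISA; every role, segment label, classification level
and threshold is an assumption. Default deny: a request is allowed only if
it passes every pillar's check."""
from dataclasses import dataclass
from enum import IntEnum

class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    mfa_age_s: int          # seconds since the user last completed MFA

@dataclass(frozen=True)
class Device:
    device_id: str
    inventoried: bool       # present in the asset inventory
    disk_encrypted: bool
    edr_running: bool
    patch_lag_days: int     # days since the device was last fully patched

@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    source_segment: str     # network segment the request arrives from
    application: str
    data_classification: Classification

# Constructed policy table (assumption): roles allowed into each application,
# the highest classification it may serve, and the segments it accepts from.
APP_POLICY = {
    "payroll": {"roles": {"hr", "finance"},
                "max_class": Classification.RESTRICTED,
                "segments": {"corp-managed"}},
    "wiki": {"roles": {"staff", "hr", "finance", "eng"},
             "max_class": Classification.INTERNAL,
             "segments": {"corp-managed", "vpn", "internet"}},
}
MFA_MAX_AGE_S = 15 * 60     # re-verify after 15 minutes (assumption)

def device_posture_ok(dev, cls):
    """Devices pillar: unknown or unhealthy devices never pass; patch currency
    must be tighter for more sensitive data."""
    if not dev.inventoried:
        return False, "device not in inventory"
    if not (dev.disk_encrypted and dev.edr_running):
        return False, "device posture failed (encryption/EDR)"
    max_lag = 7 if cls >= Classification.CONFIDENTIAL else 30
    if dev.patch_lag_days > max_lag:
        return False, f"patch lag {dev.patch_lag_days}d exceeds {max_lag}d"
    return True, ""

def decide(req):
    """Return (allowed, reason). Only an explicit pass through every
    check yields True; any fall-through is a denial."""
    policy = APP_POLICY.get(req.application)
    if policy is None:                                  # applications pillar
        return False, "no policy for application"
    if not (req.identity.roles & policy["roles"]):      # identity pillar
        return False, "role not authorized for application"
    if req.identity.mfa_age_s > MFA_MAX_AGE_S:          # continuous verification
        return False, "MFA stale; re-verification required"
    ok, why = device_posture_ok(req.device, req.data_classification)
    if not ok:                                          # devices pillar
        return False, why
    if req.source_segment not in policy["segments"]:    # networks pillar
        return False, f"segment {req.source_segment!r} not permitted"
    if req.data_classification > policy["max_class"]:   # data pillar
        return False, "classification exceeds application ceiling"
    return True, "all checks passed"

def run_scenarios():
    """Constructed sample requests; returns {label: (allowed, reason)}."""
    alice = Identity("alice", frozenset({"hr"}), mfa_age_s=120)
    alice_stale = Identity("alice", frozenset({"hr"}), mfa_age_s=3600)
    bob = Identity("bob", frozenset({"eng"}), mfa_age_s=10)
    managed = Device("LT-0042", True, True, True, patch_lag_days=3)
    unknown = Device("aa:bb:cc:dd:ee:ff", False, False, False, patch_lag_days=0)
    R, C = Request, Classification
    scenarios = {
        "hr on managed laptop, corp segment": R(alice, managed, "corp-managed", "payroll", C.RESTRICTED),
        "same user, unknown device inside the perimeter": R(alice, unknown, "corp-managed", "payroll", C.RESTRICTED),
        "same user and device, from VPN": R(alice, managed, "vpn", "payroll", C.RESTRICTED),
        "same session an hour later, no re-MFA": R(alice_stale, managed, "corp-managed", "payroll", C.RESTRICTED),
        "engineer reads internal wiki from the internet": R(bob, managed, "internet", "wiki", C.INTERNAL),
        "engineer reads confidential page on wiki": R(bob, managed, "internet", "wiki", C.CONFIDENTIAL),
        "engineer tries payroll": R(bob, managed, "corp-managed", "payroll", C.RESTRICTED),
    }
    return {label: decide(req) for label, req in scenarios.items()}

if __name__ == "__main__":
    for label, (allowed, reason) in run_scenarios().items():
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{verdict:5} {label}: {reason}")
```

Run it directly to print the verdict and reason for each scenario. A real policy engine would pull the same inputs from the identity provider, the endpoint management agent and the data classification service rather than from hard-coded structures, but the shape of the decision is the same: default deny, evaluated per request, with every pillar as an input rather than network location alone.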
In an age of widely distributed computing environments, growing attack surfaces and increasingly sophisticated threats, a reactive security posture is no longer adequate. Instead of addressing individual threats as they pop up, organizations need a more proactive approach. A zero-trust architecture provides that framework: by verifying every request and granting only the access it needs, it limits how far an intruder can move and how much damage a compromised account, device or workload can do.