A zero-trust security architecture, which makes the assumption that every user is hostile, is a move to minimize a potential attacker’s playing field.
In a world where trust is everything, it’s counterintuitive to think of ‘zero trust’ as a good thing – especially when it comes to your employees and long-time vendors.
But all it takes is one person. And more often than not, executives are the primary target. A ping in the inbox reveals an innocent email that requests your immediate response. Perhaps you even recognize the name of the sender? During a hectic day of meetings, it’s a mistake that anyone could make.
Gartner calculates that the number of insider incidents in corporations today has increased by 44.3% between 2020 and 2021. The risks stem from either intentional bad actors in the organization or through simple negligence. New research from Ponemon Institute calls this “the rise of the super malicious insider”. This is costing companies big time, reportedly up to $15.38 million annually in damages.
Nothing is trusted
“In a zero trust security environment, the assumption is that everything and anything can be compromised. Nothing is trusted, ever, at any time. From there, the rest of the principals of zero trust follow. We authenticate all users and sources, deny all activity by default, and only allow activity – of any kind – by explicit policy. We do not assume that identity or permissions are static, even minute to minute. After all, attacks are constantly adapting, so our defense must match that,” says Joel Bilheimer, Chief Information Security Officer, Pexip Americas.
Imagine if you will the typical corporate office. Your key card is what enables you to enter the building. If we were to apply a zero trust approach to this scenario, that key card is required not only to enter the building, but to enter every zone and workspace, thus ensuring that you are who you are and you are roaming only where allowed. Now let’s extend our thinking into our IT systems. Zero-trust architecture does the same thing by restricting everyone’s access to ensure you are who you are, and you roam only where allowed.
Zero-trust architecture creates rules to help prevent breaches from within
Most companies today spend most of their time (and budgets) on protecting themselves from cyber threats coming from the outside. We invest in powerful firewalls to secure our perimeter and neglect the idea that fractures to that perimeter can come from within the organization.
Zero trust is the antidote to that thinking – a way of implementing a series of rules for each network device to obey. This is often implemented in through application programming interfaces (APIs), which enables the organization to draw up its own set of rules. These rules must take into account not only the employees but also all the vendors who have access to a company’s data.
“In a typical zero-trust environment, users must sign into the company’s identity provider through some kind of multi-factor authentication method. Once authenticated, organizational policy then explicitly authorizes users’ access only to the data that is crucial for their work. User sessions are monitored for
suspicious or malicious activity – keeping in mind that the users themselves may be the source of such activity. And when detected, the threat response deploys in real-time,” explains Bilheimer.
Zero trust isn’t risk-proof, but it is risk-reducing
In a Gartner report on “How to Build a Zero-Trust Architecture”, the research giant is quick to point out that simply applying zero trust does not make “risk magically disappear.” Rather it’s a way of replacing “blind trust” of everyone to “calculated adaptive trust” instead. With each access granted, a risk associated with that access is calculated. In zero-trust architecture, if the risk is calculated to be less than the value of granting the access, access is granted.
“One of the most important steps to ensure success when implementing a zero-trust architecture is to first define your strategy, process and tools before implementation begins. Companies should also turn to their vendors, evaluating them when it comes to their zero trust capabilities,” adds Bilheimer.
Most organizations will embrace zero trust within the next few years
Gartner predicts that more than 60% of organizations will embrace zero-trust as a “starting place for security by 2025.” Bilheimer agrees, asserting that a security strategy based on protecting the organizational perimeter is an outdated way of protecting the company’s critical data. Cyber-attacks are growing more sophisticated all the time, making it essential to shift the thinking to the data itself by focusing on creating boundaries for where that data travels and who has access to it, at any given time.
“Zero trust is not a buzzword anymore, and it’s not just a strategy for obscure government environments,” says Bilheimer. “The fact is that commercial organizations are leading the charge on zero-trust research and implementation. And if you aren’t planning a zero-trust strategy across your entire supply chain today, you’re likely already at a disadvantage.”
- Meet & collaborate securely
- Secure meetings
- Secure collaboration
- Business continuity