Zero Trust is a key principle in the increasingly boundary-less business world, as opening up the corporate network and IT estate has profound security implications.
E-commerce has been growing steadily for years and is expected to reach 18.1% of retail sales worldwide this year, and 22% by 2023. More significant still, businesses themselves have been moving online steadily.
Spending is predicted to rise to $1.78 trillion in 2022 and $2.3 trillion in 2023. COVID-19 has greatly accelerated this pace of change for 68% of companies, and somewhat for 29%.
This move online has created a whole new set of vulnerabilities that CIOs and CISOs need to come to grips with, and fast. Of particular note is the move to remote working. While it seems likely that initial predictions about remote working becoming the norm were a tad overblown, there are nevertheless clear indications that remote or anywhere / anytime working will remain a prominent feature of a new hybrid work style where possible.
Hybrid is something of a recurring theme of this brave new world because it also describes the IT environment that’s emerging.
The traditional model of the heavily protected corporate network was already breaking down in the wake of the bring-your-own-device revolution, which saw the wholesale adoption of mobile devices to perform work tasks independent of location or office hours, and a massive shift to mobile apps and, more recently, the cloud.
Now, with whole offices and even call centres in essence migrating into a fragmented “structure” of home offices, that model has truly changed.
This fragmentation, or opening up, of the corporate network and IT estate has profound security implications. Cyber security has been a growing challenge for CIOs and CISOs, the exco more generally and the board: crisis is not too strong a word.
Already largely at the mercy of fearsomely well-resourced and motivated crime syndicates, organisations now find themselves even more vulnerable as their “attack surface” has expanded exponentially.
Alongside the well-publicised surge in ransomware attacks, there has been a significant shift towards targeting individuals via various forms of phishing. A particular focus of these attacks is an individual’s credentials, which are then used to access the network where, often over months, the hacker can surreptitiously reconnoitre the IT estate and locate the crown jewels.
Identity is the new perimeter
In other words, the perimeter of the new distributed organisation that must be defended is essentially the identity of each user. It is a significant challenge for those in charge of security, not least because the whole point is that corporate systems must be available to employees from anywhere at any time, but also increasingly to business partners and customers.
What it all boils down to is that identity management of unprecedented sophistication is required to ensure all the identities of users are rigorously authenticated on an ongoing basis, but without negatively affecting the user experience.
A tall order, that’s for sure. To achieve it, the Zero Trust model is increasingly gaining traction. The term was originally coined by Forrester Research and requires that the right people have the right level of access to the resources they need to do their legitimate tasks, and that their access rights are continuously assessed and confirmed. Zero Trust also requires this to be achieved without unnecessarily complicating things for the user community.
Thus, at the core of the Zero Trust model is the management of identity. To manage it, IT departments need granular visibility of, and control over, who needs access to which resources, and how that access changes over the user lifecycle.
Here are the most important and salient characteristics of Zero Trust:
- Is designed with the cloud in mind, and can cope with the complexity of a hybrid IT environment that spans the public and private clouds, as well as on-premises IT assets and a shifting population of users who could literally be anywhere.
- Provides special protection for “privileged accounts” that offer the keys to the kingdom and are thus particular targets for cyber criminals.
- Protects against insider threats as well as those from third parties. Research shows that insider threats have grown by 47% since 2018, while 61% of US companies have experienced a third-party breach. It follows the least-privilege principle to give each user, insider or outsider, access to only the information they need when it’s needed.
- Continuously verifies identities to ensure access isn’t possible unless it’s explicitly granted, and that any access that is granted is always monitored.
- Goes beyond controlling access to recognise patterns, making it able to distinguish real threats from noise, resulting in faster detection and fewer false alarms.
Zero Trust requires the IT department to have complete visibility and control, allowing it to view and manage the organisation’s risk profile from one central location, with changes automatically synchronised and enforced.
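To make the characteristics above concrete, here is an added example (not code from the original article or any particular product) of a minimal per-request access decision that applies them: default deny with explicit grants only (least privilege), time-bounded identity verification, a posture check on the device, a stronger requirement for privileged resources, and an audit record of every decision so that patterns such as repeated denials can be monitored. The user names, resources, grants and the 15-minute re-verification window are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Principal:
    user: str
    auth_time: float        # seconds since epoch when credentials were last verified
    mfa: bool               # strong second factor presented in this session
    device_compliant: bool  # endpoint passed its posture check


# Constructed sample policy: explicit grants only; anything not listed is denied.
GRANTS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("alice", "crm"): frozenset({"read", "write"}),
    ("alice", "payroll-db"): frozenset({"read"}),
    ("bob", "crm"): frozenset({"read"}),
}
PRIVILEGED = frozenset({"payroll-db"})   # "keys to the kingdom" resources
MAX_AUTH_AGE = 900                       # re-verify identity every 15 minutes

AUDIT: List[dict] = []   # every decision is recorded, allowed or not


def authorize(p: Principal, resource: str, action: str, now: float) -> Tuple[bool, str]:
    """Evaluate one request. Returns (allowed, reason) and appends the decision to AUDIT."""
    if now - p.auth_time > MAX_AUTH_AGE:
        verdict = (False, "re-authentication required")        # continuous verification
    elif not p.device_compliant:
        verdict = (False, "device failed posture check")
    elif action not in GRANTS.get((p.user, resource), frozenset()):
        verdict = (False, "no explicit grant")                 # default deny, least privilege
    elif resource in PRIVILEGED and not p.mfa:
        verdict = (False, "MFA required for privileged resource")
    else:
        verdict = (True, "explicit grant, identity and device verified")
    AUDIT.append({"t": now, "user": p.user, "resource": resource,
                  "action": action, "allowed": verdict[0], "reason": verdict[1]})
    return verdict


def denials(user: str, since: float) -> int:
    """Monitoring hook: count denied requests for a user at or after `since`."""
    return sum(1 for e in AUDIT if e["user"] == user and not e["allowed"] and e["t"] >= since)


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    alice = Principal("alice", auth_time=t0, mfa=True, device_compliant=True)
    print(authorize(alice, "crm", "write", t0 + 60))            # allowed
    print(authorize(alice, "payroll-db", "read", t0 + 1000))    # stale identity: denied
```

A real deployment would back GRANTS with a directory or policy service and ship AUDIT to a central log store, but the decision order stays the same: verify identity and device first, then check for an explicit grant, then apply the extra bar for privileged resources.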
In the second article on this topic, I will look at the practicalities of a Zero Trust model, with particular emphasis on user / customer experience.