Danna Bethlehem, director, product marketing, access management at Thales, tells Anita Joseph, editor, Reseller ME, why organisations should increasingly be looking at Zero–Trust as a holistic security approach that wants to save their enterprise.
The rapid acceleration of digital transformation and remote working brought on by Covid-19, together with the proliferation of disruptive technologies, have made traditional boundaries of corporate networks disappear. Businesses no longer have sole control over a closed network, as the pandemic has shifted people from offices into dispersed environments.
As a result, organisations have had to increase their reliance on cloud platforms. Many are combining different methods across public, private, hybrid cloud, and on-premises solutions. This has made multicloud, in one form or another, an increasingly essential part of everyday operations for many businesses.
These rapidly changing and fragile ecosystems represent a real security challenge for businesses, as threat actors look to expose the vulnerabilities of distributed workforces operating in remote environments. Legacy security policies and practices based on trust have now been rendered obsolete. Organisations should increasingly be looking at adopting a Zero Trust approach to their security operations.
Nothing is trustworthy
Now more than ever, the ability to access data from any location and on any device is a top priority for enterprises. However, using a traditional castle-and-moat security concept, people are unidentifiable and trusted once inside corporate networks – with the power to access sensitive data. Too many networks and applications currently run on an “assumed trust” system, which can be taken advantage of by hackers with disastrous consequences.
A Zero Trust model is based on the tenet “Never Trust, Always Verify” and views trust as a vulnerability – any user or device looking to access confidential data cannot and should not be trusted by default. Zero Trust is not a specific technology, rather a strategic, initiative-based security system that requires strict and continuous identity verification and control of data in the cloud to minimise trust zones.
With more companies now making the move to the cloud alongside the shift to homeworking, organisations are going to be exposed to new threats that go beyond their current or previous security strategies. Zero Trust helps businesses to maintain a high level of security remotely, without the need for a physical location to authenticate access. Allowing organisations to grow securely in the cloud and adapt to the remote and dispersed environments in which we now operate.
This precedent also goes beyond individual organisations; the impacts can be felt far wider. Recent high profile cyber-attacks, such as the Colonial Pipeline cyber-attack, have reaffirmed the lack of resilience to security threats many industries still face. This incident was a strong reminder of the potential benefits of Zero Trust in mitigating the effects of ransomware, as the entry point was a legacy VPN. With Zero Trust it might have been possible to stop the attackers navigating inside the network, whereas with a VPN once attackers are ‘through the door’ they’re already in a very strong position.
Zero Trust, multiple barriers
Accomplishing the principle surrounding Zero Trust is not without its challenges. Businesses will have to evolve their previously established perimeter security policies into location-agnostic ones. A
significant challenge to achieving Zero Trust is finding solutions that cover identities and data end-to-end. SafeNet Trusted Access, Thales’s cloud-based access management and authentication service, is a strong starting point for effective Zero Trust security implementation. Enforcing access decisions dynamically at the application access point, irrespective of where the user resides and the device they are using.
Another core barrier businesses face when starting their Zero Trust journey, is the balance between locking down access without interrupting workflow. People require access to sensitive data in order to work and collaborate and businesses leaders will need to ensure that a drop in productivity doesn’t become an unwanted side effect. To combat this, organisations need to by start identifying the most sensitive data and critical touchpoints. Those can be subjected to stricter access controls, such as multifactor authentication, without widespread disruption.
However, the biggest challenges for businesses is understanding that achieving Zero Trust is an ongoing journey that has multiple steps. Though there are some foundational technology capabilities that are a must, organisations tend to equate Zero Trust to implementing a single capability. There is no ‘silver-bullet’ when it comes to achieving a Zero Trust security model. Individual enterprises will need to adapt their strategies based on their specific businesses needs and constraints. Choosing the appropriate strategies and technologies that match the specific needs of their business.
An ongoing collaboration
Businesses are navigating a volatile and complex world and adopting a Zero Trust model of cybersecurity will enable them to continue to conduct operations safely amidst the uncertainty. However, it must be understood that a Zero Trust model is only achieved through shared understanding and a collaborative approach at every level of business.
As home working will likely remain the dominant method for most business in the foreseeable future, the Zero Trust model must be established as a company mindset and not just a framework. This includes sparking conversation with employees about the purposes and benefits of this security concept and providing leadership support. Business leaders and decision makers must specifically outline priorities and set measurable goals related to the Zero Trust model, in order to achieve success.