As a product manager, I frequently have the opportunity to talk about pressing cybersecurity needs with infosec leaders from around the world. And they all want to hear about zero trust security. This interest — and even demand — is increasing, so I’ve had ample opportunity to explain why a zero trust approach is the right cybersecurity solution now and for the foreseeable future.
Here are the top 10 reasons that security professionals must implement a zero trust strategy to improve their security postures.
The Top 10 Reasons to Implement a Zero Trust Strategy
1. The Evolving Enterprise
The way enterprises are conducting business and using digital technologies is evolving constantly — and at an ever-quickening pace. These digital transformations are making traditional perimeter-based cybersecurity models ineffective and irrelevant because perimeters no longer define the scope of security enforcement. Only zero trust security takes a micro-level approach to authenticating and approving access requests at every point within a network. The concept of least privilege means that nobody gets carte blanche access to the entire system. Instead, each request must be continuously monitored and verified to gain access to different parts of the network. If a breach does occur, micro-segmentation will prevent East-West movement and minimize the damage that could be caused by a threat actor.
2. Cloud Data Centers
As critical applications and workloads move from corporate-owned data centers to the public cloud, these changes call into question all the legacy assumptions of trust around people and data center security tools, technologies, processes, and skills. This new cloud environment requires a shared responsibility model, where certain security aspects are provided by the cloud vendor and others fall on the enterprise. The underlying assumption of trust in the infrastructure is no longer the same, but a zero trust approach can span this shared cybersecurity responsibility. In the zero trust approach, security controls are deployed with the assumption that the network is already compromised.
3. Third-Party SaaS and PaaS Applications
Applications now are more likely to be offered as Software-as-a-Service (SaaS) or even Platform-as-a-Service (PaaS). Software OEMs develop applications by consuming readily available services — for authentication, logging, database, machine learning, and so forth. They own the core business logic, but have little ownership of the software components used to build the applications. That means application developers can no longer have blind trust in their “own” applications.
4. The Internet Network
Applications and workloads have moved to the cloud, and users access them remotely. This means that the network is no longer a secured enterprise network, but rather the unsecured Internet. The network perimeter security and visibility solutions employed by most businesses to keep attackers out are no longer practical or robust enough. The concept of implicit trust should no longer exist. Zero trust employs least-privilege and “always-verify” principles, offering complete visibility within the network, whether in data centers or the cloud.
5. The Expanding Workforce
The way enterprises conduct their critical business and the people they rely on to perform key functions have changed. Network users are no longer just employees and customers. Many users who access a business’s applications and infrastructure may not be employees; they could be vendors servicing a system, suppliers, or partners. None of these non-employees need, nor should have, access to all applications, infrastructure, or business data. Even employees perform specialized functions and therefore do not need complete network access. A well-executed zero trust strategy allows authenticated access based on key dimensions of trust. This enables businesses to more precisely control access, even to those with elevated privileges.
6. The New Normal of Work from Home
In the pre-COVID era, remote work was not uncommon. However, now that WFH has become the new normal during the pandemic, security technologies and processes based purely on established geographic locations — such as a company’s headquarters — are no longer relevant. With a remote workforce, the possibility of unsecured Wi-Fi networks and devices increases security risks exponentially. Businesses must assume their employees’ work-from-home setups and environments are not as secure as the office. Their PlayStation and Xbox may not be patched with the latest updates. Their Wi-Fi router isn’t configured for WPA2. Their IoT devices, like the baby monitor or the smart thermostat, are running a hodge-podge of security protocols, if any at all. Without an overarching system like a zero trust framework, whether employees are working in a secure environment can no longer be verified — or controlled.
7. The Shift from Work Devices to BYOD
Under the WFH new normal, the devices that workers use are less likely to be ones assigned by their employer. Employer-owned laptops and phones are traditionally managed, patched, or kept up to date with security tools and policies. However, with everyone working remotely, employees may forget basic cyber hygiene skills and start to use their own devices to access work networks or apps. Or, they could be using their work laptops to shop online between Zoom calls. Even if zero trust security can’t force employees working at home to use work devices only for work, it can control the potential for a security breach because of the fundamental “trust nobody; verify everything” rule that enforces access controls at every point within the network.
8. The Ubiquity of Cyberattacks
Cyberattacks continue to proliferate every year, and no sector seems to be immune. During COVID-19, hackers have focused on the healthcare and retail verticals for pandemic-related reasons. Over-burdened hospitals struggling with an onslaught of patients and pharmaceutical research labs racing to develop a vaccine have been ideal targets for cyberattacks because the stakes are so high and they are willing to pay vast ransoms to ensure business continuity. Cybercriminals have targeted online retailers benefiting from increased e-commerce demands during shelter-in-place. They’ve also attacked financial institutions and even transportation service providers. With zero trust architecture in place, these businesses could build a better security posture and be cyber resilient, making them less vulnerable to initial security breaches as well as enabling them to contain and mitigate financial or reputational damage to a large degree.
9. The Evolution of Targeted Advanced Persistent Threats (APTs)
In the early 2000s, cybercriminals would launch cyberattacks simply to expose the security vulnerabilities of well-known websites. But today cyberattacks are big business. The potential financial gains from deploying ransomware or stealing intellectual property are high. In order to maximize their earnings, hackers and the tools and tactics they use are becoming more advanced. Today’s cyberthreats are no longer simple phishing scams, although those still exist. Cybercrime is now highly organized, perpetrated by nation states, sophisticated international crime rings, and ransomware groups. These bad actors are advanced enough to easily bypass traditional perimeter security, deploy APTs, and stealthily move about until they accomplish their goal of stealing information or disrupting systems that have not implemented micro-segmentation or a zero trust model. These contemporary cyberattacks could have national, societal, physical, and financial repercussions.
10. Higher Security Stakes
Instead of deploying DDoS attacks to disrupt businesses, cybercriminals are starting to play an almost elegant long game. Cyberattacks have evolved to target user data, customer data, financial data, and core business knowledge, such as IP and proprietary functions — essentially anything that could be valuable. Core government systems, weapons, nuclear power plants, and even elections are at risk. Because the stakes are so high, at every level of society and government, robust and resilient cybersecurity strategies are of paramount importance. Whether implemented by a multinational enterprise or a government agency, the zero trust framework will improve cybersecurity posture and increase cyber resilience, enabling containment in the unlikely event of a breach.
Zero Trust: Concluding Remarks
The future of cybersecurity is here, right now. And it is the zero trust security model. The perimeter-based, reactive methods that are the foundation of old, traditional security need to become relics of the past. Businesses and governments must be proactive and adopt zero trust now in order to confidently provide a cyber secure future to their customers, partners, employees, and citizens. The world is transforming at a pace where security gaps could be catastrophic. It’s time to make security a priority to protect, detect, and mitigate modern-day threats. Only a new-gen zero trust security framework offers network visibility and constant monitoring that allows trust to be dynamic and context-based, by verifying every access request and authorizing access only if certain parameters are met.
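The per-request verification described above (least privilege in reason 1, context-based trust in reason 5, device posture in reason 7, and the closing "verify every access request" rule) as an added illustration, not ColorTokens code; the segment names, policy table and request fields are assumptions:

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Request:
    """Context attached to one access request (field names are assumptions)."""
    user: str
    role: str             # "employee" or "vendor"
    mfa_verified: bool    # identity verified for this request, not a cached session
    device_managed: bool  # employer-managed device vs BYOD
    device_patched: bool  # current patch level reported by the device
    source_segment: str   # "remote" or the network segment the request comes from
    target_segment: str   # segment hosting the requested resource
    action: str           # "read" or "write"

# Constructed per-segment policy: permitted roles and actions, and whether a
# managed, patched device is required. Segments not listed here are unreachable.
POLICY: Dict[str, dict] = {
    "app-frontend": {"roles": {"employee", "vendor"}, "actions": {"read"}, "managed": False},
    "billing-db":   {"roles": {"employee"}, "actions": {"read", "write"}, "managed": True},
    "vendor-hvac":  {"roles": {"vendor"}, "actions": {"read", "write"}, "managed": False},
}

# Micro-segmentation: the only East-West paths allowed between internal segments.
ALLOWED_PATHS: Set[Tuple[str, str]] = {("app-frontend", "billing-db")}

def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one request from scratch. Default is deny; nothing is inherited
    from an earlier request or from where inside the network the request originates."""
    rule = POLICY.get(req.target_segment)
    if rule is None:
        return False, "unknown segment"
    if not req.mfa_verified:
        return False, "identity not verified"
    if req.role not in rule["roles"]:
        return False, "role not permitted on segment"
    if req.action not in rule["actions"]:
        return False, "action exceeds least privilege"
    if rule["managed"] and not (req.device_managed and req.device_patched):
        return False, "device posture insufficient"
    internal = req.source_segment != "remote"
    if internal and req.source_segment != req.target_segment \
            and (req.source_segment, req.target_segment) not in ALLOWED_PATHS:
        return False, "East-West path blocked by micro-segmentation"
    return True, "allowed"

if __name__ == "__main__":
    # A host already inside the vendor segment tries to reach the billing database.
    lateral = Request("svc", "employee", True, True, True, "vendor-hvac", "billing-db", "read")
    print(decide(lateral))  # -> (False, 'East-West path blocked by micro-segmentation')
```

Each check is re-run on every request, so a valid identity on an unpatched BYOD laptop, or a valid host in the wrong segment, is refused rather than inheriting trust from the network it sits on.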
About the Author: Satyam Tyagi is the Senior Director of Product Management at ColorTokens. He is an industry thought leader in security and networking, responsible for significant advances in endpoint, mobile, and application security. He has been awarded four patents in application security and networking, including products sold by Cisco and Avaya.