As a product manager, I frequently talk about pressing cybersecurity needs with infosec leaders from around the world. And they all want to hear about zero trust security. This interest — and demand — is increasing. I’ve often explained why a zero trust architecture is the right cybersecurity solution for enterprise security now and in the foreseeable future.
Here are the top 10 reasons why security leaders must implement a zero trust strategy to improve their organizations' security posture.
The Top 10 Reasons to Implement a Zero Trust Strategy
- Perimeter-Based Security is Ineffective in the Evolving Enterprise
- Cloud Data Centers Require Shared Security Responsibility
- Third-Party SaaS and PaaS Applications Can’t Be Trusted Blindly
- The Internet Is an Untrusted Network
- Everyone in the Expanding Workforce Shouldn’t Have All-Access
- You Cannot Verify the Security Status of All WFH Environments
- BYOD is Not as Secure as Work Devices
- Cyberattacks Are Increasing
- Advanced Persistent Threats (APTs) Are Becoming More Sophisticated
- The Security Stakes Are Higher
1. Perimeter-Based Security is Ineffective in the Evolving Enterprise
The way enterprises conduct business and use digital technologies is changing constantly, and at an ever-quickening pace. This digital transformation makes traditional perimeter-based security models ineffective, because the network perimeter no longer defines where security must be enforced: users, devices, and workloads now sit on both sides of it.
Zero trust takes a fine-grained approach, authenticating and authorizing every access request at every point within the network rather than once at the edge. Least privilege means that nobody gets unrestricted access to the entire system; each request is checked against identity, device, and context, and that check is repeated continuously rather than granted once per session. If a breach does occur, micro-segmentation blocks lateral (east-west) movement between workloads and limits the damage a threat actor can do from the foothold they already have.
2. Cloud Data Centers Require Shared Security Responsibility
Critical applications and workloads are moving from corporate-owned data centers to public or hybrid clouds. Security leaders therefore need to revisit the legacy assumptions of trust in the people, tools, technologies, processes, and skills that secured the data center.
The cloud operates under a shared responsibility model: the provider secures the underlying infrastructure, while the customer remains responsible for identity, access control, workload configuration, and data. The implicit trust that came with owning the infrastructure is gone. A zero trust model fits the customer's side of that split, because it governs who and what may reach each workload regardless of whose infrastructure it runs on.
3. Third-Party SaaS and PaaS Applications Can’t Be Trusted Blindly
Applications are now more likely to be delivered as Software-as-a-Service (SaaS) or built on Platform-as-a-Service (PaaS). Software vendors assemble applications from readily available services for authentication, logging, databases, machine learning, and more. They own the business logic but have little ownership of, or visibility into, the components the application is built from. Application developers can therefore no longer blindly trust even their "own" applications.
In the zero trust approach, security controls are deployed on the assumption that the network, or a component within it, is already compromised. Only explicitly authorized processes and applications are allowed to execute, and every access to data requires authentication and authorization.
4. The Internet Is an Untrusted Network
Applications and workloads have moved to the cloud, and users reach them remotely. The network between user and application is no longer a secured enterprise network; it is the public Internet. The perimeter security and visibility tools most businesses rely on to keep attackers out cannot see or control that path, and implicit trust based on being "inside" the network no longer means anything.
Zero trust applies least-privilege and always-verify principles to every connection, and gives visibility into traffic between workloads, whether in data centers or the cloud.
5. Everyone in the Expanding Workforce Shouldn’t Have All-Access
The way enterprises conduct their critical business and the people they rely on to perform key functions have changed. Network users are no longer just employees and customers. Many users who access a business’s applications and infrastructure could be vendors servicing a system, suppliers, or partners.
None of these non-employees need, or should have, access to all applications, infrastructure, or business data. Even employees perform specialized functions and therefore do not need complete network access. A well-executed zero trust strategy grants access based on who the requester is, what device they are on, where the request comes from, and what they need to do. This lets businesses control access precisely, including for accounts with elevated privileges.
6. You Cannot Verify the Security Status of All WFH Environments
Remote work was not uncommon before COVID-19. Now that working from home has become the norm, security technologies and processes tied to fixed locations such as a company's headquarters are no longer sufficient. With a remote workforce, unsecured home Wi-Fi networks and consumer devices substantially increase the attack surface.
Businesses must assume their employees' home setups are less secure than the office. The Wi-Fi router may not be configured for WPA2. IoT devices such as baby monitors and smart thermostats on the same network run a hodgepodge of security protocols, if any at all. Without a framework like zero trust that verifies the user and the device on every request, whether an employee is working from a secure environment can neither be verified nor controlled.
7. BYOD is Not as Secure as Work Devices
Under the new normal of working from home, the devices workers use are less likely to be employer-issued. Employer-owned laptops and phones are managed, patched, and kept current with security tools and policies. With everyone remote, employees may lapse in basic cyber hygiene and use personal devices to reach work networks or apps, or use their work laptops to shop online between video calls.
Zero trust cannot force employees at home to use work devices only for work, but it can limit the impact of a compromised device. The "trust nobody; verify everything" rule means device posture is evaluated on every access decision, so an unmanaged or unhealthy device can be refused access to sensitive resources rather than being waved through because it presents valid credentials.
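As an added illustration (this is not code from the original post or from ColorTokens), the following Python policy decision point puts the dimensions from sections 1, 5 and 7 into a single default-deny evaluation: the requester's role, whether MFA was completed, whether the device is corporate-managed, which segment the request originates from, and the action requested. It also checks workload-to-workload flows against a segment allow list, which is the micro-segmentation check that stops lateral movement. Every identity, resource, segment and port below is constructed for the example; a real deployment would take these from an identity provider, an endpoint management system, and the segmentation controller.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Request:
    """One access request as seen by the policy decision point."""
    subject: str          # identity, already authenticated by the IdP
    role: str             # e.g. "employee", "hr", "vendor"
    mfa: bool             # strong authentication completed this session
    device_managed: bool  # corporate-managed endpoint (False for BYOD)
    src_segment: str      # network segment the request arrives from
    resource: str         # target application or workload
    action: str           # "read", "write" or "admin"


@dataclass(frozen=True)
class Rule:
    """Explicit allow rule for one resource; anything unmatched is denied."""
    roles: FrozenSet[str]
    actions: FrozenSet[str]
    src_segments: FrozenSet[str]
    require_mfa: bool = True
    require_managed: bool = True


# Hypothetical resources and rules, constructed for this example.
POLICY: Dict[str, Rule] = {
    "hr-db": Rule(frozenset({"hr"}), frozenset({"read", "write"}),
                  frozenset({"corp-apps"})),
    # Ticketing is low-sensitivity: vendors may use it and BYOD is tolerated.
    "ticketing": Rule(frozenset({"employee", "hr", "vendor"}),
                      frozenset({"read", "write"}),
                      frozenset({"corp-apps", "remote-users"}),
                      require_managed=False),
    # The HVAC vendor gets its controller, and nothing else.
    "hvac-controller": Rule(frozenset({"vendor"}), frozenset({"read", "admin"}),
                            frozenset({"ot-maintenance"})),
}

# Workload-to-workload (east-west) allow list: (src, dst) -> permitted ports.
# There is deliberately no entry from web-tier straight to db-tier.
SEGMENT_FLOWS: Dict[Tuple[str, str], Set[int]] = {
    ("web-tier", "app-tier"): {443},
    ("app-tier", "db-tier"): {5432},
}


def decide(req: Request) -> Tuple[bool, str]:
    """Default-deny evaluation of a user or service request.

    Every dimension (identity, action, posture, origin) must pass; the first
    failing check is named so the denial can be logged and investigated.
    """
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, f"no policy for resource {req.resource!r}"
    if req.role not in rule.roles:
        return False, f"role {req.role!r} not permitted on {req.resource!r}"
    if req.action not in rule.actions:
        return False, f"action {req.action!r} not permitted on {req.resource!r}"
    if rule.require_mfa and not req.mfa:
        return False, "MFA required"
    if rule.require_managed and not req.device_managed:
        return False, "managed device required"
    if req.src_segment not in rule.src_segments:
        return False, f"segment {req.src_segment!r} may not reach {req.resource!r}"
    return True, "allowed"


def flow_allowed(src: str, dst: str, port: int) -> bool:
    """Micro-segmentation check for east-west traffic; unlisted flows are dropped."""
    return port in SEGMENT_FLOWS.get((src, dst), set())


if __name__ == "__main__":
    hr_user = Request("alice", "hr", True, True, "corp-apps", "hr-db", "read")
    byod_hr = Request("alice", "hr", True, False, "remote-users", "hr-db", "read")
    vendor = Request("acme-tech", "vendor", True, True, "ot-maintenance", "hr-db", "read")
    for r in (hr_user, byod_hr, vendor):
        print(r.subject, "->", r.resource, decide(r))
    # A compromised web server cannot open a direct path to the database tier.
    print("web-tier -> db-tier:5432", flow_allowed("web-tier", "db-tier", 5432))
```

The same identity (alice) is allowed from a managed device on the corporate segment and refused from her personal laptop, which is the BYOD point of section 7; the vendor account is confined to the controller it services, which is the point of section 5; and a web server that is already compromised still cannot reach the database directly, which is the east-west containment of section 1. The order of checks is a design choice: cheap identity checks run before posture checks, and each denial reason is specific enough to feed a SIEM.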
8. Cyberattacks Are Increasing
Cyberattacks continue to proliferate every year, and no sector seems to be immune. During COVID-19, attackers focused on the healthcare and retail verticals for pandemic-related reasons. Over-burdened hospitals struggling with an onslaught of patients and pharmaceutical research labs racing to develop a vaccine have been ideal targets, and hospitals under that pressure have been willing to pay large ransoms to restore operations. Cybercriminals have also targeted online retailers that benefited from increased e-commerce demand during shelter-in-place, as well as financial institutions and even transportation providers.
With zero trust architecture in place, these businesses could build a better security posture and become cyber resilient. Then they will be less vulnerable to security breaches and would be better equipped to contain and mitigate financial or reputational damage.
9. Advanced Persistent Threats (APTs) Are Becoming More Sophisticated
In the early 2000s, cybercriminals would launch cyberattacks simply to expose the security vulnerabilities of well-known websites. But today cyberattacks are big business. The potential financial gains from deploying ransomware or stealing intellectual property are high. To maximize their earnings, hackers and the tools and tactics they use are becoming more advanced. Today’s cyberthreats are no longer simple phishing scams, although those still exist. These contemporary cyberattacks could have national, societal, physical, and financial repercussions.
Cybercrime is now highly organized and is perpetrated by nation-states, international crime rings, and ransomware groups. These actors routinely bypass traditional perimeter security. Once inside, they operate as advanced persistent threats, moving laterally and quietly until they have stolen the data or disrupted the systems they came for. Networks without micro-segmentation or a zero trust model give them free rein once a single foothold is established.
10. The Security Stakes Are Higher
Instead of deploying DDoS attacks to disrupt businesses, cybercriminals are starting to play an almost elegant long game. Cyberattacks have evolved to target user data, customer data, financial data, and core business knowledge, such as IP and proprietary functions — essentially anything that could be valuable. Core government systems, weapons, nuclear power plants, and even elections are at risk. Because the stakes are so high, at every level of society and government, robust and resilient cybersecurity strategies are of paramount importance.
Whether implemented by a multinational enterprise or a government agency, a zero trust framework improves cybersecurity posture and increases cyber resilience, enabling containment when a breach does occur.
Zero Trust: The Solution to Enterprise Security Challenges
The future of cybersecurity is here, right now. And it is the zero trust security model. The perimeter-based, reactive methods that acted as the foundation of old, traditional security need to become relics of the past. Businesses and governments must be proactive and adopt zero trust now to confidently provide a cyber-secure future to their customers, partners, employees, and citizens.
It's time to make security a priority to protect against, detect, and mitigate modern-day threats. A zero trust framework offers the network visibility and continuous monitoring that let trust be dynamic and context-based: every access request is verified, and access is authorized only while the required conditions on identity, device, and context are met.
The ColorTokens Xtended ZeroTrust™ Platform is a cloud-delivered, software-defined platform that secures critical assets, including applications, endpoints, and workloads. The platform both simplifies and accelerates the enterprise journey to hybrid environments and full cloud adoption.
About the Author: Satyam Tyagi is the Senior Director of Product Management at ColorTokens. He is an industry thought leader in security and networking, and is responsible for significant advances in endpoint, mobile, and application security. He has been awarded four patents in application security and networking, including products sold by Cisco and Avaya.