Zero Trust is now a well-known, but often misunderstood, cybersecurity approach to defend against identity-based intrusions. The thinking behind the approach is that threat actors will inevitably make their way into an organisation’s environment, and therefore, defences must be built with that idea in mind.
It’s worth noting that despite what some might believe, Zero Trust is not one product or platform. It is a security framework built around the concept of “never trust, always verify” and “assuming breach.” There is no single security solution, platform, or widget which automatically delivers on the promise of Zero Trust. These solutions, platforms and widgets all come together to enable Zero Trust; they are not Zero Trust itself.
Events over the past 12 months have significantly – and permanently – changed the way we work. As businesses moved rapidly to accelerate their digital transformation, and deploy remote work programs to “keep the lights on”, security considerations sometimes took a backseat.
A new report underlines the seriousness of this situation. The Veritas Hidden Threat of Business Collaboration Report surveyed 12,500 office workers across ten countries. The findings revealed that employees are exposing companies to risk by taking data out of the control of the businesses that employ them. In the homeworking / hybrid environment in which we now find ourselves, this was always going to be inevitable.
The net result today for many organisations is that their endpoint and IoT devices are at serious risk from malware, insecure network access and our old and regularly-deployed friend, compromised credentials. The 2020 Zero Trust Endpoint and IoT Security report from Pulse Secure explored how enterprises are advancing Zero Trust endpoint and IoT security capabilities within their individual organisations. It found that 72% of organisations experienced an increase to significant increase in endpoint and IoT security due to workforce mobility and remote workplace flexibility.
The key tenets of a Zero Trust strategy are:
- Validation – of users and their devices’ security posture
- Control – of access through granular policy enforcement
- Protecting and encrypting data transactions
Endpoint & Network Security Combined
As security technologies have advanced, the volume of data to secure has grown immensely. In today’s highly mobile world, data moves with endpoints, making them attractive targets for cyberattacks. As a result, security policy must move with users and data and should not be tied to a particular location. In addition, these policies must be constantly reviewed and adjusted to keep pace with the continual (and growing) addition of unmanaged devices coming onto an organisation’s network.
Just as endpoint security products secure and collect data on the activity that occurs on endpoints, network security products do the same for networks. To effectively combat advanced threats, both need to work together. An integrated approach that combines endpoint and network security is the only way to achieve end-to-end protection across your entire security architecture.
Addressing IoT Devices
The exponential growth of the Internet of Things has added another dimension to an organisation’s ability to protect against a cyber attack. The recent Pulse Secure study also showed that 56% of IT teams surveyed believed that there is a moderate to extreme likelihood that their firm would be compromised by a successful attack that originated from an endpoint or IoT device. The fact is that these connected devices are different from laptops, servers or traditional IP-based machines. They aren’t necessarily ‘owned’ by IT. They usually use different types of services and they communicate differently on the network. These attributes come together to create a perfect storm of potential cyber abuse. What’s needed with the growing number of connected things is the ability to lock down those systems against both intentional and unintentional threats.
Let’s Not Forget The UX
Historically, the user experience has often played second fiddle to IT security. It doesn’t have to be this way. The Zero Trust approach means it is possible to enforce policy compliance by employees, guests and contractors regardless of location, device type, or device ownership. Users enjoy greater productivity and the freedom to work anywhere without sacrificing access to authorised network resources and applications. IT can mitigate malware, data loss and IoT risks. And IT is empowered to optimise its resources and enable digital transformation across the enterprise.
The stark reality for all organisations today is that being targeted by cyber criminals is almost inevitable. No organisation is immune. In today’s perimeterless, remote world, the key to mitigating the risk of a cyber attack is to reduce the threat surface as far as possible, and ensure visibility and awareness of when, where, and how devices are connecting. The golden rule in security is that all users should be given only the minimal, least-privileged access required for them to do their job function. That’s Zero Trust.