If awards were given for “Security Phrase of the Year”, surely zero trust would win the top prizes for 2019. The term graced the headlines of countless cyber industry articles, blogs, case studies and PowerPoint presentations, all created by organizations hoping to harness the power of this construct. The excitement is understandable, because it sure seems like zero trust has the ability to fix what's broken with perimeter security.
Vanishing Perimeter Security
To get a clear view of why zero trust is the knight in shining armor for enterprises at risk of cyberattack, we need to understand why the old perimeter security model is no longer effective. It all started with the move to the cloud; before the cloud became “the way we work”, organizations could rely on firewalls and secure web gateways to prevent threats from making their way inside. Then once things were on the inside, they were considered safe, no matter what.
Then came the cloud.
Cloud-based workplaces are highly interconnected. A huge amount of data flows in and out, and a great deal of it simply bypasses older security methods. Moreover, the cloud enables resources to be accessible from every place at any given time, to multiple groups of users, including contractors, partners, and remote employees. And older access solutions don't offer the granular controls needed to provide tailored access to different individuals and user groups.
Zero Trust to Move Forward
This is why zero trust has become such a critical idea. It's the way that, going forward, we can achieve security in modern hyper-connected, cloud-based environments. A zero trust strategy is diametrically opposed to the old perimeter-based notion that what’s inside is good and what’s outside is suspicious. Instead, it stipulates that no one and nothing should be inherently trusted, even activity that originates within our own networks. Instead, it’s based on the “never trust, always verify” model that requires trust to be verified before access is granted.
But here’s the thing; zero trust isn't a technology in-and-of itself. There’s no one “zero trust” tool or technology—it’s a model, an approach, a mindset. And as such, solutions are needed to achieve it. The other important point about zero trust is that it should really be an overarching strategy that covers and protects all potential access points to your data. That being said, deploying the controls across an organization’s IT infrastructure to enforce zero trust security is a significant project, so prioritize some quick win areas in your overall program.
Zero Trust Priorities
There are two areas that are particularly important to remember when it comes to implementing an all-encompassing zero trust strategy. One is your browsers; You (should) know that browsers are one of the top cyberattack vectors. In fact, according to a recent Kaspersky study, 50% of threats enter organizations via web browsers. What’s a zero trust strategy if you're trusting the web, and the browsers that bring it into your business?
Remote Browser Isolation
To keep your browsers from being a risk-laden point of exposure, a Remote Browser Isolation (RBI) solution assumes that all web traffic is potentially dangerous, and none can be inherently trusted. With RBI, all web traffic is rendered in isolated containers that are disposed of at the end of the browsing session or after a predetermined idle period. All the user gets is a safe—yet totally interactive—representation of the content.
So regardless of whether your user reached the malicious site by choosing an infected link in an email or navigating directly to it, any malicious code therein cannot do any harm, no matter how advanced or stealthy it may be. And there’s no impact on user experience; your employees can continue to use the web as they prefer to, free of any threats or dangers.
Software Defined Perimeter
The second, yet sometimes missing link in the zero trust chain is application access. Today, the most common way to gain access to applications is via VPNs. Although they’ve been the way access has been provisioned for years, they weren’t designed with the needs of the modern cloud-based workplace in mind. VPNs don’t allow for granular control and first connect users to the exposed IP address of applications they are trying to access—and then they check whether they should be authorized for further access. This “access, then authenticate” model exposes organizations to attacks and breaches.
The Software Defined Perimeter (SDP) is a semi-new idea developed by the Cloud Security Alliance, with the intent of creating an access framework based on “authenticate-first, access-second” and “need-to-know” philosophies. It’s helping organizations vastly reduce exposure to attacks by granularly locking down application access.
SDP solutions create secure point-to-point application-level connections from all devices to any applications. They enable granular policy enforcement to ensure that only the right people and assets can access the exact right resources. With SDP, you can lower risk with granular access policies that allow organizations to control—down to the individual resource level—what communications are permitted between different access points on the network. This ensures that attackers are unable to enter your enterprise infrastructure in the cloud, on-prem or hybrid environments. More than that, it restricts their movement inside networks so that if there is a breach, they cannot get to critical assets.
Moreover, access provisioned via SDP is totally seamless and frictionless so there’s no change to your users. In this light, it’s not hard to see why SDPs are becoming the face of zero trust access.
Enabling Opportunities with Zero Trust
The modern working environment has created so many new opportunities for organizations to share data and drive innovation. But along with these new prospects comes new risk. A comprehensive zero trust strategy allows organizations to benefit from the opportunities while effectively addressing the gaps created.
By David Canellos