The use of cloud applications and cloud-based storage has become so popular that organizations are being compelled to redefine and update their security and access strategy to protect their globally distributed digital assets from cyber attacks. The financial impact of a data breach can run into the billions, and the irreversible long-term damage of such breaches is keeping people up at night.
Two main factors define today’s security challenges:
- There’s widespread recognition that in a post-walled-garden world, perimeter defenses (like Firewalls and VPNs) are insufficient.
- Network access, as we know, can be used for various ends, and the traditional “trust but verify” philosophy is no longer applicable.
Unsurprisingly, in 2018 many organizations finally started to seriously evaluate John Kindervag’s Zero Trust security model. The approach eliminates the idea of a trusted network and acknowledges that organizations can no longer automatically trust users inside the perimeter while distrusting users outside of it; it calls for every communications request to be evaluated fully before being approved.
Zero Trust evangelist Dr. Chase Cunningham claims that, at a minimum, companies need to implement “granular controls, managed access, protecting the data that matters, leveraging encryption, and having a means to do something within the infrastructure as-needed.”
2018 is the year enterprises ultimately accepted the death of the perimeter, and they are now looking to Zero Trust as the right way to protect corporate resources.
This is why Zero Trust is the trend of the year
Pretty much everyone is talking about it.
Technology providers from every vertical saw the writing on the wall, developing solutions for every aspect of the architecture. And no surprises on this one – they’re all talking about why their solution is critical to Zero Trust:
- Identity providers (IdPs) are talking about Zero Trust because they understand that identity, roles, and defining attributes are at the foundation of Zero Trust, determining who has access to which resources.
- Multi-factor authentication vendors are talking about Zero Trust because they know that strong identity management and verification of identity are the foundation of Zero Trust – and that they are far more secure than traditional logins for ensuring that users are who they say they are.
- Access vendors are adopting Zero Trust because they believe that this is the only means of providing secure access to corporate resources.
- Endpoint security vendors are also talking about Zero Trust. They understand the importance of maintaining a sound security posture with the increasing number of devices connecting to the company’s network resources. Corporate resources won’t be protected if an authenticated and authorized user connects to your network with a laptop or smartphone infected with malware.
- Mobile vendors are embracing Zero Trust in order to secure devices as the workforce becomes increasingly remote and adoption of BYOD soars.
Organizations are putting Zero Trust on the agenda.
Only a year ago, mentioning the term “Zero Trust” would often result in blank expressions. Few had heard about it and most weren’t particularly interested in learning more. C-level executives believed that protecting modern hybrid networks was not that different from protecting the traditional 15-year-old networks. After all, they had firewalls, VPNs, intrusion prevention systems and anti-malware solutions – what more did they possibly need?
But over time, security teams sat up and paid attention, with many now acknowledging that Zero Trust is the most effective way to protect access to corporate resources. Many are fully on board, and either have already started implementing it or are putting it on next year’s agenda.
They are looking back at what John Kindervag proposed, saying that “...trust is the root cause of all data breaches and most other negative cybersecurity events; we don’t need trust in digital systems when the only beneficiaries of it are attackers.”
Bottom line: more and more organizations realize that the old paradigms are just not working when it comes to protecting an evolving organizational IT infrastructure.
Analysts are on board promoting Zero Trust too.
We also can’t discount the role of industry analysts; the industry is finally catching up to what they are saying.
For example, analysts at @Gartner_ic (who promote CARTA), as well as industry experts like Chase Cunningham (@CynjaChaseC) (who published the Zero Trust eXtended (ZTX) @Forrester research report), have all had a huge impact.
And it is not just a big players’ game. Boutique analysis and advisory firms, like @451Research, are also promoting Zero Trust: “There are potentially many moving parts to a full zero-trust implementation, but one main benefit is to provide access to applications (and other resources) without exposing them to the public internet, which in turn should help greatly reduce an organization's attack surface.”
Jumping on the Zero Trust Train
The proliferation of cloud-based computing means that Zero Trust is the most viable option. Its “trust no one” philosophy – verifying every user and every device on every access attempt – significantly reduces the risk of a data breach. All companies that are serious about tackling modern cybersecurity challenges should consider adopting a Zero Trust approach.
If you haven’t learned about Zero Trust, looked into CARTA, read the ZTX report, or even evaluated the cybersecurity solutions on the market today in the context of Zero Trust, then you are seriously behind the curve.
As 2018 comes to an end, do you have a strong handle on your organization’s cybersecurity posture? Are your distributed systems, applications, and data protected enough to prevent catastrophic data breaches? What tactics will you use to protect your company’s digital assets in a global environment?
Whatever you decide, you shouldn’t be making your 2019 New Year’s plans without Zero Trust in mind.