The Internet Age has changed so much of how we live and work. We have become accustomed to buying goods online with a few clicks and having them delivered overnight, and our work lives have become faster, more flexible, and more mobile. And yet, many businesses still adhere to the ancient “castle and moat” approach of securing their digital business and workforce. It’s high time to bring security architecture into the modern age, and zero trust is designed to enable exactly that.
The (pre-existing) trend toward a more distributed, mobile way of working has been supercharged by the global pandemic. Employees are seeking new approaches that optimize their work-life balance while giving businesses the flexibility required for agile workflows.
This shift comes with security challenges. Employees now frequently work outside the traditional security perimeter and use their own devices and a growing number of cloud services instead of – or in addition to – traditional, centrally managed devices and on-premises business applications. This heterogeneous environment makes it increasingly difficult to achieve the level of control required to keep business processes adequately secured.
A new security architecture is required. That’s why the zero-trust approach is so hotly debated these days. Zero trust doesn’t mean that businesses no longer trust their employees. Rather, it means that they cannot, and should not, have blind faith in the technological context from which employees are accessing sensitive resources.
After all, it is now a likely scenario that employees work with business applications and company data using their own devices and a potentially untrusted network connection like a Wi-Fi home network or public Wi-Fi hot spot. And that’s why a zero-trust environment is based on the following concept: “Never trust, always verify.”
To achieve this, modern security software, aided by artificial intelligence and continuous monitoring, constantly evaluates user (or rather: user account) and endpoint behavior for any indicators of unusual activity that might hint at a security compromise. Not all zero-trust environments are the same, though. In a startup that operates fully based on SaaS, it might be enough to apply the zero-trust concept to SaaS services and endpoint devices.
Most enterprise IT environments, however, are more complex than this: they tend to contain a wide variety of on-premises or even internally developed custom applications, along with legacy VPN technology and a wide array of desktop and mobile devices. Accordingly, the zero-trust approach needs to be carefully planned and adapted to the individual IT environment.
The first step toward a zero-trust environment consists of establishing a zero-trust network architecture that covers all aspects of users interacting with corporate internal and cloud-based IT resources, wherever the users or the resources might be located.
This requires an evaluation of the context of user access, combined with the creation of risk profiles. Based on these risk profiles and continuous context analysis, the security team can implement and enforce centralized security policies – independently of any old-fashioned network firewall perimeter.
Establishing context entails checking numerous aspects such as the IP address and geographic location, device status (corporate-owned, privately owned), OS status (jailbroken/rooted or secure), patch status, and so on, as well as verifying digital certificates for identity and access management.
The constant evaluation of all this data is then matched with predefined granular policies. For example, businesses might determine that employees can only access sensitive resources if the device is fully secured, and the user is identified via multi-factor authentication. Otherwise, a pop-up notification will inform the employee how to proceed, while the device might be put into quarantine until its desired state is achieved.
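As an added illustration (not code from any particular product), the following Python sketch matches the context signals listed above against a granular policy for a sensitive resource and returns allow, notify, or quarantine. All class, field, and threshold names are assumptions chosen for this example.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    NOTIFY = "notify"          # tell the user how to proceed (e.g. complete MFA)
    QUARANTINE = "quarantine"  # isolate the device until its desired state is restored

@dataclass(frozen=True)
class AccessContext:
    # Signals named in the text; the field names are assumptions for this example.
    country: str
    corporate_owned: bool
    os_compromised: bool       # jailbroken or rooted
    patch_age_days: int
    cert_valid: bool
    mfa_passed: bool

@dataclass(frozen=True)
class Policy:
    # Constructed policy for a "sensitive" resource.
    allowed_countries: frozenset
    max_patch_age_days: int
    require_corporate_device: bool

def evaluate(ctx, policy):
    """Return (Decision, reasons). Default-deny: ALLOW only if every check passes."""
    device_issues, access_issues = [], []
    # Device state problems lead to quarantine until they are fixed.
    if ctx.os_compromised:
        device_issues.append("OS is jailbroken/rooted")
    if ctx.patch_age_days > policy.max_patch_age_days:
        device_issues.append("patches out of date")
    # Identity and context problems lead to a notification with next steps.
    if policy.require_corporate_device and not ctx.corporate_owned:
        access_issues.append("device is not corporate-owned")
    if not ctx.cert_valid:
        access_issues.append("certificate failed verification")
    if not ctx.mfa_passed:
        access_issues.append("MFA not completed")
    if ctx.country not in policy.allowed_countries:
        access_issues.append("unexpected location")
    if device_issues:
        return Decision.QUARANTINE, device_issues + access_issues
    if access_issues:
        return Decision.NOTIFY, access_issues
    return Decision.ALLOW, []
```

Because the evaluation is continuous, a function like this would be re-run whenever a signal changes, not only at login.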
The benefit of the zero-trust approach lies in the fact that it strikes a perfect balance between security and usability: most of the time, employees won’t even notice that the zero-trust setup is continuously ensuring a high level of security. They will only notice security measures being applied when something extraordinary happens, be it by mistake or because an adversary has managed to compromise a user account.
Business has evolved from the medieval marketplace to just-in-time production, online ordering, and overnight delivery. Similarly, IT security architecture must adapt to today’s fast-evolving business world. Zero trust paves the way for working securely from anywhere while enabling a smooth employee experience. It’s high time to leave the ancient castle walls of IT security behind and switch to something designed from the ground up for the speed, agility, and user-friendliness of modern hybrid work.