As cybersecurity professionals, we can admit it: zero trust has become the industry's biggest buzzword. Some argue it is a principle, others a framework, others still that it is mostly an architecture. What I hope we can all agree on is that zero-trust access is a relatively new and substantially more secure, efficient, and effective way of connecting users to the data they need to do their jobs.
However, the explosion of zero-trust products, some genuine and some merely labelled as such, is not good for our customers. In a conversation I had with a senior analyst at a leading technology research and consulting firm, the analyst noted that many cybersecurity vendors have simply rebranded their existing solutions as zero trust. As a result, customers find it hard to tell a true zero-trust architecture from a relabelled one during procurement.
The question is, how can we help decision makers sort the wheat from the chaff?
Fortunately, there is an answer within reach, and it follows from what zero trust actually does: it makes enterprise communications effectively network-agnostic. Because true zero-trust access connects users to data securely regardless of which network the user happens to be on, enterprises gain new freedom and flexibility when designing their IT and security infrastructure and ecosystem.
Imagine a world in which the software, hardware, and cloud technology ecosystem starts to absorb and bundle zero-trust access components directly into the applications, devices, and workloads that enterprises buy to support digital transformation. That would make the customer's procurement path for zero trust far more reliable and straightforward. Let's explore this below.
First, it is critical to understand the core components of a true zero-trust network access (ZTNA) architecture:
- Users connect to applications and devices, not to a network
- The network—5G, home Wi-Fi, or corporate network—is a transport mechanism
- Access policies, set in a cloud-delivered, multi-tenant exchange, are evaluated on context such as user identity, device posture, location, and risk, rather than on source addresses, ports, and protocols
- A true zero-trust connection hides applications from the internet (they are reachable only through the exchange), reducing the attack surface
- A true zero-trust connection is a one-to-one connection between a user and a single application or device, established on demand. An attacker who compromises an endpoint therefore gets no network to land on, and cannot move laterally until they reach a crown jewel and execute their attack
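The list above describes a decision made on context rather than on network location. As an added example that is not part of the original post or of any vendor's product, the Python below evaluates a request against a per-application policy keyed on user group, device posture, location, and risk score, brokers a session scoped to exactly one application on allow, and contrasts that with a port-based VPN ACL that waves through anything holding a corporate address. The application names, groups, thresholds, sample users, and the source of the risk score are all hypothetical.

```python
# Added illustration: a context-aware policy decision for an application, beside a
# legacy port/protocol rule. Application names, groups, and thresholds are
# hypothetical; the risk score is assumed to come from an external risk engine.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset            # group memberships from the identity provider
    device_managed: bool         # enrolled in device management
    device_compliant: bool       # posture check passed (disk encryption, EDR, ...)
    country: str                 # ISO country code of the connecting endpoint
    risk_score: int              # 0 (low) .. 100 (high), from an external risk engine (assumed)
    application: str             # the single application the user asks for
    network: str                 # "corp-lan", "home-wifi", "5g": transport only, never a policy input


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_managed_device: bool = True
    require_compliant_device: bool = True
    allowed_countries: Optional[frozenset] = None   # None means any country
    max_risk_score: int = 50


# Hypothetical applications published to the exchange. Anything not listed is unreachable.
POLICIES = {
    "sap-erp": AppPolicy(frozenset({"finance", "sap-admins"}),
                         allowed_countries=frozenset({"DE", "US"}), max_risk_score=30),
    "plc-maintenance": AppPolicy(frozenset({"ot-maintenance"}), max_risk_score=20),
    "wiki": AppPolicy(frozenset({"employees", "contractors"}),
                      require_managed_device=False, require_compliant_device=False,
                      max_risk_score=70),
}


def evaluate(req: AccessRequest, policies=POLICIES):
    """Return (allowed, reasons). Deny by default; every failed check is reported."""
    policy = policies.get(req.application)
    if policy is None:
        return False, ["application is not published to the exchange"]
    reasons = []
    if not (req.groups & policy.allowed_groups):
        reasons.append("user is not in an allowed group")
    if policy.require_managed_device and not req.device_managed:
        reasons.append("device is not managed")
    if policy.require_compliant_device and not req.device_compliant:
        reasons.append("device fails posture check")
    if policy.allowed_countries is not None and req.country not in policy.allowed_countries:
        reasons.append(f"location {req.country} is not allowed")
    if req.risk_score > policy.max_risk_score:
        reasons.append(f"risk score {req.risk_score} exceeds limit {policy.max_risk_score}")
    return (not reasons), reasons


def broker_session(req: AccessRequest, policies=POLICIES):
    """On allow, describe the one-to-one session the exchange would spin up.

    The session is scoped to exactly one application, so a compromised endpoint
    gains no reachability beyond it. Returns None when access is denied.
    """
    allowed, _ = evaluate(req, policies)
    if not allowed:
        return None
    return {"user": req.user, "reachable": (req.application,), "transport": req.network}


# Legacy contrast: a VPN/firewall ACL keyed on source network and destination port.
# Once an endpoint holds a 10.0.0.0/8 address, anyone on it reaches every listed port.
LEGACY_ACL = [("10.0.0.0/8", 3200),   # SAP dispatcher
              ("10.0.0.0/8", 502)]    # Modbus/TCP to the PLCs


def legacy_vpn_allows(src_ip: str, dst_port: int) -> bool:
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(net) and dst_port == port for net, port in LEGACY_ACL)


# Constructed sample requests (not real users or devices).
FINANCE_FROM_HOME = AccessRequest("alice", frozenset({"employees", "finance"}), True, True,
                                  "DE", 10, "sap-erp", "home-wifi")
FINANCE_BAD_POSTURE_ON_LAN = AccessRequest("alice", frozenset({"employees", "finance"}), True, False,
                                           "DE", 10, "sap-erp", "corp-lan")
CONTRACTOR_ON_LAN = AccessRequest("bob", frozenset({"contractors"}), False, False,
                                  "US", 15, "plc-maintenance", "corp-lan")

if __name__ == "__main__":
    for req in (FINANCE_FROM_HOME, FINANCE_BAD_POSTURE_ON_LAN, CONTRACTOR_ON_LAN):
        allowed, reasons = evaluate(req)
        print(f"{req.user:6} -> {req.application:16} via {req.network:9}: "
              f"{'ALLOW' if allowed else 'DENY'} {reasons}")
    # The same contractor on the corporate LAN is waved through by the port-based rule.
    print("legacy ACL lets 10.20.3.7 reach Modbus:", legacy_vpn_allows("10.20.3.7", 502))
```

Note what the network field never does: alice on the corporate LAN with a non-compliant device is denied, alice at home on a compliant device is allowed, and the unknown application is unreachable because it was never published. The legacy ACL, by contrast, has no concept of who bob is or what state his laptop is in; holding a 10.x address is the whole check.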
Next, let’s review three key places to integrate and even embed or bundle zero-trust access architectural components.
1. Applications. Today, applications, identities, and access methods are procured separately. Enterprises buy SaaS, hosted, or on-premises applications, then separately buy identity, authentication, and zero-trust connectivity products so that users anywhere can reach those applications through a zero-trust connection brokered by a multitenant, cloud-based exchange.
But what if these procurement paths were not separate, and the zero-trust connector component shipped bundled with the application? Think of how transformative this could be for customers: secure zero-trust access would already be part of the app. After all, Gartner predicts that by the end of 2022, 80 percent of new business applications opened to ecosystem partners will be accessed through zero-trust network access. It would be good for application developers too, who could build their apps to be zero-trust ready from the start.
Companies like SAP are moving to make this possible. Users want always-on access to business-critical SAP ERP systems, access that has previously been jeopardized by VPN failures. Using zero trust for secure access to SAP ERP lets employees and third parties reach SAP systems securely and reliably without exposing the rest of the network.
2. Devices. The shift to remote work during the COVID-19 pandemic has not spared industrial manufacturing, which needs the same workforce agility to sustain production. Smart factories that use AI/ML and internet connectivity to speed process automation are growing in number, and they require modern IT connectivity and security principles to migrate to the OT side.
Now, because zero-trust components can be deployed alongside devices, users who would traditionally need to be on site to perform factory maintenance can do so remotely and securely. Factories can also replace legacy VPNs that did not scale well globally and that created significant vulnerabilities and safety concerns. It has never been more important to reduce the risk of cyberattacks on an already precarious supply chain.
Consider the havoc a malicious insider or third party can wreak on an OT network through a VPN: they can move laterally and exfiltrate data or, worse, change system settings to disrupt factory output, causing product defects and slower production, or even alter safety settings in ways that could injure or kill factory workers. Siemens, for example, is moving to make zero-trust access to Siemens-enabled smart factories a reality.
3. Workloads. Cloud adoption has accelerated during the pandemic: a Harvard Business Review Analytic Services study of 260 enterprise IT respondents found that nearly 60 percent of organizations' infrastructure and applications will have transitioned to the cloud within two years. That is a great deal of transformation activity on the horizon. It also means that systems, services, APIs, data, and processes must be remotely accessible across multiple ecosystems from any device and location, which expands the attack surface. Protecting how cloud workloads communicate with each other therefore becomes even more critical.
Increasingly, security architects such as Lane Findley of Quorum Software, which provides business-critical technology to the oil and gas industry, see the potential of offering their customers the assurance of zero-trust access policies for the server-to-server communication that powers the services they sell.
The value of zero-trust connectivity does not stop with the cloud-based architectural approach and the security features of a real zero-trust product. It can be extended by harnessing the integrated technology ecosystem, which has never mattered more for customer adoption of zero trust.
Bundling and distributing zero-trust components through applications, devices, and workloads makes the customer's environment more secure while making purchasing and deployment more straightforward. Companies can reach a stronger security posture faster while increasing business output at the same time, a combination that cyber professionals have rarely been able to promise.
Innovation like this, which goes beyond features and functions to change how customers purchase and set up products, is the rare kind of shift that lastingly changes the way our world works.