Why zero trust delivers even more resilience than you think
Ten years ago, zero trust was an exciting, innovative perspective shift that security experts were excited to explore; today, it’s more likely to be framed as an inevitable trend than as a mere option on the security menu.
At the same time, however, it seems safe to speculate that one of the only reasons why zero trust has not spread itself wider and rooted itself deeper, is that major transformational projects often don’t feel as attractive in the context of economic turmoil. When businesses are feeling pressure to reorient themselves in the market, course correct on long-standing expenses, and find a sustainable financial route forwards, committing to overhauling a critical defender of business value is a tough ask.
Businesses have a wide range of options available to them as they react to challenging market conditions. This year we have seen many – particularly in the tech sector and particularly at the start of the year – re-evaluate what a healthy headcount looks like for them. They might cut back on niche products and services to allocate more energy towards core revenue generating activities. Partnerships can be rethought, contracts renegotiated, and departments restructured.
All of this is in the interest of ensuring that the shape of a business mirrors, as closely as possible, the productive activity it is committed to. I think that it is easy to overlook how introducing zero trust network access (ZTNA) functions in precisely this way for the technological infrastructure that that activity relies on. Indeed, while adopting ZTNA certainly is a major project, for which business leaders should anticipate long timelines and complicated decisions, it should also be seen as an important tactic for reaching a more sustainable financial footing.
The most readily apparent reason why this is the case comes simply from the consequences of breaches and disruptions. While estimates of the average damage an attack causes vary wildly depending on who you ask, nobody is now surprised to see reported figures in the tens or even hundreds of millions of dollars. Whether thinking in terms of primary remediation costs (including ransom payments and regulatory fines), the revenue lost through downtime in business processes, or the downstream effects of reputational harm, security failures can have near-existential impacts for businesses. Mitigating the outcomes of inevitable attacks, as ZTNA does, effectively frees up resource which can be better applied elsewhere.
There are also, of course, ongoing operational costs to consider in any technology rollout. Traditional network security measures built around perimeter-based defenses can be brittle and challenging to maintain, leading to expense in the form of employee capacity being invested into it, on top of any ongoing costs for security tools and platforms. Well-designed ZTNA can simplify this process by centralizing policy controls and adapting more robustly to changing conditions.
What might be less obvious about ZTNA, however, and the way in which it really functions as a transforming influence on the business more broadly, is how it affects the ways in which people use resources.
In a traditional security model – using a VPN, for instance – a user successfully passing through the gates of the network perimeter may be authorized to access a breadth of files and applications. As that user works across various components of the IT infrastructure, potentially hundreds of connections to the network’s resources might be established, each requiring tunnelling and encryption in line with security policy. This, inevitably, creates a significant load on network infrastructure, with high resource allocation even for relatively mundane workflows.
An essential principle of ZTNA, by contrast, is to work in terms of one-to-one connectivity and access: a specific, identifiable user connected to a specific, identifiable resource for each authorization event. This is why ZTNA so effectively isolates and cushions breaches which do occur, but it also means that a given user will only ever be allocated the computing resources necessary to do their work.
Looked at another way, the traditional security model forces organizations into a situation a little like powering an entire office building for an employee who only needs to use a single room. Once they tap in through a security gate, the building has no way of knowing what they will need, so everything must be lit up and ready. Because ZTNA reauthorizes the user along every step of that journey, parts of the “building” not being accessed can happily remain dormant.
Business leaders know that, in economic headwinds, every option for getting safely through the storm must be considered. No matter what, though, it seems almost certain that technology usage, and the costs associated with it, will only grow as enterprises try to stay competitive. Whether it is for resilience during cybersecurity incidents or for efficiency the rest of the time, there has never been a better moment to explore the potential of zero trust.