There was a time when defending the perimeter was the focus of IT security. By necessity, those days have long passed. Between insider threats, credential-stealing malware, and social engineering, today's businesses need to secure more than the gate around the castle. They must defend the doors inside the castle itself.
This reality has brought Zero Trust back into the forefront of conversations about cybersecurity. From regulatory compliance to data breach avoidance to cloud computing, Zero Trust can drive strategic initiatives for businesses.
While I previously wrote about some of the myths surrounding Zero Trust, this blog series will dive deeper into why the Zero Trust architecture is right for today's organizations. The first myth that I noted was tied to the notion that Zero Trust had "jumped the shark." That is far from the truth. Now more than ever, the use cases for Zero Trust are apparent. To understand why, let's start from the beginning.
From idea to reality
The concept of Zero Trust as a network architecture goes back roughly a decade. At the core of this approach is the idea of treating all network traffic as untrusted. This idea was a change from the traditional view of cybersecurity, which held that internal users could be trusted, and only external traffic needed to be controlled. However, as attackers slipped past perimeter defenses with a mix of malware and phishing attacks, the truth became clear. Monitoring and controlling internal traffic is critical to stopping today's attacks.
The prevalence of data breaches in the past decade also underscored the reality that compliance regulations are not enough to guarantee security. History is littered with examples of this, such as the infamous Target data breach reported in 2013. But while these regulations may not ensure security, they do ensure there is a penalty for companies that fail to adhere to their standards.
Perhaps the most attractive proof point of the efficacy of Zero Trust is how it influences compliance. In heavily regulated industries, maintaining a strong cybersecurity posture is critical to avoiding a failed audit. Zero Trust both enforces and demonstrates the security levels organizations in those industries need. For example, under PCI-DSS, businesses are required to have a firewall that restricts and controls traffic to the cardholder data environment. The regulation also requires logical and physical access controls and has stipulations around identity management.
All of this is addressed by a Zero Trust approach. Zero Trust requires microsegmentation of the network, in effect walling off critical sections of the network according to user permissions that can be assigned depending on the job-related needs of a user or user group. This approach creates an audit trail of permissions and user activity that is ready-made for proving compliance.
Preventing data breaches
Since Zero Trust relies on the principle of least privilege, it shrinks the attack surface of the organization. By placing the focus on the identity of the user behind east-west traffic, it can stop an attack in its tracks. The use of multi-factor authentication (MFA) is crucial here, as many successful attacks involve the use of stolen or compromised user credentials. By treating internal users as untrusted as opposed to taking a trust-but-verify approach, organizations can mitigate the threat of an attacker using stolen credentials to slip by unnoticed.
Encrypting data is not enough. By definition, encryption means that a decryption key will be available to a privileged user. If that individual's credentials are compromised, encryption alone will not protect the data. For this reason, the emphasis has to be on identity, both of the user and the device, and whether that device or user is exhibiting normal or abnormal behavior. Context is critical. If a user suddenly appears to be logging in from a geographic location that is out of the norm, that could be a sign that trouble is afoot.
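The context check described above, as an added example that is not code from the original post or from Centrify: it builds a per-user baseline of countries and devices from historical login records and then decides whether a new login is allowed outright, needs an MFA step-up, or is denied. The log format, field names and the allow/step-up/deny policy are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed sample login records (not real data). One JSON object per line:
# the user, the source country of the login, and an opaque device identifier.
SAMPLE_AUTH_LOG = """
{"user": "alice", "country": "US", "device": "laptop-a1", "ts": "2024-03-01T09:02:00Z"}
{"user": "alice", "country": "US", "device": "laptop-a1", "ts": "2024-03-02T08:55:00Z"}
{"user": "alice", "country": "US", "device": "phone-a2", "ts": "2024-03-03T18:20:00Z"}
{"user": "bob", "country": "DE", "device": "laptop-b1", "ts": "2024-03-01T10:10:00Z"}
{"user": "bob", "country": "DE", "device": "laptop-b1", "ts": "2024-03-04T10:12:00Z"}
"""


def build_baseline(log_text):
    """Per-user sets of countries and devices seen in past successful logins."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        baseline[event["user"]]["countries"].add(event["country"])
        baseline[event["user"]]["devices"].add(event["device"])
    return baseline


def evaluate_login(baseline, event):
    """Return (decision, reasons) for a new login attempt.

    Assumed policy: a known user on a known device from a known country is
    allowed; one unfamiliar attribute (new country OR unregistered device)
    requires an MFA step-up; both unfamiliar, or an unknown user, is denied
    so that stolen credentials alone never grant access.
    """
    profile = baseline.get(event["user"])  # .get() does not create a profile
    if profile is None:
        return "deny", ["unknown user"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append(f"new country {event['country']}")
    if event["device"] not in profile["devices"]:
        reasons.append(f"unregistered device {event['device']}")
    if not reasons:
        return "allow", reasons
    if len(reasons) == 2:
        return "deny", reasons
    return "step_up_mfa", reasons
```

In a production deployment the device identifier would come from a device certificate or attestation rather than a self-reported string, and the baseline would be rebuilt continuously from the identity provider's audit log.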
Eyes to the cloud
Identity management may not be the first topic business leaders think of when it comes to the cloud. Still, it is a vital part of migrating security into the cloud alongside any data and applications. A Zero Trust approach unifies identity management across on-premises and cloud environments and provides organizations with a blueprint for how they want to manage identity and access in the cloud and across their virtual environments.
No longer hype
Despite its origin almost 15 years ago, Zero Trust is more relevant today than ever before. Getting these benefits does not require overhauling an entire network. Businesses can leverage their existing identity and security technologies to get started, integrating components like behavioral monitoring and multi-factor authentication as described in The Path to Zero Trust Starts with Identity, or explained in our customer stories from Adobe and LogRhythm.
Piece by piece, an identity-centric approach to Zero Trust gets organizations closer to regulatory compliance and effective security in today's environment.
About the author:
Dr. Torsten George is a cybersecurity evangelist at Centrify, which delivers Zero Trust Privilege to secure modern enterprises and stop the leading cause of breaches—privileged access abuse. He also is a member of the Identity Defined Security Alliance Zero Trust Technical Working Group and serves as a strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker.
Dr. George has been part of the global IT security community for more than 25 years and regularly provides commentary and publishes articles on data breaches, insider threats, cyber warfare, incident response, and IT security best practices, as well as other cybersecurity topics in media outlets. He is also the co-author of the Zero Trust Privilege for Dummies book.