As organisations around the world come to terms with operating in a post-COVID environment, many are reviewing their approach to the challenge of effective IT security.
Traditional strategies tended to rely on having a secure perimeter surrounding all digital assets. Anyone outside that perimeter was deemed to be untrusted while users within it had free rein to access the resources they required.
Now, with large numbers of staff working from home, this approach is no longer effective. Indeed, the concept of a perimeter is no longer truly relevant, which means another method needs to be followed.
A new approach
One security strategy becoming increasingly popular involves the concept of zero trust. It takes the view that organisations should not trust anything, inside or outside the perimeter, and should verify all identities before allowing access to resources.
In essence, this means that traffic within an organisation’s network is treated in the same way as traffic coming from the public internet. Each user and application requesting access to resources must prove their identity before being allowed to proceed.
This approach is needed because the very concept of trust is a human emotion that has not transferred well into a digital environment. It might be OK to trust a fellow colleague because you have known them for a long time, but trusting digital traffic is a different thing altogether.
Interest in and adoption of zero trust is being driven by a range of different factors. These include:
- Mandates: Many organisations are actually mandating that their security teams follow this path. It’s been recognised that traditional approaches are no longer effective and threat levels have become too high.
- Remote workforce: Thanks to the pandemic, it’s likely that the number of staff working remotely will remain high for an extended period. For this reason, a new approach to IT security is essential.
- Data sharing: Organisations are sharing data with external parties more than ever before. This means requests to access core resources will continue to grow, putting further pressure on perimeter defences.
- Reliance on contractors and partners: Rather than having all capabilities in-house, organisations are increasingly using external resources. As a result, requests for access to core systems are on the rise.
- IoT adoption: The rollout of Internet of Things infrastructures is accelerating, placing even more pressure on existing security measures. Zero trust is the most effective way of overcoming this challenge.
Asking the right questions
For zero trust to be truly effective, it must assess a number of key variables that together can ascertain the identity of a requesting party and their level of authorisation.
As well as determining who is making the request for access, it’s also important to ascertain from where the request is being made. The zero-trust infrastructure must also be able to determine how the request is being made, why the access is being sought, and what resources are being targeted.
By combining multiple variables, the chance of unauthorised access being achieved is significantly reduced. Zero trust also recognises that just because a party was authorised at some point in the past, that doesn’t mean the authorisation should be ongoing.
Also, approved access to one resource should not result in approved access to all resources. A staff member might be authorised to access a file server but, when they try to access finance systems without authorisation, that access should be blocked.
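The per-request evaluation described above (who, where, how, why and what, with no standing authorisation and no carry-over between resources) can be expressed as a deny-by-default policy check. This is an added example, not code from the original article; the user names, resources, purposes, allowed locations and the 15-minute re-verification window are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Every name, value and threshold here is constructed for illustration.
MAX_AUTH_AGE = timedelta(minutes=15)      # a past authorisation is not ongoing
TRUSTED_METHODS = {"managed-device+mfa"}  # acceptable "how"
EXPECTED_LOCATIONS = {"AU", "NZ"}         # acceptable "where"
# Grants are per (who, what) and list the purposes ("why") each one covers.
GRANTS = {
    ("alice", "file-server"): {"project-docs"},
    ("bob", "finance-system"): {"month-end-close"},
}

@dataclass(frozen=True)
class AccessRequest:
    who: str                    # verified identity of the requester
    where: str                  # country the request originates from
    how: str                    # device posture and authentication method
    why: str                    # declared purpose of the access
    what: str                   # resource being requested
    authenticated_at: datetime  # when the identity was last verified

def decide(req: AccessRequest, now: datetime) -> tuple[bool, str]:
    """Evaluate one request on its own merits; deny unless every check passes."""
    purposes = GRANTS.get((req.who, req.what))
    if purposes is None:
        return False, "no grant for this resource"
    if req.why not in purposes:
        return False, "purpose not covered by grant"
    if req.how not in TRUSTED_METHODS:
        return False, "untrusted device or authentication method"
    if req.where not in EXPECTED_LOCATIONS:
        return False, "unexpected location"
    if now - req.authenticated_at > MAX_AUTH_AGE:
        return False, "verification too old, re-authenticate"
    return True, "allow"

NOW = datetime(2021, 6, 1, 9, 0)  # constructed clock for the sample requests
FRESH, STALE = NOW - timedelta(minutes=5), NOW - timedelta(hours=8)
SAMPLES = [
    AccessRequest("alice", "AU", "managed-device+mfa", "project-docs", "file-server", FRESH),
    AccessRequest("alice", "AU", "managed-device+mfa", "project-docs", "finance-system", FRESH),
    AccessRequest("alice", "AU", "managed-device+mfa", "project-docs", "file-server", STALE),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.who, "->", r.what, decide(r, NOW))
```

The second sample is the file-server user reaching for the finance system, and the third is the same user relying on a verification from eight hours earlier; both are denied even though the first request from the same identity is allowed.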
Although the benefits of a zero-trust strategy are being increasingly understood, there still remain some barriers to its implementation.
One is that it can be seen by some organisations as being a very complex beast. Monitoring all traffic in real time and ensuring key assets are constantly protected is viewed as a tough task.
Another is that existing security measures are deemed to be working, so there is little motivation to change. If something is not broken, why fix it?
The bottom line, however, is that zero trust is the future. Working with experienced vendors, an organisation can deploy and maintain an infrastructure that will provide required levels of security in this new work-from-home world.