5 reasons your organization needs to adopt a zero trust security architecture
Traditionally, network architectures were designed and secured according to the "castle-and-moat" model. Like a medieval fortress, an enterprise data center was imagined to have impregnable and unbreachable walls. All traffic entering or exiting would pass through a single access point, where a security gateway appliance would sit, like a knight in shining armor. This device would police the network traffic on a packet-by-packet basis, allowing traffic it deemed ‘safe’ unrestricted access to the network’s trusted interior.
Although this model is as outdated as chain mail is for 21st-century military combat, its legacy endures in assumptions and presuppositions that can prevent business decision makers from choosing the most effective cybersecurity tools and solutions for today’s complex threat landscape.
Zero Trust was initially proposed by Forrester Research in 2010. It is a paradigm designed to counter outdated ways of thinking about network security by providing a new model that’s better suited for today’s distributed, diverse, data-centric architectures.
The Zero Trust model is centered in the core concept of "never trust, always verify," and the goal of adopting a Zero Trust architecture is to eliminate internal "trusted" zones within the network and instead make security omnipresent throughout the digital business ecosystem.
Here’s why this is so important right now.
No 1.: Network architectures no longer have a single point of ingress/egress that can be monitored and controlled
With the rise of cloud-based services and increasing numbers of employee-owned, mobile and the internet of things (IoT) devices connecting daily, the idea that networks have fixed perimeters has become largely meaningless. The shape and configuration of an enterprise network are in constant flux, as different combinations of devices access various services from moment to moment.
Nearly half of all enterprise workloads already run in the cloud, and researchers estimate that as many as 94 percent will be processed in cloud data centers by the end of 2021. As increasing numbers business processes rely on cloud-based computing power, the idea of an internal "trusted" network makes less and less sense.
No. 2: Credential theft is an enormous problem today
According to recent reports, stolen credentials or misused privileges were used to gain access to network resources in more data breaches last year than any other method. And credential theft has held this spot -- as the No. 1 threat action successfully employed in breaches -- consistently for the past 10 years straight. And, the volume of phishing email observed by researchers continues to increase.
Needless to say, perimeter-based defenses are utterly ineffective against these sorts of attacks. Once an attacker has access to privileged credentials, they’re free to move laterally across the network at will, unless continuous traffic monitoring is in place that can alert on these anomalous activities, or multi-layered access controls require a second type of authentication.
No. 3: Employee error remains the most common cause of data breaches
In one recent survey, examining cases of unauthorized exposure of regulated data (such as protected health information or credit card numbers), 92 percent of incidents and 84 percent of breaches were due to "inadvertent" or "unintentional" actions. Its reality: we’re all human, and we make mistakes.
Zero Trust architectures that include multi-layered defenses and data-loss-prevention (DLP) solutions can help mitigate these risks. Perimeter-based defenses cannot.
No. 4: Traditional firewalls and legacy anti-virus/anti-malware solutions cannot stop all threats
Simply put, these products don’t offer adequate defenses against today’s emerging and increasingly sophisticated file-based threats. With more than 350,000 new types of malware being unleashed daily, even the best signature-based endpoint protection platforms cannot be relied on to catch them all.
When you’ve implemented a Zero Trust architecture, you should have resilient, layered defenses in place to ensure attackers who have evaded your endpoint-based detection mechanisms cannot have free access to your computer’s or other devices’ resources on the network. Adopting a "never trust, always verify" mindset also means seeking out solutions that will prevent unknown files from executing or making changes in your environment.
No. 5: Zero Trust presents a solid foundation for robust, resilient security architectures
Adopting a Zero Trust framework doesn’t mean you need any particular tools or solutions. It does mean that you need to change how stakeholders throughout your organization think about information security risks and how they collaborate to bring about meaningful change.
If you design multiple layers of protection into your infrastructure’s backbone -- and make sure the most effective technologies, like cloud-based verdicting for all unknown files, are among the solutions you’ve chosen -- you’ll vastly decreasing your chances of experiencing a significant breach.
To learn more read the ebook Preventing Breaches by Building a Zero Trust Architecture.
Photo credit: tsuponk/Shutterstock
Fatih Orhan is Senior Vice President of Technology, Comodo. With more than 15 years of experience in the technology industry, Fatih Orhan brings considerable expertise to his role as VP of Comodo Cybersecurity’s Threat Research Lab (CTRL), where has worked closely with his digital intelligence team and over 200 security analysts to develop and implement the best combination of cybersecurity technology and innovations; machine learning-powered analytics; artificial intelligence; and human insight to secure and protect individuals and businesses around the world. First working on Comodo Mobile Security as program director, Fatih soon advanced to Director of Technology and founded the company’s Antispam Lab (ASLAB) in 2015, where more than 45 analysts now collaborate to provide protection and security in the email domain. Taking the lead for AVLABS the following year, Fatih and his team made several achievements, including Top Product from the independent organization, AV-TEST.