Making the case for Trust in Zero Trust
As WFH continues and bad actors and cyberthreats thrive, it is more critical than ever before for organizations to have a robust cybersecurity strategy in place. The best way to get started? Leverage Zero Trust.
The chief concern security teams have is keeping threats and attacks out of their organizations. This is why CISOs make significant investments in security controls that protect important vectors like the network, data center, cloud, email and endpoint. This defense-in-depth approach is essential to detect and block threats, but they need to be bolstered with Zero Trust capabilities. Why? Simply put, because attacks and breaches continue to occur. In fact, we know that 64 percent of CISOs believe their organization is more likely to experience a data breach due to COVID-19, and an additional 30 percent of CISOs have seen more attacks on their IT systems as a direct result of COVID-19.
With data breaches and cyber threats top of mind, it is crucial for organizations to leverage Zero Trust across their networks, devices and data centers in order to keep bad actors out and to keep crown jewels secure.
Here’s why you should trust Zero Trust
Bringing it back to the basics, Zero Trust eliminates automatic access for any source -- internal or external -- and assumes that internal network traffic cannot be trusted without prior authorization. Why is this important? Because focusing on perimeter security and firewalls alone clearly isn’t enough (proven by breach after high-profile breach). We need to do more internally to supplement perimeter defenses and to ensure that even when attackers break in, our internal assets remain unscathed.
According to a recent Illumio report, 49 percent of cybersecurity leaders say Zero Trust is critical to their cybersecurity strategy. This means that nearly half of organizations are adopting the Zero Trust security mindset of "never trust, always verify" across their organizations and infrastructure. As users move steadily off campus networks to a distributed, work-from-anywhere model, this principle must be extended to endpoints to further reduce the attack surface.
Zero Trust adoption is just beginning -- the time to act is now
Although half of business leaders agree that Zero Trust is critical to their organizational security model, only 19 percent have made real headway in implementing their Zero Trust plan. To put that into perspective, 15 percent have already seen widespread implementation of Zero Trust across their organization and another 4 percent have fully implemented the Zero Trust model. But most teams are gathering information (28 percent), developing their plan (11 percent), or gaining buy-in on Zero Trust (14 percent). This leaves a lot of room for growth and a lot of unprotected attack surface.
Why? Because adopting Zero Trust takes time and resources. Zero Trust is not a product, but a strategy -- default deny -- only allow what must be allowed. Leaders need to understand that achieving Zero Trust is a journey, but one that will make their organization safer, and ultimately more efficient. To be clear, it is not a light switch that you can turn on by buying one product or solution. There are products that solve many of the pillars of Zero Trust, but ultimately adopting those solutions takes time -- so setting internal expectations is important.
Getting started with Zero Trust
There are plenty of tools you can use to establish Zero Trust across your organization. Most organizations (70 percent) are using multi-factor authentication (MFA) or single sign-on (SSO) (69 percent), which enables users to sign in once with strong credentials backed by MFA. These tools are impactful and have a low barrier to entry, so it’s no wonder they’re some of the most widely adopted solutions -- they’re a great place to start.
A lot of organizations have also implemented tools like campus segmentation (32 percent) and micro-segmentation (26 percent) to further bolster the internal support of external security tools like firewalls. Micro-segmentation, for example, is a key Zero Trust technology that prevents attackers from moving laterally throughout an environment, which significantly limits the impact of an initial breach.
But the most important thing to keep in mind when you decide to implement Zero Trust is to build a plan with focus. Determine your organization’s priorities and crown jewels and build Zero Trust solutions around them. Be decisive and get going as soon as possible. With ransomware on the rise, and new ransomware attacks making headlines seemingly every other day, the time to start implementing your Zero Trust strategy is now.
As chief executive officer and co-founder of Illumio, Andrew is responsible for the overall strategy and vision of the company. With deep expertise in segmentation, network security and regulatory and compliance management, Andrew is a frequent participant in panels, articles and podcasts for leading industry events and publications. Goldman Sachs has named Andrew as one of the "100 Most Intriguing Entrepreneurs" each year since 2015 as part of its Builders & Innovators program.