What have we learned from the last six months? Trust no one
How many people do you trust with your credit card information? Or your social security number? For most people, the answer is zero (unless you’re married, in which case the answer might still be zero). What many don’t realize is that there are far more damaging security risks than a stolen credit card number. Namely, your internet browser. We don’t often fully appreciate how much our browsers know about us. We use them for our email, shopping, sensitive company data, and yet we leave our browsers more vulnerable than the wallets in our pocket. The truth is a compromised browser might have you wishing you’d just lost your wallet.
Even though we’re always looking out for pickpockets, hackers may well be just as ubiquitous. Following the post-COVID digital boom, the last six months have seen a sharp rise in cyber attacks taking advantage of the security gap that comes with shifting entire enterprises to a remote environment. Companies scrambled to introduce short-term fixes like scaling existing VPNs to connect employees to a central network, but the cost and complexity meant that this approach simply wasn’t going to work to support long-term remote operations. In fact, many companies struggled to expand their efforts to implement VPNs as a remote security measure that could support today’s mobile workforce, and as a result, it is likely that this outdated technology will be abandoned altogether in the near future.
For companies that chose not to use VPNs as a security Band-Aid, there were really two options. Companies who wanted to act quickly could accept the risk and forego security visibility for the purpose of maintaining continuity and keeping employees working normally. Lowering the security bar meant that many of these enterprises would pay the price and succumb to ransomware attacks, phishing scams and other malicious threats that have become even more prevalent since the start of the pandemic.
However, some companies wisely looked to a longer term solution that could secure their systems completely. This is where many CISOs turned to Zero Trust. According to global research and advisory firm Gartner, Zero Trust is best described as an "approach where implicit trust is removed from all computing infrastructure. Instead, trust levels are explicitly and continuously calculated and adapted to allow just-in-time, just-enough access to enterprise resources." The key takeaway here is that Zero Trust isn’t any one solution -- instead, it’s a new security approach built for today’s remote workforce.
It turns the tables on the traditional way of connecting users which assumes that all users are trustworthy and provides access to the entire network to anyone who has correct credentials. Instead, zero trust assumes that everyone is not to be trusted, provides only access to certain applications and continually verifies that the user is behaving as expected.
Because of the extreme level of discrimination that Zero Trust uses, it has become highly popular as an alternative to VPNs for distributed workforces. Cybercriminals didn’t skip a beat during the pandemic when it came to exploiting the security gaps in employee’s home systems, and for many companies this spelled destruction. For companies anxious to avoid succumbing to these attacks, Zero Trust provided a security guarantee that other options lack.
In the coming months, every company with employees that have worked remotely over the last year and half will have to make decisions on how and if to return to work. The work from home environment has already spurred a high level of interest in Zero Trust while simultaneously exposing the flaws in relying solely on VPNs as a security measure. Unique situations require unique solutions, and because of the nature of cloud-based web browser security, Zero Trust will only become more important as the pandemic subsides and companies work to reintegrate their temporary solutions into their permanent infrastructure.
In today’s environment, there is much more to worry about than stolen credit cards or compromised passwords. Our browsers are snapshots of our lives, and more threateningly, access points to our employers and their systems. Zero Trust promises to be a long term solution to browser security that has already begun gaining in popularity, and will likely be part of the enterprise security stack for years to come.
Mark Guntrip is Senior Director, Cybersecurity Strategy, Menlo Security