Zero Trust: A business imperative to enable the secure, hybrid-working enterprise
Without a doubt, cybersecurity will continue to be a topic riding high on the C-Suite agenda throughout 2022. With intensifying trade disputes, an escalating threat landscape, a highly distributed workforce, supply chains stretched to breaking point by the pandemic, and extra pressure exerted by the ongoing effects of Brexit in the UK and other geo-political issues, having a secure, productive, agile and cost-effective security framework in place will be paramount.
It’s evident that today’s enterprises conduct business and use digital technologies in ways that are evolving constantly. This digital transformation is making traditional perimeter-based cybersecurity IT infrastructure redundant. The days when every user and every device operating from within an organization’s premises or firewall could be automatically trusted, are over for good.
The last two years have accelerated the global shift to the cloud as enterprises look towards digital transformation and the need, brought into even sharper focus by the pandemic, for business agility and higher productivity, while also adapting to the new 'here for good' model of hybrid working. And with this come new challenges for cybersecurity.
The traditional security perimeter is rendered ineffective in this new world, and most legacy security systems, that were designed for a datacenter rather than a cloud-centric world, equally so. This is because the traffic between an employee and a cloud-based application can now completely bypass the traditional security perimeter together with any incumbent security controls or policies. The network is no longer a secured enterprise network. Instead, the insecure internet has fast become the new corporate network. It’s time for organizations to take action if they are to keep attackers out and keep their businesses and people safe.
As working from home has now become globally widespread, security technologies and processes based purely on established geographic location are becoming irrelevant. Millions of workers across the world shifted from being office-based to working from home, where they share broadband connections with family and friends. With a remote workforce, the use of potentially unsecured Wi-Fi networks and devices increases security risks exponentially. The change in workers’ expectations, with regards to being able to work from home, means remote working is unlikely to be a passing trend. Subsequently these challenges and risks around connectivity and security are here for the long term.
A popular, but now outdated, option in providing secure connectivity to corporate applications has been to use a Virtual Private Network (VPN). Whilst this will encrypt traffic between a device and an application, and provide a level of authentication, a VPN provides access to the corporate network as well as the applications that are served from it. As a result, this can give inappropriate levels of access to applications and functions that are outside an employee’s job role or profile. This significantly increases the risk of a cyber security incident. For today's sophisticated threat actors, it is a trivial task to deduce that an organization is using a centralized firewall and launch a DDoS attack via an online service that seriously impacts productivity. So, if VPNs are no longer fit for purpose, is there a better way?
Zero Trust -- an adaptive model, built for the cloud
In short, yes there is. In this new environment, more and more enterprises are adopting a Zero Trust approach. Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeter, and instead must verify anything and everything trying to connect to its systems before granting access. Zero Trust employs "never trust" and "always-verify" principles, offering a secure platform for users to access applications, from anywhere, whether housed in data centers or the cloud. Security becomes all about context – where a user is, what role they have, what data they need and when – rather than about location -- inside or outside the organization’s firewall. And Zero Trust ensures constantly adaptive levels of trust and verifications as these parameters change.
As the pressure to protect enterprise systems and data grows significantly, and attacks become more sophisticated, CIOs and CISOs are moving the implementation of Zero Trust across all aspects of their infrastructure, to the top of the corporate agenda. By removing the centralized approach to policy enforcement and moving towards a distributed model where security is delivered via the cloud, organizations can begin to move to a model where users and devices can be connected to applications and data securely and efficiently -- regardless of geography.
Challenges and benefits
It is undoubtedly a challenge for most large enterprises with established IT teams, that have worked on a 'trust but verify' basis using corporate firewalls and VPNs, to change direction and move towards a Zero Trust framework. But in our view, adopting this approach does bring considerable benefits
Without the concept of a fixed network perimeter, users can be anywhere and on any device. It’s also true today that the devices employees are using are much less likely to be ones assigned by their employer. Employer-owned laptops and phones are traditionally managed, patched, and kept up to date with security tools and policies. However, in the era of remote working, employees may forget basic cyber hygiene skills and start, or indeed are actively encouraged, to use their own devices to access corporate resources. If the enterprise moves to a Zero Trust approach, CISOs can reduce the attack surface of the business by only giving employees access to the applications they need to work with.
A modular approach to Zero Trust
In our experience, one of the key questions when adopting a Zero Trust approach is -- "where do we start?"
When trying to secure key milestones of the journey between an employee (or indeed more often a sensor or other IoT device) and an application, the sheer amount of technology touchpoints involved can prove overwhelming. Most enterprises typically have a subset of existing tooling that address some key aspects of trust e.g., multifactor authentication, identity and access management, network access control. Extending the approach across multiple technology towers, however, is challenging. This is where a modular approach can work effectively. Separating out key functions or "journeys" into modules can allow a more focused approach to the application of a security policy, both from a procurement, implementation, and budgetary perspective.
Although every enterprise will have its own priorities that dictate the appropriate starting point and path taken, in my view, there are four key areas to a Zero Trust journey that need to be considered.
Firstly, Identity and Access, enabling you to recognize and authenticate user and device access, ensuring appropriate levels of access are granted dependent on role-based policies, rather than location. If your current landscape of IDAM systems is complex today, as so many are following acquisitions, disposals and global reorganizations, these can now be simplified with a single cloud overlay. This takes away complexity, acting as a central repository of users and devices, managing starters and leavers, and much more.
The second consideration is the network itself, ensuring you can connect users and devices to apps and data over a high performing, secure and constantly optimized pathway -- using cloud solutions such as SD-WAN for example. And of course, being able to monitor the entire pathway is more crucial than ever, helping spot, avoid or remediate issues before they impact your business operations. Monitoring these new complex data pathways is critical to both performance and security.
The third area to focus on is the Secure Service Edge -- this ensures a secure gateway to the cloud, helping you get users on and off the internet quickly, efficiently and securely, using cloud on-ramp solutions, while ensuring a high-quality digital experience.
Finally, look at your Apps and Data, a vital stage ensuring these are properly segmented to protect against cross-infection should a virus occur.
As an example, if the network itself is your most pressing area for action, you should see SD-WAN as a core solution component in the journey to Zero Trust. It makes management of network infrastructure easy, allowing IT to avoid complex network-security architectures, whilst providing the highest security through a cloud-delivered model. All traffic is securely connected through a cloud-delivered service, whatever the connection type -- mobile, satellite or home broadband. And because the intelligence of the network is software-driven and orchestrated centrally, it can manage the user’s journey through an insecure internet to the location of the application, at the same time compressing other applications to improve the user experience.
An SD-WAN solution can be procured and implemented as a standalone initiative -- but the real zero trust value comes when it’s incorporated as part of a total security and networking solution, often known as SASE, Secure Access Service Edge.
Addressing all four areas described above will leave your enterprise, secure, resilient, agile and connected -- providing firm foundations for successful digital transformation.
The CIO and CISO Imperative
Now is the time for CIOs and CISOs to work together to design their Zero Trust journey together -- investing in modern technologies, rather than trying to retro-fit legacy systems, to ensure their organizations are successful and secure in today’s work-from-anywhere and cloud-centered world.
Mark Cooke is Chief Operating Officer, Xalient. The company’s Zero Trust Framework ensures that every stage of the journey is considered through the lens of Zero Trust. Xalient believes that to achieve successful and ongoing digital transformation, enterprises must address the challenges of security transformation right at the outset.