Zero-trust architecture: A cybersecurity must-have
The COVID-19 pandemic ushered in a new era of remote and hybrid work that many of us knew was possible, but felt was years away from being realized. Now, we can work anywhere in the world asynchronously, with access to the documents and tech stack required to do our jobs as we would in an office setting.
While this has helped create a better work/life balance for many employees, the shift in corporate culture has created a host of new challenges for cybersecurity teams. The growing number of endpoints, many of them devices accessed remotely, requires a higher level of security to tackle growing online threats. How can IT teams champion hybrid workflows in an untrustworthy digital landscape? Fortunately, there is a solution to this problem -- a zero-trust architecture.
The Zero-Trust Shift -- From 'Trust Everyone' to 'Trust No One'
Historically, organizations used a "castle and moat" model to ensure network security. The castle and moat model was effective when virtually all employees worked within the confines of a traditional office building. All users and equipment inside of the network perimeter were trusted by default, which meant they didn’t need to be authenticated before accessing internal organizational resources. Only users and devices outside the network perimeter were required to authenticate.
Even before the pandemic, the shift to cloud computing and explosion of mobile devices were chipping away at the concept of a "network perimeter." Pandemic lockdown orders eradicated it. Organizations rapidly accelerated their digital transformation plans and hastily migrated to cloud-based environments, allowing employees to access work resources from anywhere. Remote work meant the number of endpoints, websites, systems, databases, and applications requiring authentication and end-to-end encryption multiplied exponentially. The castle-and-moat model crumbled overnight, and cyberattacks soared as threat actors took advantage of organizations’ insufficient security defenses.
Instead of relying on where users are, zero trust makes them prove who they are. In contrast to the outdated castle-and-moat model, the zero-trust model does not trust any human user or device, regardless of location. In a zero-trust environment, every user, application, and device must be continuously authenticated and authorized before being granted access to company data. The model assumes that nothing within a company’s network is exempt from being a threat or being compromised.
Realizing the Benefits of Zero Trust
By forcing every device and every user to verify their identity, zero trust fundamentally reduces security exposure for both the IT teams and end users. Zero-trust network access gives IT administrators complete visibility into all users, systems, and devices. People, apps, and services can communicate securely, even across network environments. It doesn’t matter if users connect from their homes, hotels, coffee shops, airports, or even if they use their own devices.
Zero-trust frameworks also help to improve monitoring and alerting if an organization is breached. Cybersecurity teams can work backward by logging and tracking who accessed what and when. This allows them to identify where the breach occurred, why it happened, and how to remedy the issue as quickly and efficiently as possible.
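The contrast between the castle-and-moat and zero-trust decisions described earlier, together with the who-accessed-what-and-when logging mentioned above, as an added Python example (not code from the article or from any Keeper product). The network range, signing key, users, devices and grants are constructed, and the HMAC-signed token stands in for whatever assertion an identity provider would issue.

```python
import hashlib
import hmac
import ipaddress
import time

# All names and values below are constructed for illustration.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SIGNING_KEY = b"constructed-demo-key"
ENROLLED_DEVICES = {"laptop-042"}
GRANTS = {"alice": {"payroll-db"}, "bob": {"wiki"}}
AUDIT_LOG = []

def issue_token(user, device, expires_at):
    """Stand-in for an identity provider issuing a short-lived signed assertion."""
    body = f"{user}|{device}|{expires_at}"
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"

def perimeter_allows(src_ip):
    """Castle and moat: anything inside the perimeter is trusted by default."""
    return ipaddress.ip_address(src_ip) in INTERNAL_NET

def zero_trust_allows(token, resource, src_ip, now=None):
    """Authenticate and authorize every request; src_ip is logged, never trusted."""
    now = time.time() if now is None else now
    user, reason = None, "ok"
    try:
        user_claim, device, exp, sig = token.split("|")
        body = f"{user_claim}|{device}|{exp}"
        good = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig.encode(), good.encode()):
            reason = "bad signature"
        elif float(exp) < now:
            reason = "token expired"
        elif device not in ENROLLED_DEVICES:
            reason = "unknown device"
        elif resource not in GRANTS.get(user_claim, set()):
            reason = "not authorized for resource"
        if reason != "bad signature":
            user = user_claim  # record the identity only once the signature verifies
    except (AttributeError, ValueError):
        reason = "missing or malformed token"
    allowed = reason == "ok"
    AUDIT_LOG.append({"time": now, "user": user, "resource": resource,
                      "src_ip": src_ip, "allowed": allowed, "reason": reason})
    return allowed
```

A request from an internal address with no token passes `perimeter_allows` but is denied by `zero_trust_allows`, and every decision, allowed or not, lands in `AUDIT_LOG` for later reconstruction.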
In the post-pandemic era, zero trust allows employees to work anywhere and anytime without disrupting their workflow. With the newest generation of secure cloud-based password managers, single sign-on (SSO) identity providers and remote access tools, employees can easily and securely access their applications and infrastructure from their remote office, without having to struggle with VPNs or passwords. The user experience is smoother, and the organization is more secure.
A Look at the Future
Remote work and cloud technologies mean organizational data is distributed more widely than ever. At Keeper Security, we recently surveyed business leaders in the U.S. to get their take on crucial cybersecurity issues. Only 32 percent of survey respondents plan to adopt a zero-trust and zero-knowledge security approach. This stat is alarming, as zero trust is the only realistic framework for securing modern, cloud-based data environments and distributed workforces. Organizations must implement a cybersecurity platform that provides complete visibility, security, and control across their data environment, with a single, pervasive pane of glass to track, log, monitor, and secure every user, on every device, from every location, as they transact with all permitted sites, systems and applications.
The global pandemic has triggered a cybercrime epidemic. As the hybrid working world develops, cyberattacks are increasing, with bad actors finding new ways to target businesses. It will only become more critical for companies to integrate high-quality systems and adopt zero trust within their infrastructure. By doing so, business leaders will be in a strong position not only to identify and react to attacks on their organization but to help prevent them entirely.
Craig Lurey is Co-Founder and CTO of Keeper Security.