The “Zero Trust” approach to enterprise security has gained significant traction as a way to combat the increasing sophistication and complexity of cybersecurity risks. The basic concept behind Zero Trust is, as the name suggests, to trust nothing and no one; specifically, any user, application or service attempting to access a network must be verified as legitimate before access is granted. Once granted, access is limited to the specific parameters defined for that user, application or service.
Applying this principle, however, is easier said than done. Most traditional security strategies take a “castle and moat” approach and treat the enterprise network as a physical entity with clearly defined boundaries. Zero Trust is designed to address today’s increasingly virtualized world, and therefore requires a fundamentally new mindset. Networks, moreover, have typically followed the TCP/IP paradigm, where connections precede authentication (arguably making security an afterthought). Zero Trust reverses this logic by requiring authentication before connections are established, and by embedding security into every single connection and access request.
Another issue is a false perception, fueled largely by market hype, of Zero Trust as an ironclad solution that renders businesses immune from cyber threats. Relatedly, vendors eager to close deals push the idea that Zero Trust can be implemented as a discrete, one-and-done solution. In the first instance, a false sense of security results. In the second, businesses underestimate the challenges and work required to deploy Zero Trust.
The fact is, Zero Trust is a massive, long-term undertaking, and teams building a business case for investment shouldn’t avoid that reality. Moreover, the model is not a panacea. Most enterprises require a hybrid environment (and partners who can manage such an environment), where traditional security technologies work in tandem with Zero Trust domains. Finally, Zero Trust requires an ongoing, enterprise-wide commitment that integrates people, processes and technology.
Zero Trust: A titanic endeavor
As originally defined by the Forrester Group, the Zero Trust model comprises five steps:
- Identify Sensitive Data
- Map the Flows of Sensitive Data
- Architect Zero Trust Micro-Perimeters
- Continuously Monitor Zero Trust Ecosystem with Security Analytics
- Embrace Security Automation and Orchestration
Each of these steps represents a major undertaking in and of itself. For example, steps one and two (identifying potentially sensitive data and mapping the flows of this data) require classifying and prioritizing myriad data from multiple sources based on complex criteria such as impact and probability. In other words, businesses must determine whether data that poses a potentially catastrophic risk, but is highly unlikely to be exposed, should be a higher priority than data that poses a low-impact risk but has a relatively high probability of being exposed.
Given the cost and complexity of such enterprise-wide data identification and classification projects, the exhaustive, multi-step approach has proven to be impractical for many industries. For businesses seeking a manageable alternative to a full-blown Zero Trust undertaking, the Managed Perimeter Security paradigm represents a viable option.
Carving boundaries
From a cybersecurity standpoint, employees, although always meaning well, typically create the most security gaps. And when 1 in 4 employees admit to getting distracted and clicking a suspicious link, and 46% of organizations had at least one employee download a malicious app, it’s evident that processes and training procedures for protecting data need to be reassessed.
A Zero Trust Endpoint Security Platform (ZTESP) provides organizations with an integrated solution for defining which devices can access data, what information can be obtained or shared by whom, and elevation control to help prevent executive escalation of privileges.
Managed Perimeter Security (MPS) solutions address the Zero Trust imperative even further by carving out defined access boundaries to different entities, regardless of physical location. For example, remote workers can access files related to their jobs, IT contractors can access applications they’re testing, and suppliers can access orders of the products they’re supplying.
By defining and restricting network access based on the user profile and permissions, ZTESP and Managed Perimeter Security work together to enhance security and the ability to monitor vulnerabilities within the virtual network. Managed Perimeter Security also assesses the context of each connection in terms of identity, time of day, and location of the entity seeking access. And by decoupling security from the network used by each user (as VPNs intend), these solutions improve security at a local level by securing user devices from inbound connections. This addresses concerns about malicious users accessing devices on local public networks.
SDP is also conducive to hybrid environments and a phased adoption of Zero Trust. Specifically, Managed Perimeter Security architectures usually provide the tools to enable the architecting, monitoring, and automation/orchestration stages of the Zero Trust model. Managed Perimeter Security also simplifies things: While a pure Zero Trust approach identifies units of data to be classified and tagged, Managed Perimeter Security identifies complete datasets of information (assets) regarding the location in the data center. A “connector” then links these datasets to a separate controller element that considers each access request's context (live entitlements) before providing the credentials and allowing communication.
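The controller decision described above, sketched as an added example (not code from this article or from any product): each request is checked against the profile's entitlement, time of day and location, and a short-lived, asset-scoped credential is issued only if every check passes. The profile names, asset names, hours, locations and function names are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed entitlements, modelled on the article's three example entities.
ENTITLEMENTS = {
    "remote-worker": {"assets": {"job-files"}, "hours": (time(7), time(19)),
                      "locations": {"US", "CA"}},
    "it-contractor": {"assets": {"test-app"}, "hours": (time(9), time(17)),
                      "locations": {"US"}},
    "supplier": {"assets": {"supplier-orders"}, "hours": (time(0), time(23, 59, 59)),
                 "locations": {"US", "DE"}},
}

@dataclass(frozen=True)
class AccessRequest:
    profile: str          # user profile the identity maps to
    authenticated: bool   # identity verified before any connection exists
    asset: str            # dataset ("asset") behind a connector
    when: datetime        # time of the request
    location: str         # coarse location of the requesting entity

def decide(req):
    """Return (allowed, reason). Anything not explicitly entitled is denied."""
    if not req.authenticated:
        return False, "identity not verified"
    ent = ENTITLEMENTS.get(req.profile)
    if ent is None:
        return False, "unknown profile"
    if req.asset not in ent["assets"]:
        return False, "asset outside entitlement"
    start, end = ent["hours"]
    if not (start <= req.when.time() <= end):
        return False, "outside permitted hours"
    if req.location not in ent["locations"]:
        return False, "location not permitted"
    return True, "ok"

def issue_credential(req, ttl_minutes=15):
    """Issue a credential scoped to one asset, or None with the denial reason."""
    allowed, reason = decide(req)
    if not allowed:
        return None, reason
    cred = {"asset": req.asset, "token": secrets.token_urlsafe(16),
            "expires": req.when + timedelta(minutes=ttl_minutes)}
    return cred, reason
```

Because the decision is re-evaluated per request and the credential expires, a change to an entitlement takes effect on the next access attempt rather than at the next login.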
Zero Trust security is a lofty and laudable aspiration for businesses facing potentially catastrophic cybersecurity threats. But like the thousand-mile journey, the road to Zero Trust begins with two steps: (1) Developing an intuitive platform that monitors app and data usage like ZTESP and (2) establishing effective processes, policies, and procedures that help you chart the right path, like Managed Perimeter Security.