The rise of Zero Trust in a connected, revolving world
Organisations are increasingly turning to Zero Trust as a security framework amid mounting pressure to protect systems and data against sophisticated attacks.
The 2019 Zero Trust Adoption report found that 78% of IT security teams are looking to embrace Zero Trust. The report also found a growing interest in identity-centric security, with 68% listing privileged account management and multifactor authentication as their biggest priority.
The trend towards Zero Trust and identity-based solutions has been exacerbated by increased adoption of cloud services, IoT and a mobile workforce, where corporate assets and users move beyond the traditional perimeter.
In this blog, we look at the principles of a Zero Trust model, how Zero Trust overcomes many of today’s security challenges and the steps organisations can take to get started.
Zero Trust: The new frontier
The idea of Zero Trust is simple: Trust no one.
Zero Trust assumes nothing and no one, no person or machine, can be trusted – unless it proves it’s not a security threat. Then, and only then, will system access be granted.
Where traditional security models apply a ‘Trust but verify’ approach, Zero Trust follows the principle of ‘Never trust, always verify’. It achieves this through continuous authentication and monitoring capabilities based on AI and machine learning.
Zero Trust is an end-to-end approach encompassing identity, network and endpoint protections. The following figure by NIST represents an example of the core logical components in a Zero Trust architecture that may operate on-premises or in the cloud.
This conceptual framework shows the basic relationship between the components and their interactions.
While there is no one-size-fits-all approach to Zero Trust, the idea behind them is the same:
- To understand who the user is, and to confirm their identity
- To understand the user’s endpoint, and its security status; and
- To have a conditional policy that specifies whether or not the user can have access to something.
In achieving this, Zero Trust will typically draw on a range of practices and technologies, including:
- Microsegmentation: to limit the attack surface and give security teams more control over lateral movement
- Multifactor authentication (MFA): to authenticate access to trusted users
- Identity access management (IAM): combines MFA with other identity solutions, including single sign-on
- Privileged access management (PAM): to secure, manage and monitor privileged access to critical assets
- Monitoring and analytics: to identify anomalies with user behaviour and traffic and provide data to trigger alerts for suspicious activity
- Orchestration: to automate processes and shrink the perimeter around a single application
- Encryption: to protect sensitive data
- Network access control (NAC): to strengthen security by enforcing policies across all users and devices
- Mobile device management (MDM): to monitor, manage and secure employees’ mobile devices
- File system permissions: to control the user’s ability to view, navigate, change or execute on the contents of a protected file system.
For many organisations, Zero Trust is considered the holy grail of security. And for good reason.
Applying a Zero Trust framework enables organisations to significantly reduce the attack surface as well as the effectiveness of stolen credentials. Zero Trust can also reduce or eliminate the need for VPNs, while offering a better user experience and longer-term cost savings.
Zero Trust: A rising need
Zero Trust offers a wealth of benefits, as listed above, but its cause is not without a need.
Consider the stats.
The global cybersecurity market is currently worth $173 billion and is forecast to reach $270 billion by 2026, according to the Australian Cyber Security Growth Network.
Indeed, organisations are throwing their money behind security in an effort to outpace cybercriminals.
According to Australia’s Cybersecurity Strategy, cyber incidents targeting small, medium and large Australian businesses can cost the economy up to $29 billion per year, or 1.9% of Australia’s GDP.
Meanwhile, New Zealand’s central bank has found that cyber attacks could wipe off about 2-3% of the profits of the banking and insurance industries each year.
The types of attacks taking place demonstrate where Zero Trust really shines.
According to the 2019 Verizon Data Breach Investigations Report, 81% of data breaches are caused by compromised, weak and reused passwords.
Another eye-opening statistic from the same report shows 34% of data breaches involve internal actors.
The shift to a remote workforce combined with digitisation and the exponential growth of data has also led to a rapidly expanding and complex attack surface that has effectively made the traditional perimeter redundant.
Zero Trust, in all its elements, overcomes modern security challenges by extending security beyond the perimeter and abiding by the principle of least privilege.
It assumes everyone and everything is a potential threat both inside and outside the network, and applies strict and continuous authentication and controls to govern access.
It also offers the benefit of automation which can help security teams focus on the tasks they need to – a huge advantage in an industry short of skills.
Zero Trust is not something to ‘set and forget’, but rather a multiphased journey that starts with visibility and a clear, strategic plan that leverages the right mix of technologies.
Channel partners can assist their customers to create a strategy on how to deploy a full Zero Trust architecture.
The first step will be geared towards discovery to define the organisation’s most critical data, application, assets and services.
The next step will be to map the way traffic moves across a network. This will help inform decisions around controls to protect data while ensuring business efficiencies.
Organisations should then architect a Zero Trust network, starting with microsegmentation, create a Zero Trust policy, and then to monitor and maintain the network. Check out Palo Alto Networks’ Five Step Methodology to learn more about implementing Zero Trust.
Zero Trust also requires a shift in mindset, which is where training and awareness come into play. Organisations should understand that Zero Trust requires ongoing effort to help people change their mindset, so they don’t assume trust in any given situation.
Arrow partners with leading security vendors to deliver the solutions needed to deploy a full Zero Trust architecture.
From identity management and access control to discovery and monitoring and more, our security portfolio is unsurpassed.