Businesses are readily adopting a “zero trust†security architecture thanks to sophisticated cybersecurity threats and evolving regulations, Technologies such as encryption, multifactor authentication and other system permissions must be incorporated in the modern enterprise to keep data safe and confidential.
The security environment continues to change dramatically for every enterprise and government organization. The prevalence of always-on, mobile and remote working has given rise to more employees communicating and collaborating from beyond the corporate firewall. As such, the idea of a security perimeter is no longer one big cover when devices are constantly in motion – rather, businesses now operate across a perimeter-free ecosystem.
The shift in how we work has led to the concept of ‘zero-trust’ taking hold as the best approach to secure business data and stay compliant to various regulations. Traditional security models assume that everything within an organization’s network can be trusted by default. In contrast, the zero-trust framework is an alternative architecture for IT security, operating on the premise that anything inside or outside of a corporate network – including data, devices, systems and users – is a security risk and must be checked and verified before being granted access.
The concept of zero-trust is not new – it was first introduced by analyst firm Forrester Research almost a decade ago. However, businesses are increasingly adopting this model to minimize potential data leaks and breaches. The statistics against the end user are staggering – for example, one study found that 91% of cyberattacksOpens a new window begin with spear phishing emails, while another found that 47% of business leadersOpens a new window said human error had caused a data breach at their companies. By providing access to information on a need-to-know basis for employees, organizations are looking to protect their systems as attacks become more sophisticated.
Trust no one – and one size doesn’t fit all
As organizations consider shifting from a conventional static, perimeter-based framework to a zero-trust security model, what do they need to do to be successful? Some critics argue that this transformation requires an entire rip and replace of the security network, while others believe that small steps can be taken to deploy tools on top of the existing infrastructure.
Whatever approach an organization takes, it should first develop its goals and roadmap to protect its mission-critical data. It’s important to comprehensively evaluate the user experience, by understanding who its users are, what apps and systems they are using, and what kinds of access they need. Given that employees are increasingly working across disparate and distributed teams, it’s also critical to ensure that access can be provided in both a controlled and compliant manner.
While there is no one-size-fits-all for implementing a zero-trust model, this architecture typically draws on technologies such as multifactor authentication, identify access management, encryption, orchestration, analytics and other system permissions. Zero-trust requires a holistic assessment of how to secure every app, device and user, not forgetting that this should also be done in a scalable way, as new users and technologies are introduced into the corporate infrastructure in the future.
Comply, don’t deny
One of the biggest drivers for zero-trust today is the continual evolution of new regulations into the workplace. For example, GDPR has established strict controls for managing, deleting and auditing personally identifiable information, with the regulation requiring all businesses to report certain types of personal data breaches within 72 hours. While GDPR focuses on European Union citizens, it has wide-reaching implications to any global enterprise.
What’s concerning is that despite more than one year passing since GDPR was introduced, only 27% of U.S. companies are compliant – a tiny 3% increase from the year prior, with the majority of issues stemming from right to access rules. Unless an organization has established the right processes for fully understanding its assets, it is ill-equipped to handle any potential data breaches that could occur – and to deal with any new proposed legislation relating to data privacy and security in the future.
For example, in the U.S. the Corporate Executive Accountability Act aims to “establish criminal liability for negligent executive officers of major corporations… that affects the health, safety, finances or personal data†of individuals. The Act proposes that CEOs should be personally liable for any failure to protect consumers on information shared with organizations. Following a steady spate of high-profile data breaches over the last few years – from Target to Equifax – there’s greater public concern that not enough is being done to uphold consumer trust in data protection. As regulations continue to evolve, the stakes are higher for corporate executives to understand how its data is stored, shared and accessed – lest they face the consequences as a business and individual.
The future of trust
As organizations advance their security strategies, the zero-trust model elevates an enterprise’s approach from one focused on products and network segmentation to a more comprehensive and holistic architectural design.
Since every organization is different, it’s critical to take the necessary steps to comprehensively understand the IT environment and user experience to then lay the groundwork for any potential business, technology, and regulatory challenges. By embracing the zero-trust model, enterprises can benefit from a more dynamic and modern architecture to address the needs of the perimeter-free workplace.