Etay Maor is Senior Director, Security Strategy for Cato Networks, a developer of advanced cloud-native cybersecurity technologies.
The rising severity and frequency of cyberattacks and data breaches indicate that current approaches to cybersecurity are ineffective against modern cyber threats.
This is because most organizations are heavily focused on perimeter-based security—building defenses around specific security locations to prevent threats from entering the network. This approach also assumes that everyone inside the network is trusted and should have access to all resources. Unfortunately, this is very much an outdated concept.
Many employees are accessing corporate resources from outside of the perimeter, and applications that were once hosted inside an organization’s data center are now hosted on the public cloud. Furthermore, a perimeter-based approach does not have visibility into anything that’s happening inside the corporate perimeter. In the case of an attacker using stolen credentials to infiltrate an organization or breaching defenses through a vulnerable supply chain partner, perimeter-based security does not offer protection or visibility.
One of the best ways to overcome these shortcomings is by deploying a zero-trust architecture (ZTA).
What Is Zero Trust?
Zero trust is a security model that does not trust any user or application by default. Zero trust assumes that the network is already compromised and that trust needs to be reassessed and reestablished. In other words, it’s a system that denies everyone and everything until the identity of the user is confirmed and the context of the request is established.
Compared to a traditional model where authenticated users receive implicit access to all resources, a zero-trust model authorizes access only to specific resources, and only after the request is verified against a set of attributes such as an identity, a fingerprint, job role, etc.
Why Do Organizations Need Zero Trust?
A zero-trust model can help improve an organization’s security posture in many ways that legacy security approaches cannot. Benefits include:
• Reducing the risk of privilege escalation. Zero trust allows network administrators to define extremely granular policies around sensitive resources and erect micro-perimeters around specific applications and workloads. This prevents attackers from moving laterally and inflicting further damage to the organization.
• Stopping insider threats. Legacy security solutions cannot prevent attacks from malicious insiders, nor can they provide in-depth visibility into their activities. Zero trust can ensure that each user does not have more access than necessary and can also provide granular visibility on each and every user activity.
• Locking down cloud access. Zero trust restricts access to cloud applications based on business requirements. Since every user or application is subject to clearly defined access permissions, only authorized users or applications will be permitted to access those cloud environments.
Which Technologies Help Enable A Zero-Trust Architecture?
Zero trust isn’t a specific technology, per se, but a foundation on which the entire security stack resides. While zero trust can mean different things to different organizations, there are a number of core technologies that are designed to enable it, including:
1. Zero Trust Network Access: ZTNA helps set up a software-based perimeter that defines which data centers, environments or applications a user can access. It allows organizations to break down networks into smaller zones (i.e., micro-segmentation), which is an effective way to control the lateral movement of attackers.
2. Identity and Access Management: IAM systems help enforce least privilege access across the business, from users to contractors to customers. One can also enforce granular permissions that are based on the time and geolocation of users.
3. Secure Access Service Edge: SASE makes it easier to implement and manage zero trust because it packages technologies like ZTNA, firewall as a service, secure web gateway, cloud access security broker (CASB) and SD-WAN under a single console and managed service offering.
4. Security Orchestration, Automation and Response: SOAR helps analyze anomalous traffic and derives actionable information from siloed security tools. It helps automate manual security processes and improve response times.
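The default-deny decision described under "What Is Zero Trust?", combined with the time- and geolocation-based permissions mentioned for IAM, can be sketched as a small policy check. This is an added example, not code from the article or from any product it names; the users, device fingerprints, resources and rule fields are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool   # identity confirmed upstream (assumed input)
    role: str
    device: str           # device fingerprint presented with the request
    country: str
    at: time              # local time of the request
    resource: str

@dataclass(frozen=True)
class Rule:
    roles: frozenset
    countries: frozenset
    start: time
    end: time

# Constructed sample data: one rule per micro-perimeter, plus enrolled devices.
POLICY = {
    "payroll-db": Rule(frozenset({"finance"}), frozenset({"US"}), time(8), time(18)),
    "wiki": Rule(frozenset({"finance", "engineering"}), frozenset({"US", "DE"}), time(0), time(0)),
}
ENROLLED = {"alice": {"fp-a1"}, "bob": {"fp-b7"}}

def in_window(t, start, end):
    if start == end:                      # equal bounds mean "all day"
        return True
    if start < end:
        return start <= t < end
    return t >= start or t < end          # window wraps past midnight

def evaluate(req, policy=POLICY, enrolled=ENROLLED):
    """Return (allowed, reason); every path that is not an explicit allow denies."""
    if not req.authenticated:
        return False, "identity not confirmed"
    if req.device not in enrolled.get(req.user, set()):
        return False, "unrecognized device"
    rule = policy.get(req.resource)
    if rule is None:                      # no rule means no access, not open access
        return False, "no policy for resource"
    if req.role not in rule.roles:
        return False, "role not permitted"
    if req.country not in rule.countries:
        return False, "location not permitted"
    if not in_window(req.at, rule.start, rule.end):
        return False, "outside permitted hours"
    return True, "allowed"
```

Logging the returned reason for each denial gives the per-request visibility that a perimeter-only model lacks.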
How Can Businesses Get Started With Zero Trust?
To achieve zero-trust maturity, organizations must learn to walk before they can run. Below are some basic steps to kick-start the zero-trust journey:
1. Identify critical data, processes and services as well as sensitive data flows.
2. Formalize your plan, policies and framework to implement zero trust.
3. Identify and deploy tools that can help achieve your immediate zero-trust goals. ZTNA or SASE are recommended, as these can significantly accelerate your journey to zero trust.
4. Build micro-perimeters around sensitive data, applications or services, and implement access controls based on the principle of least privilege. Lock down remote access.
5. Continuously monitor your endpoints, gateways and sensitive data flows for vulnerabilities, weaknesses, signs of a potential attack, or breach and compliance failures.
6. Keep fine-tuning and tightening your zero-trust policies and controls as you learn about user behavior, security vulnerabilities and security incidents.
Gartner Inc. predicts that by 2025, 60% of organizations will embrace zero trust but that more than half will fail to realize its benefits. This is because the model isn’t just a shift from legacy perimeter-based security to advanced location-agnostic security; it also represents a shift from the legacy mindset of implicit trust to one that is focused on identity and context.
This is why it’s important for organizations to consider technologies like IAM, SASE and SOAR that are not only purpose-built around identity and context but can also provide end-to-end visibility and control across the entire enterprise.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.