It’s unfortunate, yet painfully true, that we live and work in a world in which trust is a quaint, almost archaic, quality. Nowhere is this more true than in the business world, which has grown wholly dependent on its IT infrastructures and systems. Digital transformation has rendered security strategies that were built around protecting the perimeter of an enterprise no longer adequate, especially in IT ecosystems in which there really are no well-defined edges anymore.
Security becomes much more challenging when a company’s IT infrastructure extends beyond the walls of its building(s), with its networks connecting to customers, partners and third parties whose IT assets reside around the globe and in multiple public or private clouds.
Suddenly, it becomes relatively easy for hackers to access a company’s applications and data. Traditional perimeter defenses (often referred to as edge security) aren’t very effective. An organization’s anti-virus software, firewalls, user authentication programs and other long-standing security methodologies just aren’t a match for bad actors, foreign government agencies and others who spend their lives looking for ways into IT infrastructures to seize the data and other valuables that lie within.
As a result, data breaches and other malicious exploits proliferate. You may remember the ransomware attack on the Colonial Pipeline Company in 2021 that caused fuel shortages across the U.S. Hackers accomplished that with the use of a single password.1 Or the Solar Winds attack that exploited a routine software update and compromised about 100 companies (including Microsoft, Intel and Cisco) and about a dozen government agencies including the U.S. Treasury, Department of Justice, Department of Energy and the Pentagon.2 Or the 2021 data leak that exposed personal data belonging to more than 100 million Android users due to misconfigured cloud services.3
What is Zero Trust?
In 2010, Forrester research analyst John Kindervag introduced a new concept, which he called “zero trust.”4 In a nutshell, his concept rearranged the old maxim “trust but verify” into “never trust, always verify.” That means continuous identity verification of users, whether they are inside or outside your network perimeter. It requires monitoring of their activity to detect any unusual work patterns or areas of access, and the same for all devices being used.
Zero trust assumes that every user and device is a potential threat until proven otherwise. That sounds extreme but, unfortunately, it’s necessary. Assuming otherwise based on recognizing passwords, users and devices that have previously accessed your infrastructure before can cost you dearly.
Traditional Edge Security Solutions Are No Longer Enough
With the expansion of organizations’ infrastructures beyond the walls of buildings and into hybrid deployments including multiple public and private clouds, infrastructures are now essentially edgeless. So, traditional perimeter solutions are becoming less and less effective. Data breaches and other malicious exploits can be devastating. Consider the following:
- A cyberattack occurs every 39 seconds5
- Data breaches exposed 22 billion records in 20216
- The average cost of a data breach in 2021 was $4.24 million – the highest average on record7
- 34%of data breaches in 2018 involved internal actors8
- It took an average of 287 days to identify a data breach 9
- The average time it took to contain a data breach was 80 days 10
- By 2025, global cybercrime is estimated to cost $10.5 trillion per year, increasing by 15% year over year11
- 68% of business leaders feel their cybersecurity risks are increasing12
- On average, only 5% of companies’ folders are properly protected13
- Organizations with a zero-trust approach saw average breach costs of $1.76 million less than organizations without14
What Can You Do To Implement Zero Trust?
We don’t want to ignite paranoia across your organization, but it’s important to understand that effective cybersecurity requires constant vigilance.
Here are some more fleshed out principles you can use as you consider how to implement a zero trust strategy across your IT infrastructure:
- It’s critical to increase vigilance, employing automation wherever possible given the ever-growing number of bad actors working tirelessly to penetrate IT enterprises that now have so many more attack surfaces.
- Grant users and devices “least-privilege” access to your entire infrastructure and review and update those privileges only as often as necessary.
- Assume all attempts to access your IT infrastructure are potentially threatening.
- Authenticate, authenticate, authenticate. One time authentication that then allows users and devices to roam freely around your infrastructure is an open door to trouble.
- Secure your data at all times – at rest, in transit and in use.
- Regularly review your cybersecurity policies and analyze and update them as threats require.
Zero Trust Is A Framework, Not A Product
While it would be convenient if there was a single zero trust product that could be quickly and easily deployed, that’s just not the case. Zero trust is a framework, not a product. It lays out a number of tenets that, when vigorously applied, can significantly reduce damage to your organization and reputation.
Understanding what zero trust is and how its underlying principles can apply to your organization is an important step forward toward a more secure IT infrastructure. From there, you can create a multi-disciplinary team including data security, network security, user and device authentication and other pertinent experts to create a zero trust implementation to protect your ever evolving IT enterprise.
You may need outside assistance with such an initiative and there are companies that focus on the various types of capabilities that together can deliver zero trust security solutions. You can find some on CoreSite’s IT Service Provider Marketplace, including:
However you choose to proceed, the key to success is to get started now (if you haven’t already) and to make zero trust a top priority.