It’s unfortunate, yet painfully true, that we live and work in a world in which trust is a quaint, almost archaic, quality. Nowhere is this more true than in the business world, which has grown wholly dependent on its IT infrastructures and systems. Digital transformation has rendered security strategies that were built around protecting the perimeter of an enterprise no longer adequate, especially in IT ecosystems in which there really are no well-defined edges anymore.
Security becomes much more challenging when a company’s IT infrastructure extends beyond the walls of its building(s), with its networks connecting to customers, partners and third parties whose IT assets reside around the globe and in multiple public or private clouds.
Suddenly, it becomes relatively easy for hackers to access a company’s applications and data. Traditional perimeter defenses (often referred to as edge security) aren’t very effective. An organization’s anti-virus software, firewalls, user authentication programs and other long-standing security methodologies just aren’t a match for bad actors, foreign government agencies and others who spend their lives looking for ways into IT infrastructures to seize the data and other valuables that lie within.
As a result, data breaches and other malicious exploits proliferate. You may remember the ransomware attack on the Colonial Pipeline Company in 2021 that caused fuel shortages across the U.S. Hackers accomplished that with the use of a single password.1 Or the Solar Winds attack that exploited a routine software update and compromised about 100 companies (including Microsoft, Intel and Cisco) and about a dozen government agencies including the U.S. Treasury, Department of Justice, Department of Energy and the Pentagon.2 Or the 2021 data leak that exposed personal data belonging to more than 100 million Android users due to misconfigured cloud services.3
In 2010, Forrester research analyst John Kindervag introduced a new concept, which he called “zero trust.”4 In a nutshell, his concept rearranged the old maxim “trust but verify” into “never trust, always verify.” That means continuous identity verification of users, whether they are inside or outside your network perimeter. It requires monitoring of their activity to detect any unusual work patterns or areas of access, and the same for all devices being used.
Zero trust assumes that every user and device is a potential threat until proven otherwise. That sounds extreme but, unfortunately, it’s necessary. Assuming otherwise based on recognizing passwords, users and devices that have previously accessed your infrastructure before can cost you dearly.
With the expansion of organizations’ infrastructures beyond the walls of buildings and into hybrid deployments including multiple public and private clouds, infrastructures are now essentially edgeless. So, traditional perimeter solutions are becoming less and less effective. Data breaches and other malicious exploits can be devastating. Consider the following:
We don’t want to ignite paranoia across your organization, but it’s important to understand that effective cybersecurity requires constant vigilance.
Here are some more fleshed out principles you can use as you consider how to implement a zero trust strategy across your IT infrastructure:
While it would be convenient if there was a single zero trust product that could be quickly and easily deployed, that’s just not the case. Zero trust is a framework, not a product. It lays out a number of tenets that, when vigorously applied, can significantly reduce damage to your organization and reputation.
Understanding what zero trust is and how its underlying principles can apply to your organization is an important step forward toward a more secure IT infrastructure. From there, you can create a multi-disciplinary team including data security, network security, user and device authentication and other pertinent experts to create a zero trust implementation to protect your ever evolving IT enterprise.
You may need outside assistance with such an initiative and there are companies that focus on the various types of capabilities that together can deliver zero trust security solutions. You can find some on CoreSite’s IT Service Provider Marketplace, including:
However you choose to proceed, the key to success is to get started now (if you haven’t already) and to make zero trust a top priority.
1. 166 Cybersecurity Statistics and Trends [updated 2022], Rob Sobers
2. A 'Worst Nightmare' Cyberattack: The Untold Story of The SolarWinds Hack; All Things Considered, NPR
3. 166 Cybersecurity Statistics and Trends [updated 2022], Rob Sobers
4. Zero Trust Security Model – What is Zero Trust?, Akamai.com
5. Study: Hackers Attack Every 39 Seconds, University of Maryland
6. Risk Based Security; 2021 Year End Data Breach QuickView Report
7. How Much Does A Data Breach Cost In 2022, IBM
8. 2019 Data Breach Investigations Report, Verizon
9. Cost of a Data Breach Report 2000, IBM
10. Ibid
11. Cybercrime to Cost The World $10.5 Trillion Annually By 2025, Cybercrime Magazine, November 13, 2020
12. The Cost of Cybercrime, Accenture with the Ponemon Institute, 2019
13. 166 Cybersecurity Statistics and Trends [updated 2022], Varonis
14. Ibid
Scot Hartman
Senior Director InfoSec and IT Operations
Scot is Sr. Director of Information Security and IT Operations at CoreSite and has more than 25 years working in IT, including information security, network architecture and data center operations.
Read more from this author