It’s Time to Move to Zero Trust Security

It’s unfortunate, yet painfully true, that we live and work in a world in which trust is a quaint, almost archaic, quality. Nowhere is this more true than in the business world, which has grown wholly dependent on its IT infrastructures and systems. Digital transformation has rendered security strategies that were built around protecting the perimeter of an enterprise no longer adequate, especially in IT ecosystems in which there really are no well-defined edges anymore.

Zero trust begins with monitoring network activity to detect any unusual work patterns, areas of access and all devices. CoreSite’s IT Service Marketplace ecosystem includes several organizations that focus on enterprise cybersecurity.

Security becomes much more challenging when a company’s IT infrastructure extends beyond the walls of its building(s), with its networks connecting to customers, partners and third parties whose IT assets reside around the globe and in multiple public or private clouds. 

Suddenly, it becomes relatively easy for hackers to access a company’s applications and data. Traditional perimeter defenses (often referred to as edge security) aren’t very effective. An organization’s anti-virus software, firewalls, user authentication programs and other long-standing security methodologies just aren’t a match for bad actors, foreign government agencies and others who spend their lives looking for ways into IT infrastructures to seize the data and other valuables that lie within.

As a result, data breaches and other malicious exploits proliferate. You may remember the ransomware attack on the Colonial Pipeline Company in 2021 that caused fuel shortages across the U.S. Hackers accomplished that with the use of a single password.[1] Or the SolarWinds attack that exploited a routine software update and compromised about 100 companies (including Microsoft, Intel and Cisco) and about a dozen government agencies including the U.S. Treasury, Department of Justice, Department of Energy and the Pentagon.[2] Or the 2021 data leak that exposed personal data belonging to more than 100 million Android users due to misconfigured cloud services.[3]

What is Zero Trust?

In 2010, Forrester research analyst John Kindervag introduced a new concept, which he called “zero trust.”[4] In a nutshell, his concept rearranged the old maxim “trust but verify” into “never trust, always verify.” That means continuous identity verification of users, whether they are inside or outside your network perimeter. It requires monitoring of their activity to detect any unusual work patterns or areas of access, and the same for all devices being used.

Zero trust assumes that every user and device is a potential threat until proven otherwise. That sounds extreme but, unfortunately, it’s necessary. Assuming otherwise because you recognize passwords, users and devices that have previously accessed your infrastructure can cost you dearly.

Traditional Edge Security Solutions Are No Longer Enough

With the expansion of organizations’ infrastructures beyond the walls of buildings and into hybrid deployments including multiple public and private clouds, infrastructures are now essentially edgeless. So, traditional perimeter solutions are becoming less and less effective. Data breaches and other malicious exploits can be devastating. Consider the following: 

  • A cyberattack occurs every 39 seconds [5]
  • Data breaches exposed 22 billion records in 2021 [6]
  • The average cost of a data breach in 2021 was $4.24 million – the highest average on record [7]
  • 34% of data breaches in 2018 involved internal actors [8]
  • It took an average of 287 days to identify a data breach [9]
  • The average time it took to contain a data breach was 80 days [10]
  • By 2025, global cybercrime is estimated to cost $10.5 trillion per year, increasing by 15% year over year [11]
  • 68% of business leaders feel their cybersecurity risks are increasing [12]
  • On average, only 5% of companies’ folders are properly protected [13]
  • Organizations with a zero-trust approach saw average breach costs of $1.76 million less than organizations without [14]

What Can You Do To Implement Zero Trust?

We don’t want to ignite paranoia across your organization, but it’s important to understand that effective cybersecurity requires constant vigilance.

Here are some more fleshed-out principles you can use as you consider how to implement a zero trust strategy across your IT infrastructure:

  • It’s critical to increase vigilance, employing automation wherever possible given the ever-growing number of bad actors working tirelessly to penetrate IT enterprises that now have so many more attack surfaces.
  • Grant users and devices “least-privilege” access across your entire infrastructure, and review and update those privileges only as often as necessary.
  • Assume all attempts to access your IT infrastructure are potentially threatening.
  • Authenticate, authenticate, authenticate. One-time authentication that then allows users and devices to roam freely around your infrastructure is an open door to trouble.
  • Secure your data at all times – at rest, in transit and in use.
  • Regularly review your cybersecurity policies and analyze and update them as threats require.
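
The principles above, applied as a per-request access decision (an added example, not from the original article or from CoreSite; the role names, resources, 15-minute limit and sample requests are all constructed assumptions). Note that the source address is recorded but never used to grant access, and that an old login is rejected even when everything else checks out:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy values, chosen for illustration only.
MAX_AUTH_AGE = timedelta(minutes=15)  # a one-time login is not trusted forever
GRANTS = {  # least privilege: explicit (role, resource) -> allowed actions
    ("finance-analyst", "ledger-db"): {"read"},
    ("dba", "ledger-db"): {"read", "write"},
}

@dataclass
class Request:
    role: str
    resource: str
    action: str
    source_ip: str          # logged only; network location never grants trust
    mfa_verified: bool
    device_compliant: bool  # e.g. managed, patched, disk-encrypted
    authenticated_at: datetime

def decide(req, now):
    """Evaluate each request on its own merits; anything not allowed is denied."""
    if not req.mfa_verified:
        return False, "identity not strongly verified"
    if now - req.authenticated_at > MAX_AUTH_AGE:
        return False, "authentication too old, re-authenticate"
    if not req.device_compliant:
        return False, "device failed posture check"
    if req.action not in GRANTS.get((req.role, req.resource), set()):
        return False, "no explicit grant for this action"
    return True, "allowed"

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def sample(**overrides):
    """Constructed sample request (not real data); override fields per case."""
    base = dict(role="finance-analyst", resource="ledger-db", action="read",
                source_ip="10.0.0.5", mfa_verified=True, device_compliant=True,
                authenticated_at=NOW - timedelta(minutes=5))
    base.update(overrides)
    return Request(**base)

if __name__ == "__main__":
    cases = {
        "fresh login, internal address": sample(),
        "fresh login, external address": sample(source_ip="203.0.113.9"),
        "login from eight hours ago": sample(authenticated_at=NOW - timedelta(hours=8)),
        "write without a grant": sample(action="write"),
        "non-compliant device": sample(device_compliant=False),
    }
    for label, req in cases.items():
        print(f"{label}: {decide(req, NOW)}")
```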

Zero Trust Is A Framework, Not A Product

While it would be convenient if there were a single zero trust product that could be quickly and easily deployed, that’s just not the case. Zero trust is a framework, not a product. It lays out a number of tenets that, when vigorously applied, can significantly reduce damage to your organization and reputation.

Understanding what zero trust is and how its underlying principles can apply to your organization is an important step toward a more secure IT infrastructure. From there, you can assemble a multi-disciplinary team including data security, network security, user and device authentication and other pertinent experts to create a zero trust implementation to protect your ever-evolving IT enterprise.

You may need outside assistance with such an initiative and there are companies that focus on the various types of capabilities that together can deliver zero trust security solutions. You can find some on CoreSite’s IT Service Provider Marketplace, including:

However you choose to proceed, the key to success is to get started now (if you haven’t already) and to make zero trust a top priority.

1. 166 Cybersecurity Statistics and Trends [updated 2022], Rob Sobers

2. A 'Worst Nightmare' Cyberattack: The Untold Story of The SolarWinds Hack; All Things Considered, NPR

3. 166 Cybersecurity Statistics and Trends [updated 2022], Rob Sobers

4. Zero Trust Security Model – What is Zero Trust?, Akamai.com

5. Study: Hackers Attack Every 39 Seconds, University of Maryland

6. Risk Based Security; 2021 Year End Data Breach QuickView Report

7. How Much Does A Data Breach Cost In 2022, IBM

8. 2019 Data Breach Investigations Report, Verizon

9. Cost of a Data Breach Report 2000, IBM

10. Ibid

11. Cybercrime to Cost The World $10.5 Trillion Annually By 2025, Cybercrime Magazine, November 13, 2020

12. The Cost of Cybercrime, Accenture with the Ponemon Institute, 2019

13. 166 Cybersecurity Statistics and Trends [updated 2022], Varonis

14. Ibid

Scot Hartman

Senior Director InfoSec and IT Operations

Scot is Sr. Director of Information Security and IT Operations at CoreSite and has more than 25 years working in IT, including information security, network architecture and data center operations. 
