Zero trust remains one of the best ways for companies to reduce total risk. By knowing the potential risk of any request — both inside and outside the enterprise network — rather than assuming good intentions, companies can limit potential attacks.
Deploying a zero trust framework at scale, however, may cause frustration. It increases operational complexity and reduces overall productivity even as it boosts security. But with the majority of staff members now working from home — and many likely to remain at least partially remote in the future — zero trust is more important than ever.
So, what does this model look like? How do enterprises find a balance between speed and safety to help reduce the friction of zero trust initiatives — all without increasing risk?
What is Zero Trust?
Never trust, always verify. This is the essence of zero trust.
According to John Kindervag, creator of the zero trust model, the framework offers a simple way for companies to improve overall protection.
“When every user, packet, network interface and device is untrusted,” he says, “protecting assets becomes simple.”
As noted by IBM Vice President and CISO Koos Lodewijkx, however, zero trust environments are now evolving. Zero trust is no longer something enterprises have, it’s something they do.
Learn more on zero trust
Three Components of Zero Trust
In practice, this means creating a culture of zero trust that puts security over speed when it comes to approving access requests or granting data permissions. To achieve this goal, think of these three key components:
1. Architecture
Network design is essential for zero trust success. Specifically, companies must prioritize the development and deployment of microsegmented network architectures that both limit the scope of potential compromise and make it easier to manage zero trust solutions.
2. Assessment
Effective assessment of user behavior within the zero trust landscape is also critical. Many security systems now include effective two-factor authorization and other verification tactics. But enterprises must also integrate behavioral assessment — such as users logging in from a new location outside normal working hours — to reduce total risk.
3. Automation
Expanding cloud and mobile networks make it impossible for even expert teams to keep pace with potential threats. As a result, automation of front-line tasks with solutions such as machine learning or robotic process automation are critical.
The challenge? Maintaining the essential simplicity of zero trust while addressing the need for a more in-depth approach to protect evolving networks.
Why Remote Work Lends Itself to Zero Trust
The need for effective and efficient zero trust has never been greater. Security risks are on the rise, Forbes notes. With business leaders focused on making sure their staff are equipped with the right tools and tech to do their jobs, infosec gaps will appear.
Remote work itself also poses challenges for companies used to the familiar frameworks and connective confines of on-site networks.
Anytime, Anywhere, Any Device Access
The pandemic means companies now allow users to access corporate networks anytime, anywhere. And there’s no putting this approach back in the box. Employees and consumers are now used to this level of access. From a defense perspective, however, the sheer volume of access points presents a zero trust minefield.
Shifting Attack Surfaces
The move to remote work has caused a major shift in attack surfaces. With remote work and collaboration apps now essential to enterprises, threat actors found an entirely new world to exploit.
Hybrid Work Hangups
According to a recent PWC survey, while 75% of employers expect at least half of their staff will be back in the office by July 2021, just 61% of employees say the same. No matter how it all shakes out, however, the fact remains that hybrid work — the need for both in-office and at-home access — isn’t going away. From a zero trust perspective, however, there’s potential for hybrid hangups as network protection needs double.
Bigger Phish to Fry
Phishing and ransomware attacks are also on the rise. Cyber criminals look to combine social engineering and crisis operations to compromise business emails, deploy malicious code and even take advantage of users with fake vaccine campaigns. With attackers now casting as many lines as possible into corporate IT pools, robust zero trust is more important than ever.
How Context Reduces Frustrating Complexity
For Aarti Borkar, vice president for IBM Security, context is critical to effectively deliver on the potential of zero trust. While “never trust, always verify” forms the foundation of up-front zero trust access solutions, she expands the definition to include the key component of verification, noting “the right person, the right data, the right time, the right context makes all the difference in the world.”
This means getting the bigger picture when it comes to trust-based decision making. By going beyond login and resource requests to consider the larger context of user operations — such as where requests originate from, what time they occur and how the data is being used — enterprises can create zero trust models that are permissive where possible and restrictive where needed to offer both performance and protection.
For Borkar, this context is critical to help companies move from perceived trust to quantifiable trust. In effect, it creates a framework where trust is earned, rather than assumed. It sets the stage for reduced friction and complexity without reducing security.
The Human Element
She notes that outside the world of digital defense, human connections are governed by trust. Over time, both specific people and the data they provide can establish a framework of trust based on context. When it comes to IT security, meanwhile, enterprises don’t always have the luxury of interacting with users at an individual level.
Instead, context is based on a users’ specific role within the organization, the current projects they’ve been assigned and what resources they need to complete day-to-day tasks. In addition, behavioral information such as when and where users commonly log on and access key systems can also be used to help contextualize trust. The result?
“When we get down to the specifics of ensuring the right people can get to the right data, which inherently means that the wrong people can’t, and the right people can get access to only the data that matters to them, and then we’re looking at the circumstances and the timing of when they access that data, it starts making this construct of trust that we have a bit more quantifiable,” Borkar says.
Zeroing in on Context
Zero trust offers a way for enterprises to embrace the hybrid work expectations of 2021 without compromising critical protection. The caveat? Context.
To deliver on the dual potential of simplicity and security, companies must deploy context-first frameworks that ensure the right people have the right access to the right data at the right time — and for the right reasons.