The cybersecurity risks posed by the COVID-19 pandemic’s disruptions and ever-growing network complexity have certainly not gone unnoticed by executives.
In a recent Deloitte survey of C-suite executives, 72% said their organizations experienced between one and 10 cyber incidents and breaches in the last year alone. This type of persistent threat – and the inability of organizations to prevent cyber break-ins from happening – is more than enough to foster a deep sense of distrust among executives.
To trust, or not to trust
That sense of distrust is likely a major reason why the term “zero trust” has so much appeal to frustrated CEOs and CFOs: They have in fact lost trust in everyone and everything in their network. When they hear simple refrains like “never trust, always verify,” executives are all-in and instruct their security teams to go make it happen — ideally sooner rather than later.
For information technology managers and security professionals, however, zero trust often evokes a different emotion: hate. The chief executive officer loves the concept because of its relative simplicity and wants to move forward, but the reality is that figuring out how to implement zero trust is anything but a simple endeavor.
It requires a fundamental shift from guarding the network perimeter exclusively to a security model where internal and external users alike are repeatedly checked and authenticated before they are allowed to have access to a given resource. It’s as much a shift in philosophy as it is about incorporating new technology.
But whether zero trust brings feelings of comfort or despair, there’s little question that it represents the future of network security. We now live in a hyper-connected world where the concept of a perimeter has essentially dissolved for most modern enterprises.
Moreover, threats are becoming increasingly sophisticated. Outsiders testing outer firewalls for a way in have been replaced by targeted phishing attacks, malware and other techniques that can be used to turn an insider – a trusted user or application – into an attack vector. The most impregnable outer security perimeter can do little to guard against such threats.
Cities, not castles
In the past, networks were like castles, but in an era of the “internet of things” and remote work, networks are more like cities where security teams have to think like mayors, not feudal lords. Mapping, coordination and preparation now take precedence over building stone walls. And this is at the heart of the challenge facing organizations looking to make the move.
Although zero trust has value across all industries and sectors, there is no one-size-fits-all solution. Zero trust requires a multiyear commitment to identify relevant business drivers, existing capabilities, and the most relevant use cases. It requires working through multiple layers including workforce security and trust, devices, data and applications as well as the network itself.
Unlike a pure technology solution, zero trust also requires broad culture change. For this reason, organizations need to look past technology and embrace softer factors like communications, training programs, awareness and operational process adjustments. Strategies must also be aligned to the business and fully supported by leadership and key stakeholders.
Coupled with the growing interest and recognition of the need for zero trust have come new tools and solutions designed to give organizations an easier onramp to zero trust environments. The latest tools can extend protection all the way from users to workloads and span cloud and on-premises networks.
The hard work involved with understanding applications and users doesn’t go away, but the implementation aspects are starting to become more streamlined. Ultimately, the goal is for visibility and enforcement to extend fully across every point of connection on the network.
Even though zero trust is a deceptively simple concept – trust no users, devices or applications – creating the underlying architecture to support it is no trivial effort. Love it or hate it, zero trust nonetheless points the way forward to a more secure future.
Kate Adam is senior director of security product marketing at Juniper Networks Inc. She wrote this article for SiliconANGLE.