Zero Trust: a matter of trust for a world without perimeters
The classic approach to corporate security has traditionally been based on three assumptions: that all devices used to access resources belong to the company, that all users, equipment and applications are in a specific and predictable place, and that all corporate systems can trust each other. Over the years, however, it has become clear that this approach is not enough. The increase in remote work, the relocation of users, the growth of cloud applications and the increase in collaboration are just some of the ingredients that make another approach, another security model, necessary.
The invisible line that we draw between what belongs to the company and what does not (servers, desktops, applications or access) traditionally depended on technologies that protect the network or the device.
But you only have to look at some of the latest cases of cyberattacks and security incidents that have affected all kinds of companies to realize that this is not enough.
The perimeter is becoming more and more fuzzy, sometimes even non-existent, so we should think of it as any place where an access control decision can be made. This is one of the bases of the Zero Trust model, which makes us question our decisions every time there is an access attempt.
This philosophy rests on other fundamentals as well: visibility and information are what security policies are built from, ownership is not synonymous with control, and access decisions are based on re-establishing trust over and over again.
Implementing this model also makes security transparent to the person using the technology, and it provides simplicity by minimizing effort through automation, orchestration and integration.
The Zero Trust model enables greater visibility across users, devices, containers, networks, and applications by verifying the security status of each access request.
In this way, it is possible to reduce the organization's attack surface, segmenting resources and granting only the necessary permissions and traffic.
In short, it makes it harder for attackers to obtain what they are looking for: credentials, access, lateral movement through systems.
Users can have a more productive and secure experience no matter where they are physically, what devices they are using, or whether the applications are on-premises or in the cloud.
Absolute security has always been an impossible goal, but we need to adopt new frameworks that really minimize the risks. We live in a world transformed by digitization, which has created a dynamic environment. These factors must be taken into account.
In fact, NTT's latest report, the "Global Threat Intelligence Report 2021", points out that a 300% increase in attacks directed at different sectors has been detected, largely due to companies' digitalization processes, teleworking and remote access.
Check and keep checking
In this context, rapid digitization has also enlarged the attack surface exposed to cyberattacks. The rapid adoption of cloud services and applications is also influencing the type of attacks and vulnerability exploits that we are going to see.
Phishing attacks, for example, have traditionally exploited one of the company's vulnerabilities: human behavior.
The rise in phishing attacks has been significant over the last few months and years, as has the rise in ransomware attacks delivered through the device of a user who is unaware that they have downloaded malware from an email attachment or link.
This risk has continued (and will continue) to increase as this type of service scales through connections from multiple places.
The objective for companies is to keep raising employees' awareness of these matters, while providing security solutions that prevent this type of incident.
Another of the main challenges is that, without early detection, visibility or continuous verification, once an attacker has gained access we are assuming that we can trust them.
In this environment, sophisticated attackers have time to plan more dangerous attacks, so it is vital that a continuous verification model is applied.
Protecting the entrances
Is the user who they say they are? Do they have access to the right applications? Is this device safe? Is it trustworthy? Organizational security teams must be able to answer these and other questions to establish trust and allow access to corporate resources. Beyond that, they need to do it with an approach that balances security and usability.
In this regard, it is interesting to consider certain elements in the implementation process of the Zero Trust model to secure employees.
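The questions above, asked again on every request rather than once at login, can be sketched as a small policy decision function. This is an added example, not code from the original article; the thresholds, field names, entitlement table and timeline are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# All thresholds, names and records below are assumptions constructed for this example.
MAX_AUTH_AGE = 900       # seconds before the user must prove identity again
MAX_POSTURE_AGE = 300    # seconds before a device health report is considered stale
ENTITLEMENTS = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}

@dataclass
class Posture:
    company_owned: bool
    patched: bool
    disk_encrypted: bool
    reported_at: float

@dataclass
class Request:
    user: str
    app: str
    device_id: str
    authenticated_at: float  # time of the last strong authentication
    now: float

def decide(req: Request, postures: dict) -> tuple:
    """Evaluate one request from scratch; an earlier 'allow' grants nothing."""
    # Is the user who they say they are? Identity proof expires.
    if req.now - req.authenticated_at > MAX_AUTH_AGE:
        return (False, "reauthenticate")
    # Do they have access to this application? Least privilege per app.
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return (False, "not entitled")
    # Is the device safe? Ownership is not control: only a fresh health report counts.
    posture = postures.get(req.device_id)
    if posture is None or req.now - posture.reported_at > MAX_POSTURE_AGE:
        return (False, "posture unknown or stale")
    if not (posture.patched and posture.disk_encrypted):
        return (False, "device unhealthy")
    return (True, "ok")

def replay() -> list:
    """Constructed timeline: the same laptop loses its patch status mid-session."""
    postures = {"laptop-1": Posture(True, True, True, reported_at=0)}
    out = [decide(Request("alice", "payroll", "laptop-1", 0, 60), postures)]
    postures["laptop-1"] = Posture(True, False, True, reported_at=200)
    out.append(decide(Request("alice", "payroll", "laptop-1", 0, 240), postures))
    out.append(decide(Request("bob", "payroll", "laptop-1", 0, 240), postures))
    out.append(decide(Request("alice", "wiki", "laptop-1", 0, 1000), postures))
    return out

if __name__ == "__main__":
    print(replay())
```

The second decision in the timeline is the one a perimeter model misses: the user, the session and the company-owned laptop are unchanged, yet access is withdrawn because the device's reported state changed.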
Zero Trust and security by design
By maintaining trust in your site, you take a lot of uncertainty out of protecting your infrastructure, including all mobile devices, from all potential threats. This is a vital aspect to take into account: the latest Cisco CISO Benchmark Study highlights that more than 52% of companies admit that mobile devices are extremely difficult to secure.
Zero Trust is a forward-thinking, pragmatic model that can help build effective security across the architecture—from the workforce, to workloads, to everywhere.
It is a model that fits perfectly with, and should be implemented alongside, a security-by-design approach, one that includes security as a fundamental element of every process from the ground up.