News

Zero trust model key to security success, says Forrester

Warwick Ashford

In most companies, the principles of network confidentiality, integrity and availability are not balanced at all, says John Kindervag, principal analyst at Forrester Research.

“Availability is almost always more important than the other two because that is what service-level agreements (SLAs) are built on,” he told Forrester’s forum for risk and security professionals in London.

“What is worse, ‘confidentiality’ more often than not becomes ‘compromise’ and in many cases businesses are not even aware,” Kindervag said.

Studies have shown that between 66% and 90% of data breaches are identified not by organisations that are breached, but by third-party organisations.

A related problem, said Kindervag, is that availability is often mistaken for security. “Because there is good network availability, businesses assume there can be no compromised to security,” he said.

The disconnect between the security and network operations teams is at the heart of the problem, said Kindervag, because their incentives are not aligned.

“But the world has changed and we cannot carry on doing things the way we did in the 70s and 80s,” he said.

Kindervag said the most important thing that organisations need to understand is that the focus should no longer be on the network but on the data, and on how to deliver the right data to the right person on the right device in a secure way.

A new “zero trust model” is the key to security success, according to Kindervag because it identifies that the fundamental problem with the old way of doing network security is treating anything outside the network as “untrusted” and everything inside the network as “trusted”.

With aging networks due for a refresh, he believes this presents the opportunity to not only redesign networks for today's critical workloads and technology transformations such as virtualisation, but also to take a unified approach to both networking and security.

In a “zero trust” approach, networks are designed to enable segmentation of resources and access monitoring, but to also share functionality and global policies.

“Segmentation is based on how data is being used, which enables the aggregation of similar virtual machines and the ability to secure virtual machines by default,” said Kindervag.

This approach enables organisations to protect certain key data types, but at the same time it is extensible and flexible, while allowing essential controls to built in, he said.

“This approach allows all users to access the network, but not all users to access all data, thus enabling mobility, high availability and the use of cloud infrastructures without compromise to security,” said Kindervag.

Improved communications between the network operations and the security teams is essential for implementing this approach, he said, as is education and training around the concept of zero trust and aligning incentives for all teams involved.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy