The cyber security industry has been talking about a zero-trust approach to security for just over a decade, but now it’s time to move towards full implementation because it is more appropriate than ever, and it is rapidly gaining support from suppliers
Several key trends are driving innovation and change in the cyber security market as software, hardware and service providers seek to respond to the changing cyber security needs of businesses operating in a highly competitive global market.
The active adoption of a zero-trust approach to cyber security is one of the greatest of these trends in a rapidly digitising post-Covid world because as users, devices and application workloads move outside the confines of the corporate network, the traditional model of enforcing security at the network perimeter is no longer appropriate.
Organisations are increasingly understanding the importance of adopting an approach to security that ensures data can be accessed by those who need it to do their jobs, regardless of where they are working, while also ensuring the data is protected by enforcing security policies.
Zero trust fits modern cyber security requirements
Zero trust is the most relevant security model in this regard. It fits today’s security requirements well and is growing in popularity. Although the concept of zero trust is not new, it is finally an established paradigm for cyber security thinking in which breach is assumed and all identity and access must be verified.
“In the zero-trust model, no user or device is trusted just because they have been allowed onto the network. Instead, strict user and device authentication and authorisation is required throughout the network to verify the identity and access rights of the person or entity requesting access”
Warwick Ashford, Kuppinger Cole
In contrast to the traditional model, where all users are trusted once past the network perimeter, in the zero-trust model, no user or device is trusted just because they have been allowed onto the network. Instead, strict user and device authentication and authorisation is required throughout the network to verify the identity and access rights of the person or entity requesting access.
Zero-trust security is about granular authentication and contextual authorisation for every request in an environment, whether on-premise, in the cloud, or hybrid, with runtime evaluation of user, device, app and data attributes against access control policies. It is the embodiment of the principle of least privilege by limiting access to only those who require it to do their work, thereby reducing the opportunity for hackers to move laterally through networks.
A survey by KuppingerCole revealed that zero trust was the top concern in 2021 for most information security professionals polled.
Dynamically secures connection between user/device and resource/app.
Makes it easier to provision and enable multicloud hybrid IT access security.
Reduces security threats and lateral attacks within networks.
Improves compliance auditing and insight into access activity.
Zero trust meets SD-WAN
As the working environment becomes more mobile and reliant on cloud applications and data storage, organisations are seeking to apply the zero-trust approach more widely to include branch locations, mobile workers, and internet of things (IoT) and edge deployments.
As a result, a growing number of organisations are embracing or considering a new approach to networking and network security that combines several cloud network and cloud security functions, and delivers them as a single cloud service directly to user devices, branch offices, IoT devices and edge nodes to reduce latency cause by backhauling. This approach is commonly referred to as the secure access service edge (SASE) cloud architecture.
SASE combines software-defined WAN (SD-WAN) capabilities with zero-trust, secure web gateways, cloud access security brokers, firewall-as-a-service, identity as a service (IDaaS), and other security technologies into a single platform. Such platforms are aimed at addressing the need for organisations to enable consistent, dynamic, secure access to sensitive data and applications on an internet scale.
Zero trust meets remote working
The usefulness and importance of the zero-trust approach to security has increased as IT environments have become increasingly distributed.
In the post-Covid era, we expect to see an accelerated adoption of the zero-trust model and SASE services as remote working becomes more common and widespread. A growing number of people will be working remotely, accessing corporate resources and cloud computing services via home Wi-Fi and the internet using privately owned devices and untrusted networks.
The publication of a roadmap for implementing zero trust by the US National Institute of Standards and Technology (SP 800-207) is also expected to help drive adoption by organisations faced with a growing number of compliance requirements to implement “reasonable” security procedures and practices.
Although zero trust is a framework and not a single product or service, cyber security suppliers are increasingly adapting and expanding their product and service offerings to support the adoption of a zero-trust approach, by introducing new platforms, combining existing offerings and even making strategic acquisitions. There is also a growing number of SASE services becoming available.
The relevance and impact of the adoption of zero-trust security can be summarised as follows:
The zero-trust approach to security applies to all organisations seeking to improve security for increasingly distributed workforces and enterprises.
Zero trust is a key architecture paradigm when it comes to securing future computing environments, and enforcing the principle of least privilege based on the assumption that every network, device, and user is hostile.
The impact of zero trust will be to improve security by reducing the risk of unauthorised access and associated data breaches.
As zero trust becomes more common and widespread, there will be an increasing expectation by regulators, partners and customers for organisations to implement this approach to security.
Technology providers are likely to see an increase in demand for security products and services to adhere to and support a zero-trust approach.
Recommendations
In the light of the shifting cyber security requirements in a world that is increasingly becoming digital, distributed, mobile and cloud-based, end user organisations should:
Adopt zero-trust principles to enable workers to access cloud-based and on-premise services securely.
Evaluate their existing set of security tools in terms of support for zero trust, fill in any gaps, and retire any tools that do not support zero trust.
Plan all new networking projects to support the SASE cloud architecture in future.
