Traditionally, the security approach was a castle approach wherein, everything and everyone inside can be trusted and the primary focus is investing in controls that either protect the systems or the networks.
This kind of an approach has a few fallacies. If you look at the landscape, most modern attacks are inside out. The trusted systems bring the attackers inside with them and the systems are compromised in any one of the zillion ways. Smart devices and shadow IT are other vectors which are not accommodated in this approach. This implies, devices is no longer the border, the user’s identity and data are the new borders.
What is Zero Trust?
The key principle of Zero Trust, network is always hostile. Internal threats exist, along with external threats in the network. Every device and user must be authenticated and authorised. Policies must be dynamic and enforced on all assets. These policies need to be implemented on individuals, workloads, networks and devices. Irrespective of the location, all information must be secure. The challenge is to initially discover the critical data since is so dispersed in today’s enterprise. The identity of the user must be checked and all network traffic must be registered and analysed. Never trust, always verify!
Zero Trust is a framework, it’s not a thing or a product you can buy. It is an application and user centric security and not infrastructure centric security. Zero Trust allows the security to be dynamic and evolving with the changing times, which is the best part, a security that is designed inside out along with increased flexibility and productivity for staff as well as contractors.
Moving to cloud is a responsibility for securing data and infrastructure, cloud is nothing but a substitution of your infrastructure and applications which are provided by an ISP or MSSP. Hence, it introduces a lot more threat vectors today, so corporations need to be more vigilant about the business risks which are introduced in your eco-system while moving into cloud.
Its an architecture that can manage data agility, cloud and serverless applications; it’s a business enabler but more importantly, is an architectural state of mind. The complexity must be minimised and there should be no security gaps; for example, there should not be any security discrepancy in internal and external networks. Policies should be more data-centred and safeguard data from inside and outside of the network.
Get proactive on Zero Trust
Existing approaches have been revealed as fundamentally inadequate in today’s work-from-anywhere environment, exposing the company to unnecessary risk by providing too much access and too little accountability. At an unprecedented pace, malicious threat vectors take advantage of this. Zero Trust protection model and the current business and risk environment fit with an application-focused approach to access.
By Samir Chopra, CEO and Founder, RNS Technology Services.