Can Zero Trust Fix What’s Wrong with IT Security?

Zero Trust is receiving the lion’s share of attention this year as a strategic way to architect access to your critical business resources. It is one of the top two researched security solutions and also the area where there is the most future spending opportunity, according to IDG’s latest Security Priorities Study.

Dr. Chase Cunningham of Forrester defines Zero Trust as…

“…strategically focused on addressing lateral threat movement within an organization’s infrastructure by leveraging microsegmentation and granular enforcement, based on user context, data access controls, application security, and device posture.”

That’s sound in theory. But what’s driven Zero Trust to prominence – not just in the media, but in the board room and among IT security professionals – over the past year?

Simply put, IT security is broken. According to the 2019 CyberEdge Group Cybersecurity Report, an astounding 78% of IT security professionals surveyed say their organizations have suffered successful cyberattacks.

It’s not that hard to understand why security is broken. Legacy security infrastructures, many of which are based on technologies dating back 20 or 30 years, weren’t architected to address the complex threats facing hybrid enterprises today. The attack surface has changed dramatically – and not for the better – in the decades since many of these solutions were first rolled out.

Vendors try to keep up, but they are hampered by their own existing products – their cash cows. They really can’t walk away and start over. So they try to build on what they have, but that’s slow and very difficult because threats today are very different from threats of years ago.

Let’s break down what’s wrong with IT security architecture today:

  • Defensive Perimeter Focus – For many organizations, there is little to no segmentation across their infrastructures. In theory, at least, they are protecting their resources from evildoers in the outside world. But once inside the network, users can connect directly to application and data resources without the benefit of a security layer between the users and the resources. That’s a big problem when more than 80% of attacks rely on compromised credentials – whether hackers have gained them through phishing attacks, malware or brute force, they are attacking you with valid user credentials. Once inside your perimeter, they own your resources.
  • Identity as Security – Too many organizations still rely on usernames and passwords alone for security, whether it’s for local applications or cloud resources. Identity alone is not security – if you are in this boat, you’re ripe for attack and you’ll sink fast. Credential-based hacks aren’t going away anytime soon, simply because they succeed way too often.
  • Too Many Gates, Not Enough Guards – Most organizations have far too many ways to gain access into their infrastructures. These gates to application resources are “guarded” by multiple security products – VPNs, Web Gateways, SSL VPNs, MDM solutions, and whatever your cloud providers require, just to name a few. Each represents yet another attack vector to protect, analyze, patch, and keep up to date. That requires a ton of expertise – something in short supply, with Cybersecurity Ventures reporting 350,000 vacant cybersecurity positions in the U.S. alone. Chances are pretty good your organization doesn’t have the staff to keep up.
  • Lack of consistency – Each way organizations provide access to resources often requires its own complex set of credentials, processes and security policies – all of which frequently change. That’s why there are yellow stickies with usernames and passwords on desktops around the world. Why do we continue to place the burden of security on our end users? Is that really who you want to have primary responsibility for IT security within your organization?
  • Who’s There? – With all the different security products from multiple vendors, it’s not surprising most organizations don’t have a clue about who is accessing their network. Most of these disparate solutions don’t even talk to each other. Bet you can’t run a single report that shows who accessed what in your enterprise.

So those are all the gaps, and they’re pretty bad. Just how bad? According to the 2018 BDO Cyber Governance Study, ransomware attacks were up 350% in 2017; spoofing and business email compromise attacks increased 250%; and spearphishing attacks were up 70% and are increasing.

Now, let’s look at how Zero Trust access changes the IT security game:

  • Microsegmentation – Every resource is accessed only by going through the Zero Trust solution. This limits lateral movement to other applications if someone gains access with compromised credentials. This applies to users inside and outside your infrastructure alike.
  • Granular control – Since a Zero Trust infrastructure controls access to each resource, you can put robust security policies in place for access to each resource, local or cloud.
  • Context of Access – You can gauge the specific environment of the access request (user, device, device security posture, operating system, location and much more) to determine whether a user should gain access to each resource.
  • Consolidation – Instead of multiple different methods of access, you provide one way to get in the door. Properly done, a Zero Trust architecture dramatically simplifies and strengthens your security posture and provides a more dynamic and flexible architecture for your business.
  • Simplified access – Zero Trust offers a significant business and technical advantage by making it easier for end users to access all the resources they need to do their jobs. Instead of requiring multiple ways to access various resources, users now need only one set of credentials and one method to gain access – regardless of device type, location or where the resource resides.
  • Increased security – By consolidating disparate solutions into a Zero Trust solution, you gain centralized control over your infrastructure and consistent, stronger security policies, and you significantly reduce your attack surface.
  • Full audit and reporting – One of the most important benefits of Zero Trust is the ability to report on everything within your infrastructure, including the cloud. You know who got access to what resources, what device they used, the security posture of that device, etc. You can continually strengthen your security posture, identifying trends and individual events that shine the spotlight on areas that need attention.
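
To make the per-resource, context-aware, default-deny model above concrete, here is a small policy decision point written as an added example for this post (it is not code from any Zero Trust vendor or product). Resource names, roles, the 0–3 device posture scale and the location labels are constructed assumptions; the point is that a valid credential with the right role is still denied when device posture or location fails the resource’s policy, and that every decision lands in one audit log you can report from.

```python
"""Minimal Zero Trust policy decision point (added example, constructed data).

Every access request is evaluated against the policy of the specific
resource it targets, using user role, device posture and location.
Anything without an explicit policy is denied, and every decision,
allowed or not, is appended to a single audit log."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed per-resource policies (hypothetical resource names).
# min_posture: 0 = unknown device ... 3 = managed, patched, disk encrypted.
POLICIES: Dict[str, dict] = {
    "payroll-app": {"roles": {"finance"}, "min_posture": 3,
                    "locations": {"office", "vpn"}},
    "wiki": {"roles": {"finance", "engineering"}, "min_posture": 1,
             "locations": {"office", "vpn", "remote"}},
}

AUDIT: List[dict] = []  # one log for all resources, local or cloud


@dataclass
class Request:
    user: str
    role: str
    resource: str
    device_id: str
    posture: int
    location: str


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one request; returns (allowed, reason) and records it."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        reason = "unknown resource"            # default deny: no policy, no access
    elif req.role not in policy["roles"]:
        reason = "role not permitted"
    elif req.posture < policy["min_posture"]:
        reason = "device posture below minimum"  # valid credential is not enough
    elif req.location not in policy["locations"]:
        reason = "location not permitted"
    else:
        reason = "allowed"
    allowed = reason == "allowed"
    AUDIT.append({"user": req.user, "resource": req.resource,
                  "device": req.device_id, "posture": req.posture,
                  "location": req.location, "allowed": allowed, "reason": reason})
    return allowed, reason


def who_accessed(resource: str) -> List[str]:
    """The single 'who accessed what' report the post says most shops cannot run."""
    return [e["user"] for e in AUDIT if e["resource"] == resource and e["allowed"]]
```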

As you can see, Zero Trust access streamlines and strengthens your security, gives you new-found control over your infrastructure, and makes access easier for your end users. It’s time to trust Zero Trust architecture to get the IT security job done right.