You are here

You are here

Zero-trust security: How to make everyone an outsider

public://pictures/Robert-Lemos-Technology-Journalist-Lemos-Associates.jpg
Rob Lemos Writer and analyst
 

In March 2020, the coronavirus pandemic forced nearly every company that could to move employees to work remotely. In the United States, more than half of workers moved to remote work, compared to only 15% prior to the pandemic, according to a nationally representative survey conducted by the Massachusetts Institute of Technology, Upwork, and Stanford University.

Security issues soon followed. Coronavirus- and COVID-themed domain registrations grew, surpassing 100,000 in the first quarter of 2020. Employees clicked on risky URLs 49% more often. Virtual private network (VPN) appliances became the target of vulnerability researchers and attackers, with multiple critical vulnerabilities found in products from Citrix, Palo Alto Networks, and Pulse Secure. 

The situation has focused a lot of company leaders on speeding to a zero-trust model. About 80% of companies are considering implementing zero trust for security, while 70% aim to find ways to speed deployment.

Zero trust takes a "trust no one, trust nothing" approach to security. Even users with a valid username and password, for example, trying to access the system from a new device or new location could have their access challenged. What's more, their actions on the network will be monitored for unusual behavior. 

It's evolution that has been going on since 2016, and now zero trust is the only strategy that makes sense, said Chase Cunningham, vice president and principal analyst at business intelligence firm Forrester Research.

"You can't trust what is outside your perimeter—and now, all of your employees are outside your perimeter."
Chase Cunningham

The massive move to remote work is not the only trend affecting the adoption of zero trust. For the past few years, other trends have resulted in more awareness, and greater adoption, of the zero-trust model.

Here's the state of zero trust security, and the trends shaping it.

Cracks in the perimeter, stress on VPNs

Companies that continue to focus security on the perimeter are struggling. Even before the workforce became highly distributed, remote workers were required to connect to the corporate network over a VPN, often only to connect back out to a cloud service. This caused unnecessary congestion and affected user productivity.

With half of employees now working outside company perimeters and companies moving more applications into the cloud, the inefficiencies of "tromboning" data to the corporate network have become far more dire, said Rik Turner, principal analyst of cybersecurity at research house Omdia.

"So you have both the end users and the applications moving off premises—the apps to the cloud and the people to work-from-home, but you are still connecting back to the network first, and VPNs are no longer keeping up. It's just way too inefficient."
Rik Turner

More devices, more zero trust needed

While remote work has put the wind in the zero-trust sails, other trends have made the security model necessary. Specifically, this involves a huge increase in the work done on non-desktop devices—whether a laptop from home, a smartphone while traveling, or an IoT device—that need to be controlled or monitored.

We should be thankful there are tools that exist to allow secure, zero trust-enabled remote technologies right now, said John Kindervag, field chief technology officer at Palo Alto Networks.

"If they didn’t exist, the economic devastation of COVID-19 would be overwhelming."
John Kindervag

The US Department of Defense identified this problem over the last two decades, noting in a position paper published by the Defense Innovation Board that the expanding number of endpoints, remote access, and adversaries' ability to circumvent perimeter security measures demands a different approach to security.

"This network expansion and adversary creativity requires increasing numbers of firewalls with complex inspection specifications, which is cost-intensive with diminishing returns," the authors wrote. "Perimeter security rapidly devolves into a game of 'whack-a-mole,' where firewalls must constantly be adjusted to account for an expanding set of authorized entrants into the network and acceptable traffic in and out of the network."

Digital transformation drives adoption

In 2018, the concept of digital transformation took off. Companies sought ways to use the cloud, distribute workloads, and take advantage of all of their operational data to gather insights and inform their actions. A distributed information infrastructure becomes impossible to secure with a perimeter-based approach and requires an approach such as zero trust to stay secure, said Kieran Norton, infrastructure solutions leader at consultancy Deloitte.

"Going forward, post-COVID, certain factors will continue to drive a zero-trust model. Clearly, there is a going to be a greater emphasis on digitizing the business and embracing remote work, because you never know when this will happen again."
Kieran Norton

The pursuit of transforming the business also requires security to be transformed as well. When corporate IT assets run on public cloud infrastructure, companies need to apply the principles underpinning zero trust to maintain visibility and control the security of applications and data, said Forrester's Cunningham.

"When you are moving to the cloud, you are getting to a zero-trust state, but people need to know that they are aiming for that model to most effectively create it. For zero trust, the cloud is a greenfield environment."
—Chase Cunningham

Because zero trust focuses on securing devices, workloads, and data no matter where they are hosted or reside, the approach will only gain traction in the post-pandemic business world, said Deloitte's Norton. Yet, zero trust is not exclusively about the cloud.

"It is not cloud-dependent, but it is cloud-convenient."

Keep learning

Read more articles about: SecurityIdentity & Access Management