Steve Singer, Regional Vice President and ANZ Country Manager, Zscaler, tells us how IT leaders can achieve effective security with Zero Trust.
The past two decades have seen astounding progress made in all areas of Information Technology. From the rise of the smartphone and cloud computing to exponential increases in processor and storage capacities, IT’s role as a critical business enabler has never been more evident.
However, during the same period, the power of cybercriminals has also increased. As a result, cyberattacks have skyrocketed, resulting in significant disruptions and losses.
Zscaler’s 2022 ThreatLabz Phishing Report showed a dramatic 29% growth in overall phishing attacks compared to previous years, with retail and wholesale companies bearing the brunt of it. At the same time, the report also showed an emerging reliance on Phishing-as-a-Service methods, as well as new attack vectors, such as SMS phishing, becoming one of the more prevalent methods of intrusion.
In response to this deteriorating situation, growing numbers of organizations are adopting a security strategy known as Zero Trust. Under it, all traffic is treated as Zero Trust traffic; identity and context always come before connectivity; and applications, including their environments, remain invisible to unauthorized users.
This strategy comprises a set of security principles based on a simple idea: the less trust is granted implicitly when access is requested, the greater the assurance that each access comes from an authorized identity.
In a Zero Trust environment, cybersecurity is attuned to the way people work. It becomes data-centric, and authorization is based on identity and context rather than tied to a device.
Zero Trust adopts the philosophy that all data moving across a corporate network should be viewed as being potentially hostile. Nothing is trusted, and access should never be granted based on the assumption of trust.
Least-privileged access
At their heart, Zero Trust principles assume all data represents a potential threat. As such, any authorization to proceed with work first requires disproving the premise that the data was already compromised. This contrasts with legacy security infrastructure and standard processes that extend privileges based on fallible factors such as machine identification using an IP address.
Direct connectivity
Direct connectivity is a fundamental feature of Zero Trust security. Users connect directly to the application or resource they need to use at that moment. Once that task is served, the connection is discarded. Each further use of the application or resource requires a fresh connection and reauthorization. In this way, connectivity can be considered almost disposable: a means to an end rather than the end itself.
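To make the contrast in the two preceding sections concrete, here is an added illustration (not Zscaler's code or product logic) of a legacy IP-based access check beside a per-request decision that puts identity and context first, applies least privilege per resource, and hands out only a short-lived grant so that each use must be re-authorized. All names, the policy table and the sample requests are constructed.

```python
from dataclasses import dataclass

# Constructed sample data and policy; names are illustrative, not Zscaler's.

@dataclass
class Request:
    user: str
    mfa_verified: bool      # identity proven for this request
    device_compliant: bool  # context: device posture at request time
    source_ip: str
    resource: str
    action: str

# Legacy model: trust flows from network location (a "trusted" IP range).
TRUSTED_PREFIX = "10.0."

def legacy_allow(req: Request) -> bool:
    return req.source_ip.startswith(TRUSTED_PREFIX)

# Zero Trust model: default deny, identity and context first,
# least privilege per resource, and a grant that expires so each
# use of the resource must be re-authorized.
POLICY = {  # resource -> (entitled users, permitted actions)
    "payroll-app": ({"alice"}, {"read"}),
    "wiki": ({"alice", "bob"}, {"read", "write"}),
}
GRANT_TTL_SECONDS = 60

def zero_trust_decide(req: Request, now: float) -> dict:
    """Evaluate one request; returns a deny with reason or a short-lived grant."""
    if not req.mfa_verified:
        return {"allow": False, "reason": "identity not verified"}
    if not req.device_compliant:
        return {"allow": False, "reason": "device posture failed"}
    entitlement = POLICY.get(req.resource)
    if entitlement is None:
        return {"allow": False, "reason": "resource not published"}
    users, actions = entitlement
    if req.user not in users or req.action not in actions:
        return {"allow": False, "reason": "least privilege: no entitlement"}
    return {"allow": True, "expires_at": now + GRANT_TTL_SECONDS}

def grant_valid(decision: dict, now: float) -> bool:
    """A grant is disposable: past its TTL the caller must decide again."""
    return bool(decision.get("allow")) and now < decision["expires_at"]

if __name__ == "__main__":
    inside = Request("bob", False, True, "10.0.5.7", "payroll-app", "read")
    print(legacy_allow(inside), zero_trust_decide(inside, 0.0))
```

The request from the "trusted" subnet with an unverified identity is allowed by the legacy check and denied by the Zero Trust check, while a verified, compliant user on an unknown network is allowed only for the resource and action they are entitled to, and only until the grant expires.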
Corporate systems remain obscured
Cybercriminals can only attack what they can see, and, unfortunately, most enterprises still expose IP addresses to the open Internet. However, systems are not visible to the outside world in a Zero Trust environment. This is because Zero Trust mandates inside-to-outside connections and blocks outside-to-inside connections. In this way, the attackable threat surface is significantly reduced.
The Internet is the new corporate network
Zero Trust leverages the Internet as a communications backbone. Users connect to applications or resources via the Internet, with cybersecurity delivered immediately at the cloud edge. Zero Trust dissociates connectivity from the physical network, so the Internet replaces the corporate network, thereby reducing corporate reliance on costly LAN and WAN infrastructures.
The attraction of trust
A Zero Trust strategy is appealing for an IT security team battling against a rising tide of attacks. With attackers regularly exploiting trust to gain access to IT infrastructures, minimizing this trust to ‘zero’ significantly lowers the risk of a cyberattack.
Yet, despite its clear advantages, the concept of Zero Trust was ahead of its time, and commercial adoption was very slow. At the time, Zero Trust amounted to a damning indictment of legacy network security models. While Forrester Research introduced the new Zero Trust information security model in 2010, it wasn’t until 2020 that a Microsoft survey found that 94% of respondents had embarked on a Zero Trust strategy.
After all, security based on machine identification and network access could still protect an enterprise. However, it became increasingly clear over the decade that legacy security architectures could not be readily scaled or easily re-engineered to accommodate a dynamic, follow-the-data security model. In that type of environment, access is granted via hardware gateways, so more challenges mean more hardware stacks housed close to users, applications and data processing.
Significant changes to how trust is handled weren’t possible because infrastructure couldn’t scale to support it. More than a decade later, the cloud makes Zero Trust practical in the form of a Zero Trust Architecture (ZTA).
In a world where remote working has become a widespread trend, IT resources are located in a range of different places, and cybercriminals are mounting more sophisticated attacks than ever, the case for Zero Trust has never been more compelling. Taking time to put a strategy in place is one of the most effective security measures an organization can take.