The majority of security architectures in use today were built to protect users who worked in a corporate office, and applications and data that resided in a centralized data center. But the world has changed, and securing users, data, and applications is more complicated than ever. Trends that were already in motion–the migration of applications and data to the cloud and SaaS, increased use of BYOD and unmanaged devices, and users leaving the office to work remotely at home–rapidly accelerated as a result of the global pandemic. Technology trends like IoT and OT were gaining traction at the same time and added to the complexity. Unsurprisingly, these events triggered a sharp rise in ransomware, supply chain attacks, and other threats.
Organizations rapidly discovered that traditional security architectures, focused on protecting the network perimeter and everything inside of it, were no longer relevant because they are incapable of addressing today’s sophisticated threats. Protecting the modern business requires a new approach to security. So how are organizations addressing these challenges? Many are turning to zero trust. But despite the fact that the idea of zero trust began more than a decade ago, a lot of confusion remains. In his recent IDC analyst brief, ”Implementing Zero Trust as a Foundation for Secure Business Enablement,” Christopher Rodriguez, Research Director, Network Security Products and Strategies at IDC, discusses the concept of zero trust, seeks to eliminate the confusion, and examines the impact of a zero trust architecture on enterprise security.
What is zero trust, anyway?
Zero trust is a holistic approach to securing modern organizations, based on least-privileged access and the principle that no user or application should be implicitly trusted. It begins with the assumption that everything is hostile and the network has been compromised, and it uses identity and context to securely connect users to applications using business policies over the internet.
Rather than backhauling traffic to data centers for content inspection, zero trust delivers security as a cloud service at the edge, closer to where the user is located. This eliminates backhauling, and minimizes the number of hops between the user and their intended destination, thereby reducing latency and improving the user experience.
Building a strong security foundation
A zero trust architecture is the foundation upon which organizations can build their security ecosystem. In the IDC analyst brief, Chris identifies and provides detail on six key elements that comprise its core:
- Granular authorization of all users
- Strong identity and authentication practices
- Dynamic context-based policies
- Universal application of zero trust to all entities, subjects, and resources
- Continuous threat detection/protection
- “Need to know” access only connecting authorized users and applications
Zero trust is a strategy, and does not specify technologies that are required to implement it. However, current architectures were not designed to provide the tools necessary for zero trust. According to Chris, “The traditional security architecture is showing cracks with each passing year. Yet many organizations continue to take a ‘go with what you know’ approach, attempting to adapt on-premises security tools, firewalls, cloud services, and point solutions." Organizations that take this approach, rather than embracing a true zero trust architecture, will typically struggle to implement zero trust at scale across their enterprises.
Charting a path forward
Implementing a zero trust architecture enables organizations to optimize their security posture with strong identity validation, context-aware policies (e.g., location, time, device type/status, user behavior), and granular access controls. The zero trust architecture helps businesses reduce risk, eliminate the attack surface, and prevent the lateral movement of threats. The end result is simplified IT, improved costs and regulatory compliance, and a great user experience.
Are you thinking about implementing a zero trust architecture? Is zero trust already part of your plans? Read the full IDC Analyst Brief for more details. Chris’ analysis will help you understand the foundational elements and benefits of zero trust, dispel confusion, and reveal considerations for adopting a zero trust architecture. Get your copy today.