Foreword: First, to the IT security leaders who spent countless hours responding to the need to secure a new, remote workforce during the pandemic - congratulations for what I’m sure, for many of you, was one of the most challenging and significant accomplishments of your career.
When Zscaler first began to hear from companies about the need to enable a mobile workforce, we anticipated two things would happen. First, many organizations would look for a quick, short-term solution to the problem and scale up their use of remote access VPN. In fact, this can be seen from the data below provided by Wipro’s State of Cybersecurity Report 2020. See how more than 90 percent of organizations view increased VPN capacity as a top priority:
Second, we anticipated that quickly adapting to a remote workforce would lead to what would be the largest attack surface in the history of security. As the use of VPN technology adoption skyrocketed, so too did the number of internet-based exploits looking to capitalize on the fact that they are used to connect users to the corporate network. In fact, there are now almost 500 known vulnerabilities on the CVE database actively targeting VPN. Some examples of VPN-based exploits include:
Each of these exploits poses a considerable threat to a business. To combat them, companies are now looking to embrace zero trust architectures as a means of connecting users to business applications, therefore eliminating the need for VPN and avoiding placing users onto the corporate network or exposing resources to the internet.
The companies that had already begun their zero trust journey benefited greatly, as they already had the foundation technologies in place to protect their data, ensure least-privilege access, and deliver the experience their users needed when it mattered most. They simply scaled up their zero trust services.
Business continuity in 2020 taught us that location no longer matters when it comes to the productivity of employees, and that the rise of a new, hybrid workforce has accelerated transformation to cloud services that can better enable business growth and competitiveness. This has opened up new avenues for cloud-delivered security technologies that were designed to connect users, who are now working from anywhere, to critical business applications. This is why the adoption of zero trust architectures has grown by leaps and bounds, and is expected to continue, due to the fact that more than 80 percent of IT leaders say it’s a priority post-pandemic, per Wipro’s research.
As security leaders look to embrace these architectures, they need to first understand what zero trust means and be sure to avoid the misconceptions that often surround the topic. They should note that the term “zero trust” has been around for more than 10 years. The problem was that it was always based on the notion of network connectivity—connect a user to a network where the applications lie and then segment the network with internal firewalls to minimize lateral movement. This was complex to manage and implied trust of users by allowing remote users to VPN onto the network via tunnel, and in-office employees to access the network simply because they were already working from HQ or a branch office. This is the opposite of zero trust.
Zero trust is about beginning with the notion of trusting no one, and only establishing trust by first relying on context - the identity of the user, and the business policies defined by IT - to provide access to specific apps, never the network itself. As the user leaves the company or the health of the user device they are connecting from changes, the business policies then adapt to minimize risk to the business. These capabilities are key to enabling the success of the business now and in the future.
It’s also important to realize that not all zero trust services are the same. Some are hosted as fully cloud-delivered services that are managed by the security vendor. Others are deployed as on-premises gateways hosted and managed by the customer themselves. Architecture matters more than ever.
The good news is that with zero trust, security leaders now have the rare ability to actually drive the secure transformation of their business, rather than get swept up in the change. Here is what I mean by that:
Knowing where to begin is always the hardest part of embracing something new. Below are some tips to consider when it comes to your zero trust implementation:
Download your copy of Wipro’s State of Cybersecurity Report now.
Join us to learn how the latest Zscaler innovations will enable you to accelerate business transformation by embracing zero trust. Learn more about the event: https://info.zscaler.com/seize-the-zero-trust-moment