Let me explain.
When I first started working in IT more than twenty-five years ago, laptops and mobile phones were for the privileged few. Most people stayed in one place when they were online, in most cases at a desktop computer. This gave us fixed parameters, which meant internet security was relatively straightforward.
Now there's the cloud, infrastructure as a service, software as a service, bring your own technology, and ever-increasing fragmentation and mobility of internet usage across consumers and networks. In Singapore, people own more than 1.5 devices on average, and they are on those devices for over 12 hours each day. What's more, people aren't just using their devices for personal use but expect to be able to conduct all of their business, from ordering groceries to paying their bills, on them too. They expect security and demand it.
The applications that enable customers to do all of that are no longer confined to internal networks; they run on the cloud, on distributed networks and on traditional networks too. This makes nothing easy: security is a challenge, identity is a challenge, access is a challenge, and all the while security is becoming more and more important.
With external threats evolving at an exponential rate and increasingly targeting internal environments, it's time for companies to take action and move from traditional security networks to a zero trust architecture on the cloud.
It's time to stop feeling safe behind the firewall, behind walls that don't really exist. Anything less will leave your networks, and your employees, at risk.
What is a zero trust security model?
It means never trust, always verify. It means you only deliver apps and data to authenticated and authorised users and devices, you inspect and log traffic proactively, and you prevent malware and DNS-based breaches while ensuring fast and reliable apps.
This may sound a little drastic, so it may be helpful to look at this in practice.
Let's take your HR system as an example. This is a goldmine for cybercriminals. It holds data on hundreds of employees, including personal, financial, behavioural and professional details; imagine how happy a hacker would be to break into that system and steal those identities.
In this context, a zero trust architecture would mean that only a handful of people are able to access that system and manage the data, and even then only the parts of that network they need to fully perform their job. That access and authorisation is predetermined in the design of the infrastructure, so it can't be tampered with. The notion of network segmentation as the primary mechanism for securing the infrastructure, as in traditional network security, is dismissed.
Instead, all applications and services are deployed to the public internet, where access is granted based on a device, its state and the associated user, like the HR manager in this case. This significantly mitigates the risk of a breach.
Beginning your journey
So, in the land behind the firewall, how do you start your zero trust journey? As with any journey, it starts with walking out of the door: leaving those traditional barriers between inside and outside security networks behind and venturing into the cloud, where we have the ability to enforce a zero trust architecture.
There are five key principles:
- The network is always assumed to be hostile.
- External and internal threats exist on the network at all times.
- Network locality is not sufficient for deciding trust in a network.
- Every device, user and network flow is authenticated and authorised.
- Policies must be dynamic and calculated from as many sources of data as possible.
Let's put this into practice. If I come to visit your office, I hand over my ID, identifying who I am, and that allows me into your office. I'm like a VPN gaining access to your office. If you assume everything is hostile, that's a totally different approach: I only get to see the door of your office, I don't even know the other doors exist. If you think about it, why should call center employees have IP access to source code repositories? Or why should a contractor using your billing system have access to the credit card processing terminals? Access should be to just those applications needed in order to perform a role.
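To make the five principles and the office-visit analogy concrete, here is an added Python example of a small zero trust policy engine. It is not code from the original post or from any product: the roles, application names, device-health thresholds and the sample users and devices are all constructed assumptions. It shows the decision being recomputed per request from user authentication and device state, the source IP being logged but never used to grant trust, and each role seeing only the "doors" it is allowed to open.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative assumptions: which roles may reach which applications.
# A user never learns about applications outside their roles.
APP_ROLES = {
    "hr-system": {"hr-manager"},
    "source-repo": {"engineer"},
    "billing": {"billing-contractor", "finance"},
    "card-terminals": {"finance"},
    "ticketing": {"call-center"},
}
# Applications that additionally demand a fully healthy device (assumption).
SENSITIVE_APPS = {"hr-system", "card-terminals"}


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in the device inventory
    disk_encrypted: bool
    patch_age_days: int
    last_attested: datetime  # last successful health attestation


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    app: str
    source_ip: str           # recorded for audit, never a basis for trust
    now: datetime


def device_tier(device: Device, now: datetime) -> str:
    """Classify current device state as 'untrusted', 'low' or 'high'."""
    if not device.managed or now - device.last_attested > timedelta(hours=24):
        return "untrusted"
    if not device.disk_encrypted or device.patch_age_days > 30:
        return "low"
    return "high"


def visible_apps(user: User) -> set:
    """Only the applications a user's roles permit exist from their viewpoint."""
    return {app for app, roles in APP_ROLES.items() if user.roles & roles}


def evaluate(req: Request) -> tuple:
    """Return (allowed, reasons); reasons list every failed check for logging."""
    reasons = []
    if not req.user.mfa_verified:
        reasons.append("user not strongly authenticated")
    tier = device_tier(req.device, req.now)
    if tier == "untrusted":
        reasons.append("device unmanaged or not recently attested")
    if req.app not in visible_apps(req.user):
        reasons.append(f"no role of {req.user.user_id} grants {req.app}")
    elif req.app in SENSITIVE_APPS and tier != "high":
        reasons.append(f"{req.app} requires a healthy device, got tier {tier}")
    return (not reasons, reasons)


def audit_line(req: Request, allowed: bool, reasons: list) -> str:
    """One log line per decision, including the network location for forensics."""
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{req.now.isoformat()} {verdict} user={req.user.user_id} "
            f"device={req.device.device_id} app={req.app} src={req.source_ip} "
            f"reasons={';'.join(reasons) or '-'}")


# Constructed sample data for the scenarios in the post.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
HEALTHY_LAPTOP = Device("lt-0001", True, True, 7, NOW - timedelta(hours=2))
STALE_LAPTOP = Device("lt-0002", True, True, 45, NOW - timedelta(hours=1))
PERSONAL_LAPTOP = Device("unknown", False, False, 400, NOW - timedelta(days=90))
HR_MANAGER = User("alice", frozenset({"hr-manager"}), True)
CALL_CENTER = User("bob", frozenset({"call-center"}), True)

if __name__ == "__main__":
    scenarios = [
        Request(HR_MANAGER, HEALTHY_LAPTOP, "hr-system", "203.0.113.7", NOW),
        Request(HR_MANAGER, PERSONAL_LAPTOP, "hr-system", "10.0.0.5", NOW),
        Request(CALL_CENTER, HEALTHY_LAPTOP, "source-repo", "10.0.0.5", NOW),
        Request(CALL_CENTER, STALE_LAPTOP, "ticketing", "198.51.100.9", NOW),
    ]
    for req in scenarios:
        allowed, reasons = evaluate(req)
        print(audit_line(req, allowed, reasons))
```

Note that the second scenario is denied even though it comes from the office LAN address, while the first is allowed from the public internet: locality plays no part in the decision, only the identity and the device's measured state do. The fourth scenario shows the policy being dynamic rather than a flat allow list, since a slightly stale device still reaches a low-risk application but not the HR system.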
This sounds hostile, but in today's business landscape it starts to make sense. With the stakes of cyberattacks higher than ever, and cybersecurity hygiene left far too close to the end user in most cases, it's time to stop feeling safe behind walls that don't exist and to build a zero trust web security fortress in the cloud.