Zero Trust and its role in enabling a secure, hybrid working enterprise
Written by Mark Cooke, Chief Operating Officer, Xalient
Today’s enterprises conduct business and use digital technologies in ways that are evolving constantly. This digital transformation is making traditional perimeter-based cybersecurity IT infrastructure redundant. The days when every user and every device sitting inside the organisation’s premises or firewall could be automatically trusted are over for good.
For decades, the enduring principle in corporate IT policy was the ‘castle and moat’ approach to securing user access to applications. Everything that needed to be accessed securely sat inside the castle and once the drawbridge was up and the castle was protected by its moat (or firewall), nothing unknown could get in or out, and everyone could trust each other. However, over the last 10 years applications and workloads have moved to the cloud, and users are increasingly accessing them remotely via the internet. This means that traffic is going from a user that was sitting inside the castle to an application that now sits outside. The network is no longer a secured enterprise network. Instead, it is the unsecured internet and the solutions employed to keep attackers out are no longer effective.
In addition to the technological changes in the way enterprises operate today, there have also been massive global macro-economic shifts that have fundamentally changed the way companies hire staff and engage with customers around the world. This globalisation of business and trade is an unstoppable trend and has been accelerated by the pandemic, with employees potentially working anywhere. The result is that organisations have been looking carefully at how they solve the problem of allowing employees – wherever they are located physically – to access mission-critical applications securely.
In the pre-Covid era, remote work was not uncommon, but now that working from home has become widespread, security technologies and processes based purely on established geographic location are becoming irrelevant. Overnight in some countries, tens of thousands of workers have gone from the office to being at home where they are sharing broadband connections with family, friends, and gamers. With a remote workforce, the use of potentially unsecured Wi-Fi networks and devices increases security risks exponentially.
Not only are employees’ work-from-home setups and environments not as secure as the office, but the broadband connections are weaker too. This means their experience of trying to access office applications is suboptimal. Their Wi-Fi router may not have been configured for WPA2; the IoT devices on their home network, like baby monitors or smart thermostats, are running a hodge-podge of security protocols, if any; and all this is being managed through a corporate VPN that is slowing traffic down even more. It’s not difficult for a threat actor to work out that an organisation is using a centralised firewall and then launch a DDoS attack that threatens to take down the business.
Zero Trust verification
In this environment, more and more enterprises are now adopting a Zero Trust approach. Zero Trust is a security concept centred on the belief that organisations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access. Without an overarching system like a Zero Trust framework, employees working in a secure environment can no longer be verified — or controlled. Zero Trust employs least-privilege and “always-verify” principles, offering complete visibility within the network, whether in data centres or the cloud.
CIOs, CISOs and other corporate executives are increasingly implementing Zero Trust as the technologies that support it move into the mainstream; as the pressure to protect enterprise systems and data grows significantly; and as attacks become more sophisticated. By removing the centralised approach to policy enforcement and moving towards more of a distributed SaaS model where security is delivered via the cloud – coupled with encryption and SD-WAN technology – identifying the user and providing access to the applications they want becomes far more effective and cost-efficient compared to MPLS. This approach enables distributed teams to collaborate and talk to each other without requiring centralised locations and security postures that mandate VPNs, with associated costs and poor performance issues.
Challenge and benefits
It is undoubtedly a challenge for most large enterprises with established IT teams that have worked on a ‘trust but verify’ basis using corporate firewalls and VPNs to change direction and move towards a Zero Trust basis, but in our view adopting this approach does bring other benefits. In a Zero Trust environment, security controls are deployed with the assumption that the network is already compromised. No unauthorised processes or applications are allowed to execute, and authentication is required for access to data.
With no network perimeter for the enterprise to manage, users can be anywhere and on any device. The devices that workers use are less likely to be ones assigned by the employer. Employer-owned laptops and phones are traditionally managed, patched, and kept up to date with security tools and policies. However, with everyone working remotely, employees may forget basic cyber hygiene skills and start to use their own devices to access work networks or apps. They could be using their work laptops to shop online between Zoom calls. Even if Zero Trust security can’t force employees working at home to use work devices only for work, it can control the potential for a security breach because of the fundamental “trust nobody; verify everything” rule that enforces access controls at every point within the network.
If the enterprise moves to a managed cloud or even hybrid cloud platform and all policy is managed from a single point across the whole organisation, CISOs can customise and improve the user experience by only giving employees access to the applications they need to work with, thus reducing latency on remote connections. From a user perspective they get the quickest access to the apps they need the most.
More cost effective than MPLS
Another benefit for CISOs is a reduction in Capex when compared to MPLS networking. Historically, businesses have made huge investments in centralising firewalls and maintaining all the software and hardware required to support their security policies. This expense all moves away as cloud security becomes driven through the SaaS platform and on-demand pricing.
SD-WAN is a core component of Zero Trust and also makes management of it easy, allowing IT to avoid complex network-security architectures and removing the convoluted connections between appliances and users, while providing the highest security through a cloud-delivered model. Instead of appliances, all traffic is securely connected through a cloud-delivered service, whatever the connection type – mobile, satellite or home broadband. And because the intelligence of the network is software-driven and orchestrated centrally, it can manage the user’s journey through an insecure internet to the location of the application and compress other applications to make it a vastly more efficient and less costly experience. Moreover, crucially for the enterprise, not only is this all done in a secure way using encryption which enables integrity between the user and the application, but SD-WAN delivers more agility and choice than legacy MPLS.
Without a doubt, in 2022 security will be high on the C-Suite agenda. With intensifying trade disputes, an escalating threat landscape, a highly distributed workforce, supply chains stretched to breaking point by the pandemic, and extra pressure exerted by the ongoing effects of Brexit and other escalating geo-political issues, having a secure, productive, agile and cost-effective security framework in place will be paramount.