The Future of Security: Continuous Verification and Beyond
By Eric Sugar, President of ProServeIT
Companies are still adjusting to the rise of the hybrid workplace and the necessity to spread digital assets across on-site networks and the cloud. With operating environments becoming increasingly complex, modern businesses need a new security paradigm.
In 2010, an analyst at Forrester Research came up with a novel security model and dubbed it Zero Trust Architecture (ZTA). Only a few years later, Google stirred widespread interest in the concept by revealing that it was deploying Zero Trust security across its network. Today, Gartner, a respected global advisory and research firm, predicts that 60% of businesses and organizations will embrace the Zero Trust security strategy by 2025.
Demystifying Zero Trust
Zero Trust security requires users to undergo stringent identity verification before accessing private network resources. It employs a wide range of strategies to verify identity, whether users are inside the network or not. The primary technology that allows businesses to adopt Zero Trust security is known as Zero Trust Network Access (ZTNA).
Conventional network security involves an approach similar to digging a deep moat around a castle. While outsiders have a tough time gaining entry, insiders are trusted with complete access to everything within the network. The downside is that once hackers breach a network’s defenses, they gain complete control.
With businesses increasingly turning to cloud providers for data storage, the old castle-and-moat security systems are much more vulnerable than before. Businesses no longer store data in one central location, so they cannot rely on a single layer of network security. Zero Trust means all users, both internal and external, must prove their identity before accessing network resources.
What are the principles behind Zero Trust?
Continuous monitoring and validation make up the primary principle of Zero Trust. The model trusts no one and assumes attackers can be both inside and outside the network. Zero Trust systems perform authentication at both the user and device levels. Because logins and connections routinely time out, constant re-verification of both the devices and the people using them is essential.
Least-privilege access is another important tenet of Zero Trust security. Limiting each user’s access to only the specific information they require removes a lot of needless exposure of sensitive data in the network.
The third tenet of Zero Trust is device access control. To ensure that only authorized devices gain access to the network, zero-trust systems track the number of devices trying to connect to the network and perform vulnerability assessments on each. This significantly reduces the network’s susceptibility to outside attacks.
Micro-segmentation is another principle of Zero Trust networks. This refers to the process of dividing large security perimeters into several smaller zones. The process allows the creation of multiple isolated and protected areas within a single network. A user accessing one of these areas will need additional clearance to enter the others.
Zero Trust is also based on the prevention of lateral movement. The term “lateral movement” refers to the process by which an attacker moves laterally within a network after gaining access. In a Zero Trust system, access is segmented and must be re-established at regular intervals. This enables the security measures of a Zero Trust system to contain attackers more often than traditional systems and prevent them from moving throughout the network.
Zero Trust security also relies on multi-factor authentication (MFA). This means users need more than a password to log in. For example, popular websites like Google and Facebook often use two-factor authentication, requiring users to provide two forms of identification — a password and a code transmitted to a second device, like a cell phone.
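The principles above can be combined into a single per-request access decision. The sketch below is an added example, not code from this article or from any ZTNA product; the role names, segment map, timeout value and field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Illustrative assumptions: the timeout, roles, segments and resources are made up.
MAX_SESSION_AGE = 900  # seconds before user and device must be re-verified
SEGMENT_GRANTS = {     # least privilege: segments each role may ever enter
    "finance-analyst": {"finance"},
    "sre": {"prod-infra", "monitoring"},
}
RESOURCE_SEGMENT = {"ledger-db": "finance", "k8s-api": "prod-infra"}


@dataclass
class Request:
    user: str
    role: str
    device_id: str
    resource: str
    mfa_passed: bool             # password plus a second factor
    auth_time: float             # when user and device were last verified
    device_registered: bool      # device access control
    device_patched: bool         # outcome of the vulnerability assessment
    cleared_segments: frozenset  # segments cleared so far in this session


def decide(req: Request, now: float) -> tuple:
    """Evaluate every request; network location is never an input."""
    if not req.device_registered:
        return False, "device not authorized"
    if not req.device_patched:
        return False, "device failed vulnerability assessment"
    if not req.mfa_passed:
        return False, "MFA required"
    if now - req.auth_time > MAX_SESSION_AGE:
        return False, "session timed out, re-verify user and device"
    segment = RESOURCE_SEGMENT.get(req.resource)
    if segment is None:
        return False, "unknown resource"  # default deny
    if segment not in SEGMENT_GRANTS.get(req.role, set()):
        return False, "role not entitled to segment"
    # Micro-segmentation: clearance for one zone does not carry into another,
    # which is what limits lateral movement after a compromise.
    if segment not in req.cleared_segments:
        return False, "additional clearance needed for segment"
    return True, "allow"
```

Every check fails closed, so a request that is valid in one segment still has to be cleared again before it can reach a resource in another.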
The benefits of implementing zero-trust security
The zero-trust model is far more suitable for today’s IT settings than the security models of the past. In today’s hybrid and remote work environments, it allows a wide range of people and devices to safely access data. It also permits businesses to store sensitive data both locally and remotely.
Applying the Zero Trust principles of continuous monitoring and least-privilege access greatly minimizes an organization’s vulnerability to outside attacks. In addition, by demanding two or more forms of authentication, Zero Trust mitigates the danger of attacks that rely on stolen user credentials.
IoT devices, or computing hardware like sensors and appliances that connect wirelessly to a network, are notoriously difficult to secure and update. Zero Trust security mitigates the risks posed by these devices by checking each and every request through device access control.
In addition, when threats inevitably find their way around a network’s defenses, a Zero Trust system applying micro-segmentation and prevention of lateral movement reduces recovery costs by containing breaches to isolated areas of the network. Recent studies reveal that a single data breach costs an average of over three million dollars, so minimizing the impact of each and every cyber-attack is well worth the effort.
Through the strategic elimination of implicit trust and the continual validation of digital interaction, Zero Trust seeks to provide secure environments in today’s complex operating environments. Grounded in the adage “never trust, always verify,” Zero Trust protects contemporary networks through strong authentication methods, network segmentation, prevention of lateral movement, and least-privilege access policies.
Whether it’s helping his employees remove roadblocks, educating customers on how various technologies can make their jobs and their lives better, or instructing leaders on the importance of corporate and personal cybersecurity, Eric Sugar, President of ProServeIT, always takes a people-centric approach to his role. With over 25 years in the IT industry, Eric’s been with ProServeIT since its inception in 2002.