It all started with the pandemic. By 2020, the world had already witnessed a massive shift in the way people worked. With the rise of Covid, work from home quickly became the norm instead of a perk being offered by numerous organisations. As Covid continues to play hide and seek, many enterprises are calling their employees back to offices, while others continue with the seemingly well-oiled work-from-home model. However, most experts believe that once the pandemic is completely over the world would have permanently moved toward a hybrid working model.
This shift towards a predominantly hybrid work model adds significant complexity for IT teams tasked with making the model function securely. This is because each hybrid worker presents new opportunities for malicious actors. And, with organisations looking at hundreds or thousands of such employees, the points of attack (and therefore failure) expand exponentially.
The older perimeter-centric approach to cyber security cannot cope with this new paradigm. Organisations need to have the right tools and policies to ensure that employees requesting access to their systems are who they say they are. This is essential for protection against the rising instances of social engineering attacks, where cyber-criminals impersonate authorised individuals or responsible entities who may have a legitimate need to access corporate information and infrastructure. There are numerous examples of such incidents, including a recent case where hackers extracted data from multiple organisations by impersonating law enforcement officials.
Organisations also need to validate the authenticity of devices and applications that their hybrid workforce and digital nomads use to access company information and ensure that the networks that they are connecting to are secure.
Zero Trust is precisely what it sounds like. Instead of assuming that everything ‘inside’ the IT environment is trustworthy by default, every user, device, and application is considered a threat that requires verification for every instance of access outlined within a Zero Trust security framework.
The origins and development of the Zero Trust principle began in 2010, when John Kindervag, a Forrester Research analyst, coined the term 'Zero Trust'. In 2017 Forrester introduced 'Zero Trust extended', a refined version of its original Zero Trust guidance. Gartner also introduced its take on Zero Trust, calling it Continuous Adaptive Risk and Trust Assessment, or CARTA. Then in 2020, NIST released its definition of Zero Trust in Special Publication 800-207: Zero Trust Architecture. Since then, Zero Trust has been growing in popularity and significance, as it is seen to be an excellent perspective to meet evolving cyber security requirements.
By adopting zero-trust, organisations can block attackers at every point in the attack chain. For example, if the attackers have successfully worked around user authentication their devices (which also need to be separately verified) will be denied access. The Zero Trust security model also helps protect against internal threats. If an authorised user using an approved device decides to use an insecure application or visit a restricted website, they would not be permitted to do so.
Zero Trust also helps prevent lateral movement, since bad actors with malicious intent would be barred from gaining unfettered access to an organisation's IT systems. Also, if a breach does occur, with the Zero Trust security model in place, unpermitted access would be limited only to the permissions scope of the hacked user, device, or network.
As you evaluate your journey toward Zero Trust security model adoption, here are a few basic questions you’ll need to answer:
These questions will help you analyse the existing application and user landscape to determine the attack surface that needs to be protected.
"Remember to evaluate the experience and expertise of your staff with Zero Trust, as you may want to consider working with an experienced partner to help you navigate your Zero Trust journey."
To conclude, if your organisation is not taking advantage of the Zero Trust model to protect your hybrid workforce, this is the right time to consider making the shift. Embracing Zero Trust will improve your security posture, protect your sensitive data, and offer your workforce and other stakeholders the peace of mind they need.
Read our whitepaper on Zero Trust security model to know more about getting started on your Zero Trust journey.