Zero trust security is not new, but as computing moves away from the physical confines of the company – with applications moving into the cloud and users going mobile – the concept is increasingly relevant. IT professionals are facing a harsh new reality: they can no longer manage it all.
Until recently, most companies established a ‘perimeter’ to separate their digital workplace from the big, bad internet. The perimeter was a tangible thing. Companies would secure the building, lock down access to the data center, manage every device and operate the network over which sensitive data travelled.
One shortcoming of perimeter solutions is that they grant users access to the network based on implicit assumptions. If the user is attempting to access sensitive documents from the corporate network, their request is typically granted if they are in the building. This approach offers no protection against threats that may have penetrated the perimeter. More fundamentally, it assumes that the user, their device and the network are trusted simply because they are managed by the company.
Real life isn’t so perfect. Users leave their passwords on sticky notes or fall for phishing attacks. Bad guys sneak into buildings. Malware compromises the integrity of systems. Each of these instances accelerates the need for change. Mobility and the cloud were the final straw; a different approach is now needed.
Zero trust doesn’t make assumptions. Instead, it bases decisions on robust authentication mechanisms and context-aware access control. If an employee uses a device to check the time of their train home, building trust might not be a priority. If they are using that device to access corporate files, trust is critical. On-prem techniques can’t make this distinction.
Identity Matters
Good security begins with accurately identifying the user requesting access. If this can’t be determined (and verified!), access shouldn’t be granted.
Each employee has a unique identity, but this becomes muddled with password-based authentication, which requires users to juggle different credentials for all their applications, especially when they are told never to re-use the same password. In reality, users often ignore this advice, picking easy-to-remember passwords. This means passwords aren’t an accurate determiner of the user’s identity, so password-based authentication can’t be the only line of defense.
Solutions help. Identity and Access Management has enabled enterprises to better manage access to cloud applications. Additionally, multi-factor authentication makes verification more accurate. Yet even if these tools do their job, it doesn’t necessarily mean the user is who they claim to be.
Context is Key
Context matters when determining if access should be granted. A request from the CEO to access the quarterly results may be rejected if it comes from an unknown device, originating in a country to which she has never travelled. Just because an employee has been verified, that doesn’t make the network they’re connected to – or the device they’re using – secure.
Zero trust takes all of this information into account, incorporating ‘conditions’ such as geolocation information, device type, operating system (OS), network context and other factors as part of the access policy.
The concept of ‘conditional access’ forces decisions to be made for each and every access request, rather than based on information collected at sporadic intervals. After all, much can change between – and within – sessions.
Some organizations may harbor concerns that zero trust hampers productivity. Quite the opposite is true. An employee trying to access an application using an outdated OS could be given ‘read only’ access along with a prompt to upgrade. Full privileges can be reinstated once the upgrade is completed. It’s about striking a balance, providing access within the correct security parameters.
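As an added illustration of the per-request, conditional decision described above (example code, not from the original article), the following Python sketch evaluates each access request against its own context: identity verification first, then device and location, then OS version. The resource names, the minimum OS version and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Tuple

MIN_OS_VERSION = (14, 0)  # hypothetical minimum OS version accepted by the policy


@dataclass(frozen=True)
class AccessRequest:
    """Context gathered for one request; every request is evaluated afresh."""
    user: str
    resource: str
    sensitive: bool                  # does the resource hold sensitive data?
    identity_verified: bool          # did authentication (incl. MFA) succeed?
    device_known: bool               # is the device enrolled and managed?
    os_version: Tuple[int, int]
    country: str                     # where this request originates
    usual_countries: FrozenSet[str]  # countries the user has worked from before


def evaluate(req: AccessRequest) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'read_only' or 'deny'."""
    # 1. Identity first: if the user cannot be verified, nothing is granted.
    if not req.identity_verified:
        return "deny", "identity could not be verified"
    # 2. Non-sensitive resource (e.g. a train timetable): trust is not a priority.
    if not req.sensitive:
        return "allow", "non-sensitive resource"
    # 3. Context: a verified user on an unknown device from an unfamiliar
    #    country is rejected even though authentication succeeded.
    if not req.device_known and req.country not in req.usual_countries:
        return "deny", "unknown device from unfamiliar location"
    # 4. Outdated OS: degrade to read-only and prompt for an upgrade instead of
    #    blocking the user outright; full access returns once the OS is current.
    if req.os_version < MIN_OS_VERSION:
        return "read_only", "OS %d.%d below minimum; upgrade required" % req.os_version
    return "allow", "identity verified and device context acceptable"


# Constructed sample requests (not real users or data).
CEO_QUARTERLY = AccessRequest(
    user="ceo", resource="quarterly-results.xlsx", sensitive=True,
    identity_verified=True, device_known=False, os_version=(15, 1),
    country="XX", usual_countries=frozenset({"GB", "US"}))
TRAIN_TIME = replace(CEO_QUARTERLY, resource="train-timetable", sensitive=False)
OUTDATED_OS = replace(CEO_QUARTERLY, device_known=True, os_version=(12, 4))
UNVERIFIED = replace(CEO_QUARTERLY, identity_verified=False)

if __name__ == "__main__":
    for r in (CEO_QUARTERLY, TRAIN_TIME, OUTDATED_OS, UNVERIFIED):
        print(r.resource, "->", evaluate(r))
```

Because `evaluate` takes the full context on every call, a device that was acceptable a minute ago is re-checked the next time it asks, which is the point of conditional access.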
Identity is an important part of the authentication process, but to be effective, it must be combined with conditional access. It’s time to stop basing security on assumptions, and move to a zero trust model.