Opinion: Adopting a Zero Trust mindset
Sebastien Pavie, regional director for Cloud Protection and Licensing Activities at Thales, on why a verify-everything, trust-nothing model works
Many organisations are at a crossroads as they revisit their digital security strategies. The costs associated with digital crime and security incidents are on the rise: according to a study conducted by IBM Security and the Ponemon Institute released last year, the average cost of data breaches in the Middle East was $5.31 million in the first half of 2018. That is a 7.1% year-on-year increase.
Now, however, organisations are spending more than ever on their digital security efforts. Gartner estimated that security spending in the MENA region will reach $1.9bn in 2019, as companies improve cloud and data security. The analyst company predicts increases across all segments of security, with growth of 9.8% over this year.
As the cost of data breaches continues to rise, organisations now face the imminent challenge of maximising their security investments.
One model gives way to another
The classic network perimeter model has little to offer by way of resolution. The model dates back to an era when deskbound employees connected to corporate systems at the workplace.
With agile work and remote access now adopted by an overwhelming number of organisations, perimeter security has evolved to work double time, securing inbound and outbound network traffic as remote users connect to on-premises corporate systems and internal users access the internet.
Given the increasing number of digital nomads who continue to connect to the network from all corners of the earth, businesses are having to adapt their security measures for highly agile workforces.
Now, they also have cloud-based assets, systems containing sensitive customer information, as well as vendors and suppliers who require increasing levels of network access. Simply put, there are too many sources of network access for the classic perimeter model to work effectively.
Some companies are trying to address this challenge by maintaining a perimeter and forcing all network traffic through a proxy (WAM or traditional network security appliances). This model cannot easily scale up, can impact user experience (network latency) and undermines a fundamental benefit of the cloud, which is that it is always available. So why would a company route all user traffic to an on-premises proxy that can go down, preventing employees from working, when more efficient and secure solutions already exist?
Enter the Zero Trust mindset of “Verify everything, trust nothing.” This perspective dismisses the notion that internal users and devices can automatically be trusted. Innocent until proven guilty? Not when it comes to organisations adopting a Zero Trust mentality, which treats all devices, network infrastructures and users as untrusted by default, in an attempt to ward off a breach.
Where IAM fits in
This model of thinking is unachievable without identity and access management (IAM). That’s because Zero Trust revolves around the various identity aspects of each user. According to Microsoft, a Zero Trust mindset first and foremost requires that security teams establish the identity of each user; only then can they use multi-factor authentication and other core IAM components to verify that each user has a high-assurance session, is using a valid machine and is accessing the appropriate types of file shares.
Looking ahead, IAM will become an even more prominent pillar of organisations’ Zero Trust strategies, and there are three emerging IAM trends that point to this development. The first is that IAM will progressively provide Zero Trust frameworks with context, meaning that IAM solutions of the future will use greater integration to embed identity data into data protection and network forensic systems. This will help security teams tie data assets and information packets to specific users on the corporate network.
The second is that IAM architectures will increasingly make use of data identity. In general, more IAM products will enable security teams to manage identity data and tie it to employee access rights. To prepare themselves, security teams should assign data access privileges to employees and include data assets in all access-certification campaigns. Finally, the third trend is that IAM suites will become loose, pre-integrated offerings. Classic IAM suites that require clients to install everything are steadily giving way to API-based microservices. Zero Trust vendors are expected to adopt this evolving approach to IAM. In so doing, they’ll help ease the burden of implementing IAM for many organisations that subscribe to a Zero Trust mindset.
Adopting a Zero Trust mindset
Long gone are the days when organisations could rest assured that current systems are sufficiently secure. Security incidents are increasing in tenacity and determination as they home in on vulnerable systems. The time is now for organisations to consider adopting a Zero Trust mindset so that they can begin to integrate the fundamentals of a Zero Trust framework into their own corporate environments.