It’s Time to Move to Zero Trust Security
Digital transformation has rendered security strategies that were built around protecting the perimeter of an enterprise no longer adequate, especially in IT ecosystems in which there really are no well-defined edges anymore. It’s unfortunate, yet painfully true, that we live and work in a world in which trust is a quaint, almost archaic, quality. Nowhere is this more true than in the business world, which has grown wholly dependent on its IT infrastructures and systems.
Security becomes much more challenging when a company’s IT infrastructure extends beyond the walls of its building(s), with its networks connecting to customers, partners and third parties whose IT assets reside around the globe and in multiple public or private clouds.
Suddenly, it becomes relatively easy for hackers to access a company’s applications and data. Traditional perimeter defenses (often referred to as edge security) aren’t very effective. An organization’s anti-virus software, firewalls, user authentication programs and other long-standing security methodologies just aren’t a match for bad actors, foreign government agencies and others who spend their lives looking for ways into IT infrastructures to seize the data and other valuables that lie within.
As a result, data breaches and other malicious exploits proliferate. You may remember the ransomware attack on the Colonial Pipeline Company in 2021 that caused fuel shortages across the U.S. Hackers accomplished that with the use of a single password.[1] Or the SolarWinds attack that exploited a routine software update and compromised about 100 companies (including Microsoft, Intel and Cisco) and about a dozen government agencies, including the U.S. Treasury, Department of Justice, Department of Energy and the Pentagon.[2] Or the 2021 data leak that exposed personal data belonging to more than 100 million Android users due to misconfigured cloud services.[3]
What is Zero Trust Security?
In 2010, Forrester Research analyst John Kindervag introduced a new concept, which he called “zero trust.”[4] In a nutshell, his concept rearranged the old maxim “trust but verify” into “never trust, always verify.” That means continuous identity verification of users, whether they are inside or outside your network perimeter. It requires monitoring their activity to detect any unusual work patterns or areas of access, and doing the same for all devices being used.
Zero trust assumes that every user and device is a potential threat until proven otherwise. That sounds extreme but, unfortunately, it’s necessary. Assuming otherwise, based on recognizing passwords, users and devices that have previously accessed your infrastructure, can cost you dearly.
What Can You Do To Implement Zero Trust?
We don’t want to ignite paranoia across your organization, but it’s important to understand that effective cybersecurity requires constant vigilance.
Here are some more fleshed-out principles you can use as you consider how to implement a zero trust strategy across your IT infrastructure:
- It’s critical to increase vigilance, employing automation wherever possible given the ever-growing number of bad actors working tirelessly to penetrate IT enterprises that now have so many more attack surfaces.
- Grant users and devices “least-privilege” access across your entire infrastructure, and review and update those privileges only as often as necessary.
- Assume all attempts to access your IT infrastructure are potentially threatening.
- Authenticate, authenticate, authenticate. One-time authentication that then allows users and devices to roam freely around your infrastructure is an open door to trouble.
- Secure your data at all times – at rest, in transit and in use.
- Regularly review your cybersecurity policies and analyze and update them as threats require.
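To make the difference between edge security and the principles above concrete, here is an added example (not code from CoreSite or any product) that evaluates each request on its own instead of trusting whatever is already inside the network. The user names, grants, field names and the 15-minute re-authentication window are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed least-privilege grants: (user, resource, action). Anything absent is denied.
GRANTS = {
    ("alice", "payroll-db", "read"),
    ("bob", "build-server", "deploy"),
}
MAX_AUTH_AGE_S = 900  # assumed re-authentication window (15 minutes)

@dataclass(frozen=True)
class Request:
    user: str
    device_compliant: bool     # posture reported for the device at request time
    auth_age_s: int            # seconds since the user last proved identity
    on_internal_network: bool  # inside the traditional perimeter?
    resource: str
    action: str

def perimeter_decide(req: Request) -> bool:
    """Edge-security model: anything already inside the network is trusted."""
    return req.on_internal_network

def zero_trust_decide(req: Request) -> tuple[bool, str]:
    """Evaluate every request on its own; network location grants nothing."""
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "reauthenticate"
    if not req.device_compliant:
        return False, "device not compliant"
    if (req.user, req.resource, req.action) not in GRANTS:
        return False, "no grant (default deny)"
    return True, "allowed"

# Constructed requests, all sent from inside the network perimeter.
SAMPLES = [
    Request("alice", True, 60, True, "payroll-db", "read"),
    Request("alice", True, 60, True, "payroll-db", "write"),
    Request("alice", True, 7200, True, "payroll-db", "read"),
    Request("bob", False, 30, True, "build-server", "deploy"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.resource, r.action, perimeter_decide(r), zero_trust_decide(r))
```

The perimeter check passes all four sample requests because they originate inside the network; the per-request check allows only the first.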
Zero Trust Is A Framework, Not A Product
While it would be convenient if there were a single zero trust product that could be quickly and easily deployed, that’s just not the case. Zero trust is a framework, not a product. It lays out a number of tenets that, when vigorously applied, can significantly reduce damage to your organization and reputation.
Understanding what zero trust is and how its underlying principles can apply to your organization is an important step toward a more secure IT infrastructure. From there, you can create a multi-disciplinary team including data security, network security, user and device authentication and other pertinent experts to create a zero trust implementation to protect your ever-evolving IT enterprise.
You may need outside assistance with such an initiative and there are companies that focus on the various types of capabilities that together can deliver zero trust security solutions. You can find some on CoreSite’s IT Service Provider Marketplace, including:
However you choose to proceed, the key to success is to get started now (if you haven’t already) and to make zero trust a top priority.
Know More
CoreSite partner Seceon provides cybersecurity solutions that include real-time monitoring to identify and reduce security threats for enterprises.