The continued growth in frequent and successful cyberattacks on enterprises puts into question whether traditional security strategies are effective as businesses go through huge digital transformations.
The failure of current architectures is often down to the misconception that all on the inside of an enterprise’s network can be trusted. This is coupled with inadequate visibility, control and protection of data flowing in and out.
Many enterprises also fail to balance network confidentiality, integrity and availability, according to John Kindervag, vice president and principal analyst for Forrester Research. To protect enterprise applications from malicious attacks, the market research company advises IT security decision makers to adopt what it calls a Zero Trust approach.
The Zero Trust security model addresses the failings that exist in traditional security strategies by taking out the assumption of trust. With Zero Trust, essential security capabilities are utilized, reinforcing policies and protecting all devices, applications, data and information flow, regardless of where the user is located.
It must be noted that the Zero Trust model is a vendor neutral philosophy centred on flexible architectures designed to meet individual security demands.
The traditional approach to security is undoubtedly failing, as we see more and more enterprises fall foul of malevolent attacks. According to a survey by PriceWaterhouse Cooper, the total number of security incidents detected by respondents grew to 42.8 million around the world, up a staggering 48% from 2013. This averages out at 117,339 attacks a day.
The fastest growing cyber-threats come from nation states, competitors, and organized criminals. At the same time, PwC found that cyber-criminals are switching their attention to medium-size companies as large enterprises shore up their security efforts.
External attacks are carried out via a host of methods and incorporate multiple steps, targeting vulnerable applications, networks and employees. Malware is no-longer the biggest problem. Today’s hackers are running scripts which makes them difficult to detect as they worm their way through the network.
Attacks are not just external. Internal incidents account for a large number of breaches happening today. According to Forrester, many partners or third-party suppliers are being compromised and used as a gateway to gain access to enterprise’s sensitive data.
The Zero Trust approach is designed to change the way enterprises thing about cybersecurity and better protect their data assets, whilst allowing free flow of information internally.
Many global corporations have or are looking to adopt Zero Trust. Google, for example, is building its internal corporate infrastructure around the Zero Trust model, which it has dubbed the “BeyondCorp” initiative. The model grants employees very finally grained access to various resources on its networks.
Many defences are not strong enough
Hackers are targeting organizations they see as being vulnerable. According to Forrester’s latest research, 41% of US security professionals estimate that their company’s sensitive data was compromised or breached in the last twelve months.
Many enterprises are using outdated technology, relying on defences such as VPNs and perimeter firewalls, which were implemented way before the sophisticated hacking methods being used now.
Embracing Zero Trust
Zero Trust creates barriers that basically compartmentalize different parts of the network. This allows a circle of steel to be formed around critical data, protecting it from unauthorized applications or users. It also safeguards vulnerable systems and stops malware infiltrating the network.
For the Zero Trust model to work, security architects must redesign their segmentation around business requirements to shore up defences. This application segmentation is “an essential practice of proper security hygiene”, Forrester states in its report, and requires the right tools.
Enterprises need to adopt business-centric segmentation technologies such as application-based cryptographic segmentation with access control, which must be designed to protect applications inside and outside the network.
The Zero Trust approach is underscored by the mantra “never trust, always verify”. Zero Trust does not put trust in any entity, regardless of what it is and is location or its relationship with the enterprise network. The principle being trust no one to keep cyber-snoopers and malicious intruders out.
Discover our range of security solutions from authentication and authorisation through to malware protection and network defense.
Jan has been writing about technology for over 22 years for magazines and web sites including ComputerActive, IQ magazine and Signum. She has been a business correspondent on ComputerWorld in Sydney and covered the channel for Ziff-Davis in New York.