You may be hearing the term "Zero Trust" more often these days. Though the concept has been around for years, it’s gained more traction since the mass migration of employees working remotely.
Zero trust centers around a strict methodology that requires everyone and everything trying to connect with an organization’s digital workplace environment to provide verification before getting access.
It may sound similar to what you’re already doing. Employees, clients and vendors probably already provide some sort of verification before accessing your system. But with zero trust, there are a number of added safeguards. No one is trusted by default, even those already inside the network perimeter. Why are all of these added safeguards necessary? We’ll break it down with two simple analogies.
Security Best Practices
When we talk to corporate decision makers about zero trust, one of the first things they typically say is, “I trust all of my employees.” This is probably true for most organizations. But, employee trust has little to do with why implementing zero trust is so important. The larger issue is that there are bad actors around the world trying to impersonate those employees and take advantage of the trust the organization has in them.
To illustrate how zero trust works, think of your organization’s digital workplace environment as a hotel, where individuals are constantly coming and going. In order to ensure the safety and security of the property, staff and hotel guests, the hotel puts certain safeguards in place. It may have security cameras in the parking lots, at all of the entrances and in the elevators. It requires some form of ID and a credit card when guests check in so it knows the people receiving room key cards are who they say they are. It also restricts key card access so each guest only has access to his or her room and no one else’s. Guests coming into the hotel aren’t offended by these precautions. In fact, they’ve come to expect them as best practices that are put in place for their own protection.
And, even with all of these precautions, security breaches may still occur. For example, a hotel guest who’s been verified at the front desk could accidently leave his room key card by the pool. Someone else could take the card and potentially gain access to the room. Or, the guest who’s lost the card could go to the front desk and request access to his room without proper identification. One simple mistake can open the hotel and its guest to compromised security. The same is true in the workplace. In fact, 80 percent of data breaches are caused by compromised and weak credentials.*
Zero trust offers organizations a set of sound policies and processes that help prevent intentional—and even unintentional—breaches of security by validating users, devices, applications and data on an ongoing basis. This helps ensure that everyone who’s interacting with your data is who they say they are, providing peace of mind to your organization, employees, clients and vendors. Without these stringent security safeguards, it’s only a matter of time before cyber villains show up without reservations.
Data Growth and Sprawl
Using our hotel analogy, it’s easy to see why certain safeguards are necessary to protect your organization and its data, regardless of how trustworthy your employees are. Things get more complicated when we consider that most businesses don’t have their data in just one location. Especially over the last year, many businesses have moved much of their data off premise to home networks or the cloud.
Twenty years ago, network security was all about safeguarding a location. It was common for all of an organization’s data to be housed in one place, where everything within that perimeter was protected. Eventually, new ways of doing business came along that required us to move portions our data to locations off site. Think of it as packing up your data and moving it to various storage units throughout the country or the world.
You may move one bundle to a storage unit managed by a third-party payroll provider. You pack two more bundles and move them to storage units managed by SaaS applications such as Microsoft Office 365 and Salesforce. A fourth bundle gets moved to a Google Cloud storage unit. Other bundles are moved to storage units that house data centers. Then COVID-19 hits and you move countless bundles to storage units managed by your remote users.
Before you know it, your data is being stored in 50 to 100 different storage units managed by a variety of sources. Some of the units may have top-of-the-line security systems. Others, like your home network users, may not have any security at all. What’s more, your home network users may move more bundles of your data to additional units such as Dropbox and IoT without you even knowing it.
Lastly, because organizations have so much data and it’s being moved to so many offsite locations, it’s not uncommon for data to be misplaced and duplicated. It’s like the Christmas lights you packed away and can’t find, so you go to the store and buy more. Lost and forgotten data is even more at risk, because no one’s making sure it’s being protected.
You can see why a location-based security model no longer fits the way most organizations operate.
Where to Start?
Because of the complex way data now moves across most digital workplace environments, implementing security isn’t as easy as implementing one or two solutions. Instead, zero trust involves a series of protocols that address the unique structure of each organization.
It begins by establishing trust for each component of a digital workplace environment—users, devices, applications and data—as well as the pathways that connect each component. This isn’t a one and done process. These components are continuously re-verified. Once an organization has visibility and analytics across its entire digital workplace environment, zero trust implements automated ways to orchestrate tasks for optimal workflow.
If your organization has experienced changes in the way you move and interact with your data and is still using a location-based security paradigm, Marco can help you assess your security risk and design a zero trust solution that addresses your unique needs.
*2019 Verizon Data Breach Investigation Report